[ARGUS] Syn traffic tracking

Carter Bullard carter at qosient.com
Thu Dec 16 11:28:03 EST 2004


Ooooops, a typo in a filter, the final command should be:

   ra -r file -w - - dst host x.y.z.w and tcp and syn and not \
       (synack or data) |  ragator -f ragator.conf -w - |  racount

Carter


> From: Carter Bullard <carter at qosient.com>
> Date: Thu, 16 Dec 2004 11:20:44 -0500
> To: John Nagro <john.nagro at gmail.com>, Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Syn traffic tracking
> 
> Hey John,
> So if you want to process just those attempts that have
> Syn's and nothing else, use a filter like:
> 
>    ra -r file - tcp and syn and not (synack or data)
> 
> If you want those records that specifically have a reset response use:
> 
>    ra -r file - tcp and syn and reset and not (synack or data)
> 
> remember you may have to escape the '(' depending on the shell
> you are using.
> 
> 
> Once you have the records, you can use ragator() to aggregate
> the records based on source address, ignoring all other fields,
> using the ragator.conf file below.
> 
> So to count the number of hosts that have sent just Tcp SYN's
> to a given host:
> 
>    ra -r file -w - - dst host x.y.z.w and tcp and sync and not \
>       (synack or data) |  ragator -f ragator.conf -w - |  racount
> 
> 
> Give it a try, and if it doesn't do what you think, just holler to
> the list.
> 
> 
> Carter
> 
> 
> ---- begin ragator.conf ------
> #
> # 
> #     id      SrcCIDRAddr  DstCIDRAddr  Proto SPort DPort Model Dur Idle
> Flow  100 ip      *            *          *     *    *     200   60  0
> 
> # TCP and UDP Flow Model Definitions
> # label  id      SrcAddrMask     DstAddrMask    Proto  SPort DPort
> 
> Model 200 ip  255.255.255.255    0.0.0.0        yes    no    no
> 
> -----end ragator.conf -------
> 
> 
> Carter
> 
> 
> 
> 
>> From: John Nagro <john.nagro at gmail.com>
>> Reply-To: John Nagro <john.nagro at gmail.com>
>> Date: Thu, 16 Dec 2004 10:50:22 -0500
>> To: <argus-info at lists.andrew.cmu.edu>
>> Subject: [ARGUS] Syn traffic tracking
>> 
>> Howdy,
>> 
>> Whats a decent way to show hosts and the amount of syn traffic they
>> have produced? i am trying to see if a particular machine on my
>> network had a lot of syn traffic during a particular time, and if so,
>> was it from a few hosts? a lot of hosts? one host?
>> 
>> Thanks!
>> 
>> -John
>> 
>> -- 
>> John Nagro
>> john.nagro at gmail.com
>> 
> 
> 
> 
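The pipeline in the thread does three things: filter to TCP records that carry a SYN but no SYN-ACK and no data, collapse them with ragator to one row per source address (the model above masks the source with 255.255.255.255 and the destination with 0.0.0.0, so only the source address distinguishes rows), then count rows with racount. The added example below (not part of the original mail or of the argus tools) implements that same logic in Python over a small constructed record set so the counting step and the "one host / a few hosts / many hosts" question can be checked by hand. The comma-separated field layout and the flag names in the sample are assumptions made for the example and are not ra's native output format.

```python
"""Aggregate SYN-only TCP flow records per source address.

Mirrors the thread's pipeline:
  ra ... - dst host X and tcp and syn and not (synack or data) | ragator | racount
Input layout below is constructed for this example (assumption): it is not
ra's own output format.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample records. Columns: proto,src,sport,dst,dport,flags
# 'flags' is a '+'-joined set drawn from {syn, synack, data, reset, fin}.
SAMPLE_RECORDS = """\
tcp,10.1.1.5,44123,192.0.2.10,80,syn
tcp,10.1.1.5,44124,192.0.2.10,443,syn+reset
tcp,10.1.1.6,50010,192.0.2.10,80,syn+synack+data
tcp,10.1.1.7,50011,192.0.2.10,22,syn
tcp,10.1.1.7,50012,192.0.2.10,23,syn
tcp,10.1.1.8,50013,192.0.2.99,22,syn
udp,10.1.1.9,5353,192.0.2.10,53,
tcp,10.1.1.10,50014,192.0.2.10,25,syn+reset
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def parse_records(text):
    """Parse the constructed CSV layout into Flow objects (blank/comment lines skipped)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, flags = line.split(",")
        flows.append(Flow(proto, src, int(sport), dst, int(dport),
                          frozenset(f for f in flags.split("+") if f)))
    return flows


def syn_only(flow, dst=None, require_reset=False):
    """Equivalent of the ra filter:
       tcp and syn and not (synack or data) [and reset] [and dst host <dst>]"""
    if flow.proto != "tcp" or "syn" not in flow.flags:
        return False
    if "synack" in flow.flags or "data" in flow.flags:
        return False
    if require_reset and "reset" not in flow.flags:
        return False
    if dst is not None and flow.dst != dst:
        return False
    return True


def aggregate_by_source(flows, dst=None, require_reset=False):
    """ragator with a source-address-only model: one bucket per source address,
    value = number of matching records folded into that bucket."""
    return Counter(f.src for f in flows if syn_only(f, dst, require_reset))


def characterize(counts):
    """Answer the original question: one host, a few hosts, or many?
    The 5-host threshold is an arbitrary choice for this example."""
    n = len(counts)
    if n == 0:
        return "none"
    if n == 1:
        return "one host"
    if n <= 5:
        return "a few hosts"
    return "many hosts"


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORDS)
    per_src = aggregate_by_source(flows, dst="192.0.2.10")
    for src, n in per_src.most_common():
        print(f"{src:16} {n:4d} SYN-only flows")
    # racount equivalent: number of aggregated rows = distinct sources
    print(len(per_src), "distinct sources ->", characterize(per_src))
```

Running it against the sample reports three distinct sources sending SYN-only flows to 192.0.2.10 (10.1.1.6 is dropped because its flow completed the handshake and carried data, 10.1.1.8 because it targeted a different host, 10.1.1.9 because it is UDP); passing `require_reset=True` narrows that to the two sources whose SYNs drew a RST, matching the second filter in the thread.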