[ARGUS] Syn traffic tracking

Carter Bullard carter at qosient.com
Thu Dec 16 11:54:19 EST 2004


Ahhhhhh, real contributions.  Be sure and send it to the list so
it gets captured in the mailing archive, and THANKS!!!!

I am going to wall myself up into a closet after New Years, so
I can get some time to work on argus (sorry I haven't been able
to get to it recently) and get the site pumped a bit better.
Hopefully all the work by Mike, Peter, Andrew, Russell and Steve
can get into the release and on the web site.

Hope you have a great holiday season!!!!

Carter


> From: John Nagro <john.nagro at gmail.com>
> Reply-To: John Nagro <john.nagro at gmail.com>
> Date: Thu, 16 Dec 2004 11:43:20 -0500
> To: Carter Bullard <carter at qosient.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Syn traffic tracking
> 
> Thanks Carter! Once again you save the day.
> 
> I am compiling some docs on how to use argus (for my systems group
> here), I'll be sure to shoot you guys a copy. It will contain this
> sort of stuff. Maybe you guys could put it on your site? Your site
> doesn't contain a lot of these examples.
> 
> -John
> 
> 
> On Thu, 16 Dec 2004 11:28:03 -0500, Carter Bullard <carter at qosient.com> wrote:
>> Ooooops, a typo in a filter, the final command should be:
>> 
>>    ra -r file -w - - dst host x.y.z.w and tcp and syn and not \
>>        (synack or data) |  ragator -f ragator.conf -w - |  racount
>> 
>> Carter
>> 
>>> From: Carter Bullard <carter at qosient.com>
>>> Date: Thu, 16 Dec 2004 11:20:44 -0500
>>> To: John Nagro <john.nagro at gmail.com>, Argus
>>> <argus-info at lists.andrew.cmu.edu>
>>> Subject: Re: [ARGUS] Syn traffic tracking
>>> 
>>> Hey John,
>>> So if you want to process just those attempts that have
>>> Syn's and nothing else, use a filter like:
>>> 
>>>    ra -r file - tcp and syn and not (synack or data)
>>> 
>>> If you want those records that specifically have a reset response use:
>>> 
>>>    ra -r file - tcp and syn and reset and not (synack or data)
>>> 
>>> remember you may have to escape the '(' depending on the shell
>>> you are using.
>>> 
>>> 
>>> Once you have the records, you can use ragator() to aggregate
>>> the records based on source address, ignoring all other fields,
>>> using the ragator.conf file below.
>>> 
>>> So to count the number of hosts that have sent just Tcp SYN's
>>> to a given host:
>>> 
>>>    ra -r file -w - - dst host x.y.z.w and tcp and sync and not \
>>>       (synack or data) |  ragator -f ragator.conf -w - |  racount
>>> 
>>> 
>>> Give it a try, and if it doesn't do what you think, just holler to
>>> the list.
>>> 
>>> 
>>> Carter
>>> 
>>> 
>>> ---- begin ragator.conf ------
>>> #
>>> #
>>> #     id      SrcCIDRAddr  DstCIDRAddr  Proto SPort DPort Model Dur Idle
>>> Flow  100 ip      *            *          *     *    *     200   60  0
>>> 
>>> # TCP and UDP Flow Model Definitions
>>> # label  id      SrcAddrMask     DstAddrMask    Proto  SPort DPort
>>> 
>>> Model 200 ip  255.255.255.255    0.0.0.0        yes    no    no
>>> 
>>> -----end ragator.conf -------
>>> 
>>> 
>>> Carter
>>> 
>>> 
>>> 
>>> 
>>>> From: John Nagro <john.nagro at gmail.com>
>>>> Reply-To: John Nagro <john.nagro at gmail.com>
>>>> Date: Thu, 16 Dec 2004 10:50:22 -0500
>>>> To: <argus-info at lists.andrew.cmu.edu>
>>>> Subject: [ARGUS] Syn traffic tracking
>>>> 
>>>> Howdy,
>>>> 
>>>> What's a decent way to show hosts and the amount of syn traffic they
>>>> have produced? I am trying to see if a particular machine on my
>>>> network had a lot of syn traffic during a particular time, and if so,
>>>> was it from a few hosts? A lot of hosts? One host?
>>>> 
>>>> Thanks!
>>>> 
>>>> -John
>>>> 
>>>> --
>>>> John Nagro
>>>> john.nagro at gmail.com
>>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 
> 
> -- 
> John Nagro
> john.nagro at gmail.com
> 
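The pipeline Carter describes above (filter for TCP records that carry only a SYN, optionally also a reset, aggregate by source address with the ragator Model 200, then count) can be modelled on a handful of flow records without an argus install. The following is an added example, not code from the argus project or from either poster: the Flow fields, the sample records and the function names are all constructed for illustration, and it approximates the semantics of `tcp and syn and not (synack or data)` and of a source-only aggregation model rather than parsing real ra output.

```python
"""Model of `ra ... | ragator -f ragator.conf | racount` on constructed flow records.

Assumption: each record summarises one connection attempt with the flags
that argus would have observed. Not the argus data format; built to show
how the filter plus source-only aggregation answers "one host, a few,
or many?" for SYN-only traffic against a target.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    saddr: str
    daddr: str
    proto: str
    sport: int
    dport: int
    syn: bool      # SYN seen from the source
    synack: bool   # SYN/ACK seen from the destination
    data: bool     # payload bytes seen in either direction
    reset: bool    # RST seen in the flow


# Constructed sample records (not captured traffic). 10.0.0.5 is the
# hypothetical "dst host x.y.z.w" from the thread.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.0.0.5", "tcp", 40001, 22, True, False, False, False),
    Flow("192.0.2.10", "10.0.0.5", "tcp", 40002, 80, True, False, False, False),
    Flow("192.0.2.11", "10.0.0.5", "tcp", 50000, 443, True, False, False, True),
    Flow("192.0.2.12", "10.0.0.5", "tcp", 51000, 80, True, True, True, False),
    Flow("192.0.2.13", "10.0.0.6", "tcp", 52000, 22, True, False, False, False),
    Flow("192.0.2.14", "10.0.0.5", "udp", 53000, 53, False, False, False, False),
]


def syn_only(flow, target=None, require_reset=False):
    """Equivalent of the ra filter `tcp and syn and not (synack or data)`,
    with the optional `dst host target` and `reset` terms from the thread."""
    if flow.proto != "tcp" or not flow.syn:
        return False
    if flow.synack or flow.data:
        return False          # handshake completed or payload flowed: not SYN-only
    if target is not None and flow.daddr != target:
        return False
    if require_reset and not flow.reset:
        return False
    return True


def aggregate_by_source(flows):
    """Mirror of ragator `Model 200`: key on the exact source address
    (mask 255.255.255.255) and protocol (yes); ignore the destination
    (mask 0.0.0.0) and both ports (no, no). Returns records per key."""
    return dict(Counter((f.saddr, f.proto) for f in flows))


def count_syn_only_sources(flows, target, require_reset=False):
    """The whole pipeline: filter, aggregate, then count distinct sources
    (what racount reports on the aggregated stream). Returns
    (number_of_sources, records_per_source)."""
    matched = [f for f in flows if syn_only(f, target, require_reset)]
    per_source = aggregate_by_source(matched)
    return len(per_source), per_source


if __name__ == "__main__":
    hosts, detail = count_syn_only_sources(SAMPLE_FLOWS, "10.0.0.5")
    print(f"{hosts} source(s) sent SYN-only traffic to 10.0.0.5: {detail}")
    hosts, detail = count_syn_only_sources(SAMPLE_FLOWS, "10.0.0.5", require_reset=True)
    print(f"{hosts} of them got a reset back: {detail}")
```

Two things the sample makes visible that the one-line pipeline hides: the two attempts from 192.0.2.10 against different ports collapse into a single source because the model discards ports and destination, so the final count is hosts and not records, and the completed connection from 192.0.2.12 is dropped by the `not (synack or data)` clause even though it also carried a SYN.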