[ARGUS] Syn traffic tracking

John Nagro john.nagro at gmail.com
Thu Dec 16 11:43:20 EST 2004


Thanks Carter! Once again you save the day.

I am compiling some docs on how to use argus (for my systems group
here), I'll be sure to shoot you guys a copy. It will contain this
sort of stuff. Maybe you guys could put it on your site? Your site
doesn't contain a lot of these examples.

-John


On Thu, 16 Dec 2004 11:28:03 -0500, Carter Bullard <carter at qosient.com> wrote:
> Ooooops, a typo in a filter, the final command should be:
> 
>    ra -r file -w - - dst host x.y.z.w and tcp and syn and not \
>        (synack or data) |  ragator -f ragator.conf -w - |  racount
> 
> Carter
> 
> > From: Carter Bullard <carter at qosient.com>
> > Date: Thu, 16 Dec 2004 11:20:44 -0500
> > To: John Nagro <john.nagro at gmail.com>, Argus <argus-info at lists.andrew.cmu.edu>
> > Subject: Re: [ARGUS] Syn traffic tracking
> >
> > Hey John,
> > So if you want to process just those attempts that have
> > Syn's and nothing else, use a filter like:
> >
> >    ra -r file - tcp and syn and not (synack or data)
> >
> > If you want those records that specifically have a reset response use:
> >
> >    ra -r file - tcp and syn and reset and not (synack or data)
> >
> > Remember you may have to escape the '(' depending on the shell
> > you are using.
> >
> >
> > Once you have the records, you can use ragator() to aggregate
> > the records based on source address, ignoring all other fields,
> > using the ragator.conf file below.
> >
> > So to count the number of hosts that have sent just Tcp SYN's
> > to a given host:
> >
> >    ra -r file -w - - dst host x.y.z.w and tcp and sync and not \
> >       (synack or data) |  ragator -f ragator.conf -w - |  racount
> >
> >
> > Give it a try, and if it doesn't do what you think, just holler to
> > the list.
> >
> >
> > Carter
> >
> >
> > ---- begin ragator.conf ------
> > #
> > #
> > #     id      SrcCIDRAddr  DstCIDRAddr  Proto SPort DPort Model Dur Idle
> > Flow  100 ip      *            *          *     *    *     200   60  0
> >
> > # TCP and UDP Flow Model Definitions
> > # label  id      SrcAddrMask     DstAddrMask    Proto  SPort DPort
> >
> > Model 200 ip  255.255.255.255    0.0.0.0        yes    no    no
> >
> > -----end ragator.conf -------
> >
> >
> > Carter
> >
> >
> >
> >
> >> From: John Nagro <john.nagro at gmail.com>
> >> Reply-To: John Nagro <john.nagro at gmail.com>
> >> Date: Thu, 16 Dec 2004 10:50:22 -0500
> >> To: <argus-info at lists.andrew.cmu.edu>
> >> Subject: [ARGUS] Syn traffic tracking
> >>
> >> Howdy,
> >>
> >> What's a decent way to show hosts and the amount of SYN traffic they
> >> have produced? I am trying to see if a particular machine on my
> >> network had a lot of SYN traffic during a particular time, and if so,
> >> was it from a few hosts? A lot of hosts? One host?
> >>
> >> Thanks!
> >>
> >> -John
> >>
> >> --
> >> John Nagro
> >> john.nagro at gmail.com
> >>
> >
> >
> >
> 
> 


-- 
John Nagro
john.nagro at gmail.com
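The pipeline Carter describes above (filter TCP records that carry a SYN but no SYN/ACK and no data, then collapse them on source address only, then count) can be reproduced over a handful of flow records to see what each stage keeps. The following is an added example, not code from the thread or from the argus project: it models flow records as a small dataclass with a constructed set of status flags ("syn", "synack", "reset", "fin") and a payload-byte count, applies the same filters as the `ra` expressions, and aggregates with the same masks as the `Model 200` line of ragator.conf (source address kept whole, destination masked to 0.0.0.0, protocol kept, ports ignored). The flag names, the `data` semantics and the sample records are assumptions for illustration.

```python
"""Model of the ra | ragator | racount pipeline from the thread.

Records are constructed for the example; they are not real argus output.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    flags: frozenset    # assumed status flags: subset of {"syn","synack","reset","fin"}
    data: int = 0       # assumed: payload bytes seen on the flow (0 => "not data")


def syn_only(f: Flow) -> bool:
    """Equivalent of the ra filter: tcp and syn and not (synack or data)."""
    return (f.proto == "tcp" and "syn" in f.flags
            and not ("synack" in f.flags or f.data > 0))


def syn_reset(f: Flow) -> bool:
    """Equivalent of: tcp and syn and reset and not (synack or data)."""
    return syn_only(f) and "reset" in f.flags


def masked(addr: str, mask: str) -> str:
    """Apply a dotted-quad mask to an address, as a ragator model does."""
    return str(IPv4Address(int(IPv4Address(addr)) & int(IPv4Address(mask))))


def aggregate(flows, src_mask="255.255.255.255", dst_mask="0.0.0.0",
              keep_proto=True, keep_ports=False) -> Counter:
    """Collapse flows on the key the Model 200 line builds: src address kept,
    dst address masked away, proto kept, ports dropped.  Returns records per key."""
    counts: Counter = Counter()
    for f in flows:
        key = (masked(f.saddr, src_mask), masked(f.daddr, dst_mask),
               f.proto if keep_proto else "*",
               f.sport if keep_ports else "*",
               f.dport if keep_ports else "*")
        counts[key] += 1
    return counts


def syn_sources(flows, dst: str, want=syn_only) -> dict:
    """Hosts that sent only SYNs (per `want`) to dst, with records per host.
    Mirrors: ra ... - dst host DST and <filter> | ragator -f ragator.conf | racount
    The length of the returned dict is what racount would report."""
    selected = [f for f in flows if f.daddr == dst and want(f)]
    return {key[0]: n for key, n in aggregate(selected).items()}


# Constructed sample: one host probing three ports, one normal session,
# one SYN answered by a RST, a UDP flow, a SYN that carried payload, and a
# SYN to a different destination.
SAMPLE = [
    Flow("tcp", "10.0.0.5", 40001, "192.0.2.10", 22,   frozenset({"syn"})),
    Flow("tcp", "10.0.0.5", 40002, "192.0.2.10", 80,   frozenset({"syn"})),
    Flow("tcp", "10.0.0.5", 40003, "192.0.2.10", 443,  frozenset({"syn"})),
    Flow("tcp", "10.0.0.6", 51000, "192.0.2.10", 80,   frozenset({"syn", "synack", "fin"}), data=5120),
    Flow("tcp", "10.0.0.7", 52000, "192.0.2.10", 3306, frozenset({"syn", "reset"})),
    Flow("udp", "10.0.0.8", 53000, "192.0.2.10", 53,   frozenset(), data=60),
    Flow("tcp", "10.0.0.9", 54000, "192.0.2.10", 25,   frozenset({"syn"}), data=40),
    Flow("tcp", "10.0.0.5", 40004, "192.0.2.11", 22,   frozenset({"syn"})),
]


if __name__ == "__main__":
    target = "192.0.2.10"
    hosts = syn_sources(SAMPLE, target)
    print(f"{len(hosts)} host(s) sent only SYNs to {target}: {hosts}")
    rst = syn_sources(SAMPLE, target, syn_reset)
    print(f"{len(rst)} of them got a RST back: {rst}")
```

Running it answers John's original question for the sample: two hosts sent bare SYNs to 192.0.2.10 (10.0.0.5 with three records, 10.0.0.7 with one), and only 10.0.0.7's SYN was answered with a RST. The completed session from 10.0.0.6 and the SYN that carried payload from 10.0.0.9 are dropped by the `not (synack or data)` clause, exactly as in the `ra` filter, and the UDP flow never matches `tcp`.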


