FW: [ARGUS] Get active connections
Carter Bullard
carter at qosient.com
Mon Jun 28 16:59:57 EDT 2004
Hey Richard,
Well the output you're getting is not completely screwed up,
but most of it is, which is not a good thing. The only thing that
looks reasonable is the "Far 60 Mar 300" string.
The probe id looks like it's little-endian, is it possible
that the probe id is really, 203.122.97.229? If you don't mind
sharing the data file, I can check it out a lot easier if I have
that!!!
So how does ratop() do with a live feed in your environment?
Rather than reading from the file being written into, which may
be the problem, just connect directly to the probe?
Carter
-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity at gmail.com]
Sent: Monday, June 28, 2004 4:44 PM
To: Carter Bullard
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: FW: [ARGUS] Get active connections
On Mon, 28 Jun 2004 11:53:28 -0400, Carter Bullard <carter at qosient.com>
wrote:
>
> Andrew is right, ratop() is the example program to try on this
> point. Do this:
>
> ratop -S probe:port - tcp
Argus continues to amaze. I should pay more attention to the
functions bundled in the tarball!
I was wondering about the output I see. I'm reading in an argus file
being saved to disk. Why is the time and date information so weird?
ratop -n -r /nsm/argus/argus.arg
Source 229.97.122.203 Version 2.0 31/12/1969 07:00P up -12597 days, -20:-40:-17 Far 60 secs Mar 300 secs
Incidentally, the 229... doesn't match anything I have.
I'm running this on FreeBSD:
uname -a
FreeBSD sensor 5.2.1-RELEASE-p8 FreeBSD 5.2.1-RELEASE-p8 #0: Fri Jun 4 15:08:25 EDT 2004 root at drury:/usr/obj/usr/src/sys/sensor i386
Argus is using the latest 2.0.6 fixes distro.
Any ideas?
Thank you,
Richard
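An added worked example (not part of this thread and not Argus code) showing the two clues Carter reads out of the banner. The Argus 2.0 record layout is not shown in the thread, so the example simply assumes a 4-byte IPv4 probe id and a 4-byte Unix start time stored in network (big-endian) order, and the sample bytes are constructed for the demonstration: reading 203.122.97.229 with the wrong byte order gives 229.97.122.203, a zeroed start time rendered in US Eastern time is 31/12/1969 07:00 PM, and that epoch is 12597 days before 28 Jun 2004, matching the negative uptime. The plausibility check at the end (decode the time field both ways and keep the order that yields a sane timestamp) is a generic heuristic, not something ratop does.

```python
import datetime
import socket
import struct

# Constructed sample fields, not bytes from an Argus file: the probe id Carter
# suspects (203.122.97.229) and a start time of 28 Jun 2004 20:44 UTC, both
# ASSUMED here to be stored as 4-byte network-order (big-endian) integers.
PROBE_ID_BE = bytes([203, 122, 97, 229])
REFERENCE_TS = 1088455440            # 2004-06-28 20:44:00 UTC (16:44 EDT)
START_TIME_BE = struct.pack(">I", REFERENCE_TS)


def ip_from_bytes(raw, byteorder):
    """Read 4 raw bytes as an IPv4 address using the given byte order.
    Reading big-endian bytes as little-endian reverses the octets, which is
    exactly how 203.122.97.229 turns into 229.97.122.203."""
    value = int.from_bytes(raw, byteorder)
    return socket.inet_ntoa(struct.pack("!I", value))


def format_argus_style(ts, utc_offset_hours):
    """Render a Unix timestamp like the ratop banner (dd/mm/yyyy hh:mmAM/PM)
    in a fixed UTC offset. A zeroed start-time field is the epoch, and in
    US Eastern time (UTC-5 in December) that prints as 31/12/1969 07:00PM."""
    tz = datetime.timezone(datetime.timedelta(hours=utc_offset_hours))
    return datetime.datetime.fromtimestamp(ts, tz).strftime("%d/%m/%Y %I:%M%p")


def uptime_days(start_ts, now_ts):
    """Whole days of 'uptime' (start minus now, truncated toward zero). A zero
    start time evaluated on 28 Jun 2004 gives the -12597 days in the banner."""
    return int((start_ts - now_ts) / 86400)


def pick_byte_order(probe_raw, time_raw, lo=631152000, hi=4102444800):
    """Heuristic byte-order check: decode the start-time field both ways and
    keep the order whose value is a plausible timestamp (1990-01-01 .. 2100-01-01).
    Returns (byteorder, probe_ip, start_ts), or None when neither order is sane,
    e.g. a record whose time field is all zeros (as in Richard's output)."""
    for order in ("big", "little"):
        ts = int.from_bytes(time_raw, order)
        if lo <= ts <= hi:
            return order, ip_from_bytes(probe_raw, order), ts
    return None


if __name__ == "__main__":
    print("big-endian probe id   :", ip_from_bytes(PROBE_ID_BE, "big"))
    print("little-endian probe id:", ip_from_bytes(PROBE_ID_BE, "little"))
    print("zero start time, UTC-5:", format_argus_style(0, -5),
          "up", uptime_days(0, REFERENCE_TS), "days")
    print("correct record        :", pick_byte_order(PROBE_ID_BE, START_TIME_BE))
    print("byte-swapped record   :",
          pick_byte_order(PROBE_ID_BE[::-1], START_TIME_BE[::-1]))
    print("zeroed time field     :", pick_byte_order(PROBE_ID_BE, bytes(4)))
```

The two symptoms in the banner point at different causes: the reversed octets are consistent with a byte-order mix-up, while the epoch date and negative uptime mean the start-time field came back as zero, which is what you would expect when reading a record that has not been fully written yet (hence Carter's suggestion to connect to the probe directly instead of tailing the file).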