[ARGUS]

Russell Fulton r.fulton at auckland.ac.nz
Thu May 13 17:22:00 EDT 2004


On Fri, 2004-05-14 at 10:49, Glenn MacGregor wrote:
> Hi All, 
> 
> I am using ramon -M hostsvc to figure out what services are running on my 
> network. I thought this would be what I wanted but it seems the info I get is 
> actually the client ip and destination port. So I see 192.168.0.55 80, this 
> tells me that 192.168.0.55 is going to port 80 somewhere. Is there a ramon (or 
> some other ra*) command that will tell me the destination address and destination 
> port? I want this so I can see all the services in my network, and what servers 
> provide those services. 

 ramon -M hostsvc dst net <local-net>

eg  ramon -M hostsvc dst net 130.216
> 
> Also ragator, I have read the man page but am still unclear on the purpose. How 
> does it merge records? If I hit a website: 
> 
> SrcIP            DstIP            SPort   DPort 
> 192.168.0.100    www.google.com   35067   80 
> 
> and it responds: 
> 
> SrcIP            DstIP           SPort   DPort 
> www.google.com   192.168.0.100   80(?)   35067 
> 
> With ra I will see 2 records, correct? Will ragator merge these two records into 
> one? 

ummm normally argus will merge these automatically -- the only time you
should see www.google.com   192.168.0.100   80(?)   35067  is when the
server sends stuff (eg. RSTs or FINs after argus thought the connection
was closed).  Some IIS servers do this on a regular basis.

Ragator is really just a more flexible version of ramon (or to put it
another way, ramon is a set of canned ragator configs).  That said I use
ragator to collect up all the records for a single connection and merge
them (the default behaviour) before I archive log files.  You get
multiple records for long running flows (there is a timeout parameter --
I forget what it is called -- that controls how often argus writes records
for open flows).
> 
> 
>    Thanks 
> 
>      Glenn
> 
> Glenn MacGregor
> HighStreet Networks
> 
-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
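To illustrate the two points in the reply (argus folding both directions of a connection into one record, and `ramon -M hostsvc dst net <local-net>` reporting the local server and port rather than the client), here is an added Python example that is not part of the argus tools or of this thread. It works on constructed unidirectional records and assumes, as a stand-in for argus's own initiator tracking, that the lower port of a pair is the service port.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records: (src, sport, dst, dport, pkts). They include the
# late server->client FIN/RST case and a long-running flow that argus has
# written twice because of its status-interval timeout.
RECORDS = [
    ("192.168.0.100", 35067, "198.51.100.1", 80, 5),   # client -> web server
    ("198.51.100.1", 80, "192.168.0.100", 35067, 4),   # late FIN/RST from server
    ("10.1.1.5", 51000, "192.168.0.55", 22, 100),      # ssh into a local host
    ("10.1.1.5", 51000, "192.168.0.55", 22, 90),       # same flow, next interval
    ("192.168.0.55", 48000, "203.0.113.53", 53, 1),    # local host as DNS client
]

def flow_key(src, sport, dst, dport):
    """Orient the tuple as (client, cport, server, sport).
    Assumption: the lower port is the service port."""
    if sport < dport:
        return (dst, dport, src, sport)
    return (src, sport, dst, dport)

def merge(records):
    """Collapse every record of one connection into a single bidirectional
    entry, counting packets per direction (ragator's default behaviour)."""
    flows = defaultdict(lambda: {"spkts": 0, "dpkts": 0, "records": 0})
    for src, sport, dst, dport, pkts in records:
        key = flow_key(src, sport, dst, dport)
        entry = flows[key]
        entry["records"] += 1
        if (src, sport) == key[:2]:
            entry["spkts"] += pkts      # client -> server direction
        else:
            entry["dpkts"] += pkts      # server -> client direction
    return dict(flows)

def host_services(flows, local_net):
    """Mimic `ramon -M hostsvc dst net <local-net>`: report the local
    server address and port, not the local client, keyed by total packets."""
    net = ip_network(local_net)
    services = defaultdict(int)
    for (_, _, dst, dport), entry in flows.items():
        if ip_address(dst) in net:
            services[(dst, dport)] += entry["spkts"] + entry["dpkts"]
    return dict(services)
```

Without the `dst net` restriction the 192.168.0.55 -> port 53 flow would appear, which is exactly the client-side view the question describes.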