[ARGUS]

Carter Bullard carter at qosient.com
Thu May 13 18:56:21 EDT 2004


Hey Russell,
   Just for completeness, the variable is called the
ARGUS_FLOW_STATUS_INTERVAL, and it controls
how long argus will wait before reporting on traffic
for an active flow.  I normally use 5 seconds,
but the default is 60 seconds.

Carter

-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Russell Fulton
Sent: Thursday, May 13, 2004 5:22 PM
To: Glenn MacGregor
Cc: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS]

On Fri, 2004-05-14 at 10:49, Glenn MacGregor wrote:
> Hi All,
>
> I am using ramon -M hostsvc to figure out what services are running on my
> network. I thought this would be what I wanted but it seems the info I get
> is actually the client IP and destination port. So I see 192.168.0.55 80,
> this tells me that 192.168.0.55 is going to port 80 somewhere. Is there a
> ramon (or some other ra*) command that will tell me the destination address
> and destination port. I want this so I can see all the services in my
> network, and what servers provide those services.

 ramon -M hostsvc dst net <local-net>

eg  ramon -M hostsvc dst net 130.216
>
> Also ragator, I have read the man page but am still unclear on the
> purpose. How does it merge records? If I hit a website:
>
> SrcIP            DstIP            SPort   DPort
> 192.168.0.100    www.google.com   35067   80
>
> and it responds:
>
> SrcIP            DstIP           SPort   DPort
> www.google.com   192.168.0.100   80(?)   35067
>
> With ra I will see 2 records, correct? Will ragator merge these two
> records into one?

ummm normally argus will merge these automatically -- the only time you
should see www.google.com   192.168.0.100   80(?)   35067  is when the
server sends stuff (eg. RSTs or FINs after argus thought the connection
was closed).  Some IIS servers do this on a regular basis.

Ragator is really just a more flexible version of ramon (or to put it
another way, ramon is a set of canned ragator configs).  That said I use
ragator to collect up all the records for a single connection and merge
them (the default behaviour) before I archive log files.  You get
multiple records for long running flows (there is a timeout parameter --
I forget what it is called) that controls how often argus writes records
for open flows.
>
>
>    Thanks
>
>      Glenn
>
> Glenn MacGregor
> HighStreet Networks
>
--
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
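To make the two points in this thread concrete (status records for a long-running flow being split every ARGUS_FLOW_STATUS_INTERVAL seconds and then collapsed back to one record per connection, which is what ragator does by default; and a hostsvc-style view restricted to `dst net <local-net>` so the key is the server address and port rather than the client), here is a small Python model. It is an added illustration, not argus or ragator code, and everything in it is constructed: the record layout, the addresses, the 5-second interval (Carter's value) and the local network `10.0.0.0/24`. Real argus records carry many more fields, and ramon/ragator read them from a file or socket rather than from a list.

```python
"""Toy model of argus flow-status records, ragator-style merging and a
hostsvc-style summary.  Added example, not argus code; all data constructed."""
from collections import defaultdict
from dataclasses import dataclass, replace
import ipaddress


@dataclass
class FlowRecord:
    """A cut-down flow status record (constructed layout, not argus's own)."""
    start: float
    last: float
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    src_pkts: int
    dst_pkts: int
    src_bytes: int
    dst_bytes: int

    def key(self):
        # Direction-sensitive 5-tuple: a server-initiated late RST/FIN record
        # (reversed addresses) deliberately does NOT share a key with the flow.
        return (self.proto, self.saddr, self.sport, self.daddr, self.dport)


# Constructed sample: a 12-second HTTP connection reported with a 5-second
# status interval (three records for one flow), two short flows, and one
# late server->client record of the kind Russell mentions.
SAMPLE = [
    FlowRecord(0.0, 5.0, "tcp", "192.168.0.100", 35067, "10.0.0.7", 80, 40, 38, 4000, 30000),
    FlowRecord(5.0, 10.0, "tcp", "192.168.0.100", 35067, "10.0.0.7", 80, 35, 37, 3500, 29000),
    FlowRecord(10.0, 12.0, "tcp", "192.168.0.100", 35067, "10.0.0.7", 80, 5, 6, 500, 4000),
    FlowRecord(1.0, 2.0, "tcp", "192.168.0.55", 44210, "10.0.0.7", 80, 8, 8, 800, 6000),
    FlowRecord(3.0, 3.5, "udp", "192.168.0.55", 50000, "10.0.0.9", 53, 1, 1, 60, 120),
    FlowRecord(20.0, 20.0, "tcp", "10.0.0.7", 80, "192.168.0.100", 35067, 1, 0, 40, 0),
]


def merge_records(records):
    """Default ragator behaviour in miniature: fold every record that shares a
    5-tuple into one, widening the time span and summing the counters."""
    merged = {}
    for r in records:
        k = r.key()
        if k not in merged:
            merged[k] = replace(r)          # copy so SAMPLE is left untouched
            continue
        m = merged[k]
        m.start = min(m.start, r.start)
        m.last = max(m.last, r.last)
        m.src_pkts += r.src_pkts
        m.dst_pkts += r.dst_pkts
        m.src_bytes += r.src_bytes
        m.dst_bytes += r.dst_bytes
    return list(merged.values())


def host_services(records, local_net):
    """hostsvc-style summary over 'dst net <local_net>': which local hosts
    answered on which protocol/port, counted per record given.  Feed it the
    merged records to count connections rather than status records."""
    net = ipaddress.ip_network(local_net)
    summary = defaultdict(int)
    for r in records:
        if ipaddress.ip_address(r.daddr) in net:
            summary[(r.daddr, r.proto, r.dport)] += 1
    return dict(summary)


if __name__ == "__main__":
    merged = merge_records(SAMPLE)
    print(f"{len(SAMPLE)} status records -> {len(merged)} flows after merging")
    for r in merged:
        print(r)
    print("services on 10.0.0.0/24 (flows per server/port):")
    for (host, proto, port), n in sorted(host_services(merged, "10.0.0.0/24").items()):
        print(f"  {host:<12} {proto}/{port:<5} {n}")
```

Counting services over the raw status records would report the single long HTTP connection as several, which is why the merge step comes first; the reversed late record stays a separate entry, which matches what Russell describes seeing from servers that send RSTs or FINs after argus has already closed the flow.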