Multiple argus sensors

John Nagro john.nagro at gmail.com
Mon Jan 31 12:58:02 EST 2005


Thanks, I will check that out


On Mon, 31 Jan 2005 12:45:32 -0500, Carter Bullard <carter at qosient.com> wrote:
> Hey John,
>    In the argus.conf file it's the ARGUS_MONITOR_ID= field, or you can
> use the '-e value' option.  Sometimes it's more useful, if you're using
> an IP address as the ID, to put the actual address rather than the name.
> 
> Carter
> 
> > From: John Nagro <john.nagro at gmail.com>
> > Reply-To: John Nagro <john.nagro at gmail.com>
> > Date: Mon, 31 Jan 2005 12:31:05 -0500
> > To: Carter Bullard <carter at qosient.com>
> > Cc: Argus <argus-info at lists.andrew.cmu.edu>
> > Subject: Re: [ARGUS] Multiple argus sensors
> >
> > Carter,
> >
> > How does one go about properly setting a source ID for each sensor? I
> > looked in the config file and couldn't find it.
> >
> > -John
> >
> >
> > On Mon, 24 Jan 2005 12:10:13 -0500, Carter Bullard <carter at qosient.com> wrote:
> >> Hey John,
> >>    you can have up to 5 remote connections for any ra* program, just
> >> specify multiple -S options or put multiple servers in the
> >> .rarc file that you use for your client startup.
> >>
> >>    There are 2 fundamental problems.  Keeping the sources straight,
> >> so having good source IDs for your probes is important, and time
> >> synchronization, so that the probes are in the same ball park in
> >> time.
> >>
> >>    All the ra* programs can filter based on srcid, so as long as
> >> you have good probe IDs (different/consistent/same type), then
> >> you can separate the data as it comes in by probe.
> >>
> >>    The time thing is important to finding records to compare and
> >> using programs like rasort() can be used to open files from
> >> different probes and interleaving the records so you
> >> can make comparisons.
> >>
> >>    Keep the list up on anything that you run into, if you could
> >> please!!!!!
> >>
> >> Carter
> >>
> >>> From: John Nagro <john.nagro at gmail.com>
> >>> Reply-To: John Nagro <john.nagro at gmail.com>
> >>> Date: Thu, 20 Jan 2005 12:47:24 -0500
> >>> To: <argus-info at lists.andrew.cmu.edu>
> >>> Subject: [ARGUS] Multiple argus sensors
> >>>
> >>> Howdy Folks,
> >>>
> >>> A couple questions concerning the use of multiple argus sensors. I
> >>> want to monitor more of my network now, not just inbound/outbound to
> >>> the world, but a lot of internal traffic too. Can one instance of ra
> >>> listen to multiple sensors? Do the tools understand data-overlap? How
> >>> will this affect the way I have to manage data to get useful
> >>> information from it?
> >>>
> >>> Has anyone on the list deployed multiple sensors that work together?
> >>> What troubles did they run into?
> >>>
> >>> (this thread will probably make it into the docs I am working on for
> >>> the project so the more info the better)
> >>>
> >>> -John
> >>>
> >>> --
> >>> John Nagro
> >>> john.nagro at gmail.com
> >>>
> >>
> >>
> >
> >
> > --
> > John Nagro
> > john.nagro at gmail.com
> >
> 
> 


-- 
John Nagro
john.nagro at gmail.com
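
An added example, not part of the thread or the Argus project's own code: a Python check of the source-ID advice quoted above (IDs different, consistent, of the same type, and a literal address rather than a name) run over each sensor's argus.conf. The sensor names, the sample file contents, and the parsing rules (optional quotes, last uncommented assignment wins) are assumptions.

```python
import ipaddress
import re

# Constructed sample argus.conf contents, keyed by hypothetical sensor names.
SAMPLE_CONFS = {
    "dmz":   "# border probe\nARGUS_MONITOR_ID=192.0.2.10\n",
    "core":  "ARGUS_MONITOR_ID=192.0.2.11\n",
    "lab":   "ARGUS_MONITOR_ID=probe-lab\n",                              # a name
    "spare": "#ARGUS_MONITOR_ID=192.0.2.12\nARGUS_MONITOR_ID=192.0.2.10\n",  # reuses dmz
}
ID_LINE = re.compile(r'^\s*ARGUS_MONITOR_ID\s*=\s*"?([^"#\s]+)"?')

def monitor_id(conf_text):
    """Return the last uncommented ARGUS_MONITOR_ID value, or None (assumed rule)."""
    value = None
    for line in conf_text.splitlines():
        match = ID_LINE.match(line)
        if match:
            value = match.group(1)
    return value

def id_type(value):
    """Classify an ID as 'missing', 'ipv4', 'int' or 'name'."""
    if value is None:
        return "missing"
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        return "int" if value.isdigit() else "name"

def audit(confs):
    """Return (sensor, problem) findings for a set of sensor configurations."""
    ids = {name: monitor_id(text) for name, text in confs.items()}
    findings, seen = [], {}
    for name, value in sorted(ids.items()):
        kind = id_type(value)
        if kind == "missing":
            findings.append((name, "no ARGUS_MONITOR_ID set"))
            continue
        if kind == "name":
            findings.append((name, f"ID {value!r} is a name, not an address"))
        if value in seen:  # two probes with one ID cannot be separated by srcid
            findings.append((name, f"ID {value!r} already used by {seen[value]}"))
        seen.setdefault(value, name)
    kinds = {id_type(v) for v in ids.values()} - {"missing"}
    if len(kinds) > 1:
        findings.append(("*", "mixed ID types: " + ", ".join(sorted(kinds))))
    return findings

if __name__ == "__main__":
    for sensor, problem in audit(SAMPLE_CONFS):
        print(f"{sensor}: {problem}")
```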


