Argus duser field stays blank

Karl Tatgenhorst karlt at uchicago.edu
Wed Aug 9 14:12:14 EDT 2006



My new argus setup is pretty near production. Doing some initial
testing I did find a few odd behaviors. The first was that some ICMP
could trigger a segfault on the argus listener. We have excellent
coverage with flows and since ICMP rarely is interesting (in the payload
department) we opted to simply filter ICMP from argus, but I thought you
might like to know. The biggest thing for RA was that I usually do
-s +user on read argus; I notice it is now split into suser and duser, which
seems useful enough. However, when I do ra -d 128 -ns +duser I show no
payloads. Since I have 30,000 machines on my... test network I am sure
that I should see some payloads. Anyone have any ideas? Oh yeah, source
payloads show when I do +suser.

Thanks,

Karl
