Argus duser field stays blank

Russell Fulton r.fulton at auckland.ac.nz
Wed Aug 9 16:30:06 EDT 2006



Karl Tatgenhorst wrote:
> 
>    My new argus setup is pretty near production. Doing some initial
> testing I did find a few odd behaviors. The first was that some ICMP
> could trigger a segfault on the argus listener. We have excellent
> coverage with flows and since ICMP rarely is interesting (in the payload
> department) we opted to simply filter ICMP from argus, but I thought you
> might like to know.

This may be about to change -- in the last few days there have been
reports of spyware that use data in ICMP Echo packets to call home.
Shades of that old DDOS package with the German name that used ECR to
control the zombies.

Anyway, welcome to U Chicago to the already substantial group of academic
institutions that use argus to keep a handle on what is going on on
their networks.

Russell


