argus-3.0 conformance testing and website repository

carter at qosient.com
Sat Jun 24 10:18:04 EDT 2006


Hey Richard,
Arp can easily be represented as a bi-directional flow, where each request/response volley is an arp transaction, and the ethernet mac addresses and arp target address make up the flow key.  Programs like racluster() maintain that key definition, so that when you aggregate, say a day's worth of arp data, you get aggregate flow records, one for each unique arp req/rsp tuple.

What that means is you get one argus record for each event that arpwatch would generate, for the entire day.

A rarpwatch() program is a no-brainer, just using racluster() and perl.

What I was suggesting is that argus does a lot more than just IP flows, and we should find tools that get close to the same type of function, in order to test them as well.

Carter 

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "Richard Bejtlich" <taosecurity at gmail.com>
Date: Fri, 23 Jun 2006 20:40:54 
To: "Carter Bullard" <carter at qosient.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] argus-3.0 conformance testing and website repository

On 6/23/06, Carter Bullard <carter at qosient.com> wrote:
> Hey Richard,
>     That would be great!!!  After I put together some standard packet
> traces into a repository, we can use any tools to see what they
> do.   The comparison may give us some ideas as to how to
> improve argus, but really (just a personal political statement)
> I could care less what they do, as long as it's correct (whatever
> that means ;o)
>
>     So, I have an arp and traceroute capture file; the tools you mention
> don't do much with those, but these are real flows for argus.  We
> may have to compare argus to, what, arpwatch, in order to see what
> we could do?
>
> Carter

Hi Carter,

Maybe we could run the trace through all of the tools using an IP
filter, to get some sort of even comparison.

Arpwatch would only report the first time it sees a new MAC addr, or
when it sees a new IP addr assigned to an old MAC addr.  I'm not sure
what we could do about layer 2 sessions.

Sincerely,

Richard
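
As an added illustration of the aggregation and rarpwatch idea in Carter's reply, not code from the argus project or from either poster: it pairs ARP requests with their replies, keys each volley on (requester MAC, responder MAC, ARP target address) the way the message describes, and then raises the two events Richard attributes to arpwatch over the aggregated records. The packet lines and their text format are constructed for the example; a real version would read racluster() output instead.

```python
# Constructed ARP packets, not real ra/racluster output. One packet per line:
# op (req|rep), src MAC, dst MAC, ARP sender IP, ARP target IP.
ARP_PACKETS = """\
req aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff 10.0.0.1 10.0.0.2
rep aa:aa:aa:aa:aa:02 aa:aa:aa:aa:aa:01 10.0.0.2 10.0.0.1
req aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff 10.0.0.1 10.0.0.2
rep aa:aa:aa:aa:aa:02 aa:aa:aa:aa:aa:01 10.0.0.2 10.0.0.1
req aa:aa:aa:aa:aa:03 ff:ff:ff:ff:ff:ff 10.0.0.3 10.0.0.2
rep aa:aa:aa:aa:aa:02 aa:aa:aa:aa:aa:03 10.0.0.2 10.0.0.3
req aa:aa:aa:aa:aa:01 ff:ff:ff:ff:ff:ff 10.0.0.1 10.0.0.9
rep aa:aa:aa:aa:aa:02 aa:aa:aa:aa:aa:01 10.0.0.9 10.0.0.1
req aa:aa:aa:aa:aa:03 ff:ff:ff:ff:ff:ff 10.0.0.3 10.0.0.7
"""

def aggregate_arp_flows(text):
    """One record per (requester MAC, responder MAC, ARP target address) tuple."""
    pending = {}  # (requester MAC, target IP) -> requests not yet answered
    flows = {}    # flow key -> {"reqs": n, "rsps": n}, kept in first-seen order
    for line in text.splitlines():
        op, smac, dmac, sip, tip = line.split()
        if op == "req":
            pending[(smac, tip)] = pending.get((smac, tip), 0) + 1
        elif op == "rep" and pending.get((dmac, sip)):
            # reply back to the requester for the IP it asked about: one volley closes
            pending[(dmac, sip)] -= 1
            rec = flows.setdefault((dmac, smac, sip), {"reqs": 0, "rsps": 0})
            rec["reqs"] += 1
            rec["rsps"] += 1
    for (rmac, tip), n in pending.items():  # requests nobody answered
        if n:
            flows.setdefault((rmac, "-", tip), {"reqs": 0, "rsps": 0})["reqs"] += n
    return flows

def rarpwatch(flows):
    """arpwatch-style events from the aggregated records, in first-seen order."""
    seen, events = {}, []  # responder MAC -> set of IPs it has answered for
    for (_requester, rmac, ip) in flows:
        if rmac == "-":  # unanswered request: nothing learned about a station
            continue
        if rmac not in seen:
            events.append(("new station", rmac, ip))
            seen[rmac] = {ip}
        elif ip not in seen[rmac]:
            events.append(("new ip for known mac", rmac, ip))
            seen[rmac].add(ip)
    return events

if __name__ == "__main__":
    flows = aggregate_arp_flows(ARP_PACKETS)
    print(*flows.items(), *rarpwatch(flows), sep="\n")
```

Replies with no pending request (gratuitous or unsolicited ARP) are dropped here rather than keyed, which a real monitor would want to record.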


