argus-clients-3.0.0.rc.14

Peter Van Epp vanepp at sfu.ca
Wed Jun 28 23:01:54 EDT 2006


	Time for a feature request :-). There is a neat new feature (not yet
in the man page) for the argus.conf file:

ARGUS_PACKET_CAPTURE_FILE=/home/vanepp/argus.tcp

which dumps the libpcap data to a file (which can be moved at which point it
is recreated like the argus file). I just used it to grab the fragmentation 
fault that is causing argus-3.0 to stop on my backbone link. Now what I'd like
is twofold: for the error to not cause argus to exit (because that provides
a way to evade argus by continuously sending frags to keep it exited while I
attack) and instead to write the disagreeable packet in libpcap format to 
a file (ARGUS_PACKET_ERROR_FILE?) so we can see what it was unhappy with and
then continue in pretty much all cases. That way argus can't be bypassed. With
sufficient hardware it can do wire speed and there isn't anything an attacker
can do to not get seen (and we get error packets to look at / fix!).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
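The behaviour requested above (write the offending packet to an error file in libpcap format and keep processing rather than exit), as an added Python sketch that is not argus code. The header checks, the constructed frames and the error file name are assumptions for illustration only.

```python
import struct

# libpcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, DLT_EN10MB
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
ERROR_FILE = "argus_packet_errors.pcap"  # hypothetical name, not an argus option


class PacketError(Exception):
    """Raised for a frame whose IPv4 headers are internally inconsistent."""


def pcap_record(ts_sec, ts_usec, frame):
    """One libpcap record: ts_sec, ts_usec, incl_len, orig_len, then the bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def parse_ipv4_fragment(frame):
    """Minimal Ethernet/IPv4 check; returns fragment info or raises PacketError."""
    if len(frame) < 14 + 20:
        raise PacketError("truncated frame")
    if frame[12:14] != b"\x08\x00":
        return None  # not IPv4, nothing to validate here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(ip):
        raise PacketError("bad IHL")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl or total_len > len(ip):
        raise PacketError("bad total length")
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    offset = (flags_frag & 0x1FFF) * 8
    if offset + (total_len - ihl) > 65535:
        raise PacketError("fragment extends past 64K")
    return {"mf": bool(flags_frag & 0x2000), "offset": offset,
            "payload_len": total_len - ihl}


def triage(records):
    """Check each (ts, frame); bad frames go to an error pcap, the loop goes on."""
    good, err = 0, bytearray(PCAP_GLOBAL_HDR)
    for ts, frame in records:
        try:
            parse_ipv4_fragment(frame)
            good += 1
        except PacketError:
            err += pcap_record(ts, 0, frame)  # keep the evidence, do not exit
    return good, bytes(err)


def ipv4_frame(total_len, flags_frag, payload):
    """Constructed Ethernet/IPv4 frame for the demo (checksum left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                         64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip_hdr + payload


# Constructed sample: one sane first fragment, one with total length below
# the header size, one whose offset pushes the payload past 65535 bytes.
SAMPLE_RECORDS = [
    (1151542914, ipv4_frame(28, 0x2000, b"A" * 8)),
    (1151542915, ipv4_frame(10, 0x2000, b"B" * 8)),
    (1151542916, ipv4_frame(28, 0x1FFF, b"C" * 8)),
]

if __name__ == "__main__":
    ok, error_pcap = triage(SAMPLE_RECORDS)
    with open(ERROR_FILE, "wb") as f:
        f.write(error_pcap)
    print(f"{ok} packets processed, {len(SAMPLE_RECORDS) - ok} written to {ERROR_FILE}")
```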