looking for ideas...
Carter Bullard
carter at qosient.com
Fri Nov 17 13:16:23 EST 2006
Sorry for the delay in responding.
Well, if you want to reject the scanners, look for traffic that is "con"nected, or bidirectional. That will get rid of most of it.
ra -r file - con
or
ra -r file - dst pkts gt 0
you can filter for traffic that has "data", if your argus is configured to generate appbyte data. That will allow you to pick traffic that has some aspect of data transfer, which eliminates many of the probes and scans and availability failures.
ra -r file - data
play with some of these to see if it generates what you're interested in.
also check out the inverse filters to see if it's rejecting what you're not interested in:
ra -r file - not data
Carter
On Nov 15, 2006, at 5:41 PM, poncenby smythe wrote:
> List,
>
> Does anyone know how to get the top 10 or just top IP which
> initiates the most meaningful* connections?
>
> By meaningful I mean flows that can be programmatically determined
> to be human/scheduled events with reasonable payloads and meaning,
> aiming to eliminate the IPs which repeatedly scan and could
> conceivably be the top flow initiator.
>
> Hope it makes sense,
>
> poncenby
>
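The ranking step the original question asked for (top source addresses by "meaningful" flows) is not spelled out in the reply above, which only gives the ra filters. The script below is an added example, not code from the argus project or from either poster. It applies the same three criteria (no filter, bidirectional via dst pkts > 0, and application payload present) to flow records and ranks the initiating addresses, so the scanner that tops the raw count drops out once the filters are applied. It assumes the records were exported from ra as comma-separated text with the field names saddr, daddr, dport, spkts, dpkts, sappbytes and dappbytes (for example with `ra -r file -n -c , -s saddr daddr dport spkts dpkts sappbytes dappbytes`); the sample records embedded in it are constructed for illustration.

```python
#!/usr/bin/env python3
"""Rank flow initiators after applying the 'con'/'dst pkts gt 0' and 'data'
style filters from the argus list reply. Added example; not argus code."""
import csv
import io
from collections import Counter

# Constructed sample in the shape of ra CSV output (assumed export command:
# ra -r file -n -c , -s saddr daddr dport spkts dpkts sappbytes dappbytes).
# 10.0.0.5 sends five one-packet probes (no reply, no payload) plus one real
# session; 10.0.0.7 has three real sessions; 10.0.0.9 completes two
# handshakes without payload plus one session with payload.
SAMPLE_RA_OUTPUT = """saddr,daddr,dport,spkts,dpkts,sappbytes,dappbytes
10.0.0.5,10.0.1.10,22,1,0,0,0
10.0.0.5,10.0.1.11,22,1,0,0,0
10.0.0.5,10.0.1.12,22,1,0,0,0
10.0.0.5,10.0.1.13,22,1,0,0,0
10.0.0.5,10.0.1.14,22,1,0,0,0
10.0.0.5,10.0.1.20,443,12,10,1200,3400
10.0.0.7,10.0.2.1,80,9,8,412,5120
10.0.0.7,10.0.2.2,80,7,6,380,2048
10.0.0.7,10.0.2.3,443,15,14,900,8800
10.0.0.9,10.0.2.1,80,3,2,0,0
10.0.0.9,10.0.2.2,80,3,2,0,0
10.0.0.9,10.0.2.3,25,11,9,600,300
"""

COUNTER_FIELDS = ("spkts", "dpkts", "sappbytes", "dappbytes")


def parse_records(text):
    """Parse comma-separated ra output into dicts with integer counters."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    records = []
    for row in reader:
        rec = {"saddr": row["saddr"], "daddr": row["daddr"],
               "dport": int(row["dport"])}
        for field in COUNTER_FIELDS:
            rec[field] = int(row[field])
        records.append(rec)
    return records


def is_bidirectional(rec):
    """Same idea as 'ra -r file - dst pkts gt 0': the destination answered.
    (ra's own 'con' filter tests connection state; this approximates it.)"""
    return rec["dpkts"] > 0


def has_data(rec):
    """Same idea as 'ra -r file - data': application payload either way.
    Requires argus to have been configured to produce appbyte counts."""
    return rec["sappbytes"] + rec["dappbytes"] > 0


FILTERS = {
    "none": lambda r: True,                  # raw count; scanners win
    "con": is_bidirectional,                 # drop unanswered probes
    "data": lambda r: is_bidirectional(r) and has_data(r),  # real transfers
}


def top_initiators(records, mode="data", n=10):
    """Return [(saddr, flow_count), ...] for the top n initiators after
    applying the named filter. Ties are broken by address so the order is
    deterministic."""
    keep = [r for r in records if FILTERS[mode](r)]
    counts = Counter(r["saddr"] for r in keep)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RA_OUTPUT)
    for mode in ("none", "con", "data"):
        print(f"filter={mode}:")
        for saddr, count in top_initiators(recs, mode=mode):
            print(f"  {saddr:<12} {count}")
```

Running it shows the scanner 10.0.0.5 at the top of the unfiltered count with 6 flows, dropping to a single flow under either filter, while 10.0.0.7 leads once only answered or payload-carrying flows are counted. On real data, the same ranking can be produced inside argus by feeding the filtered records through racluster and rasort instead of this script.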