Directionality

Earl esammons at hush.com
Sat Sep 9 17:39:17 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Carter,

This works for now.  I'll ping you out-of-band if I have any
specifics.  Thanks for taking time to share the vision.

Earl

On Fri, 08 Sep 2006 10:11:04 -0400 Carter Bullard
<carter at qosient.com> wrote:
>Hey Earl,
>The changes between 2.x and 3.0 are rather extensive, and of
>course the 3.0 branch has a few bugs still, so a description of the
>actual changes that impact directionality is probably a bit premature.
>
>I can say, however, what we're trying to achieve.  Argus, from v 0.9-2.x,
>has tried very hard to determine the originator of a flow, so that for
>protocols such as UDP/TCP, the destination port number would represent
>the actual service port number of the flow.  This has worked well, in both
>symmetric and asymmetric routing networks, but it can be fooled by
>stealthy scan methods (TCP syn_ack and some rare RST
>scans can be reported to be going in the opposite direction).
>
>Before 3.0, Argus would try to do the directionality, but in 3.0, we're
>shifting that responsibility to the clients.  The goal is to make Argus
>less complex and accurate for what it observes (rather than what
>it thinks it observes), which should enable the client the flexibility to
>"correct" the direction if the user wants that functionality (that will
>be the default).  The concept is that argus will tell you what was on
>the wire, with enough additional information so that the clients can
>figure out what it really means, if anything.
>
>In our testing, we're close, and I'm working on fixing a bug that Peter
>noticed.  Once we're done, Argus 3.0 should be considered more
>accurate than Argus 2.x.
>
>If you'd like more detail on how the directionality is reported, send
>email and I'll try to fill in the gaps.
>
>Carter
>
>
>
>On Sep 8, 2006, at 9:47 AM, Earl wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> Is there any info available anywhere or can someone point out
>> changes (if any) in the 3.x branch over the 2.x branch of the logic
>> argus utilizes to determine directionality?
>>
>> Thanks.
>>
>> Earl
>> -----BEGIN PGP SIGNATURE-----
>> Note: This signature can be verified at https://www.hushtools.com/verify
>> Version: Hush 2.5
>>
>> wkYEARECAAYFAkUBfmwACgkQk7+e+4lPSm38xACeLd8gWk+sdVZMba56aKFNa957fHYA
>> n0x6vOEzrw8WkjYuM4fpU1ftOV2M
>> =vewB
>> -----END PGP SIGNATURE-----
>>
>>
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wkYEARECAAYFAkUDOQYACgkQk7+e+4lPSm38jQCdEVb1UMRcnLoElzOlXv2/P1xjMFAA
n2y1DwpuQVNhVvC2YiOu8KpdaBTd
=SUlI
-----END PGP SIGNATURE-----
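The client-side step Carter describes, as an added illustration in Python (my own code, not anything from the Argus project or this thread): the sensor reports a flow in the order it was seen on the wire together with the TCP flags of the first packet in each direction, and the client decides whether that order is the real client-to-server direction. A port-only rule like the 2.x behaviour is kept as the fallback, but the two cases named in the thread that fool it (a record opened by a SYN/ACK, and a lone RST) are recognised and flagged instead of being silently flipped. The record field names, the flag constants, the 1024 service-port threshold and all sample records are assumptions constructed for this example.

```python
# Added example (not Argus code): client-side directionality check over
# flow records of the kind the thread describes. Field names, the flag
# constants and the WELL_KNOWN threshold are assumptions for illustration.
from dataclasses import dataclass, replace
from typing import Optional

# Standard TCP flag bits.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
WELL_KNOWN = 1024  # ports below this are treated as service ports (assumed threshold)


@dataclass(frozen=True)
class Flow:
    """One flow record as the sensor saw it on the wire (field names assumed)."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str              # "tcp" or "udp"
    first_flags: int = 0    # TCP flags on the first packet seen src->dst
    reply_flags: int = 0    # TCP flags on the first packet seen dst->src (0 = none)


@dataclass(frozen=True)
class Verdict:
    originator: str   # "src", "dst" or "unknown"
    reason: str
    suspicious: bool  # True when the record looks like a scan artefact


def port_heuristic(sport: int, dport: int) -> Optional[str]:
    """The 2.x-style rule: the service port should be the destination.
    Returns 'src' if the record already reads client->server, 'dst' if it
    looks reversed, None if the ports do not decide."""
    if dport < WELL_KNOWN <= sport:
        return "src"
    if sport < WELL_KNOWN <= dport:
        return "dst"
    return None


def classify(flow: Flow) -> Verdict:
    """Decide who originated the flow from what was observed, flagging the
    SYN/ACK and lone-RST cases that fool a port-only rule."""
    if flow.proto == "tcp":
        f = flow.first_flags
        if f & SYN and not f & ACK:
            return Verdict("src", "first packet is a bare SYN", False)
        if f & SYN and f & ACK:
            # A SYN/ACK opened the record: either the SYN travelled a path the
            # sensor does not see (asymmetric route) or this is a SYN/ACK probe.
            if port_heuristic(flow.sport, flow.dport) == "dst":
                return Verdict("dst", "SYN/ACK from a service port; SYN not observed", False)
            return Verdict("src", "SYN/ACK not from a service port; possible SYN/ACK probe", True)
        if f & RST and flow.reply_flags == 0:
            return Verdict("unknown", "lone RST with no reply", True)
    guess = port_heuristic(flow.sport, flow.dport)
    if guess is None:
        return Verdict("src", "ports do not decide; keeping observed order", False)
    return Verdict(guess, "port heuristic", False)


def normalize(flow: Flow) -> Flow:
    """Return the record with src/dst swapped when the client decides the
    observed order is reversed; otherwise the record unchanged."""
    if classify(flow).originator != "dst":
        return flow
    return replace(flow, saddr=flow.daddr, sport=flow.dport,
                   daddr=flow.saddr, dport=flow.sport,
                   first_flags=flow.reply_flags, reply_flags=flow.first_flags)


# Constructed sample records (not real traffic).
SAMPLES = [
    Flow("10.0.0.5", 51234, "10.0.0.80", 80, "tcp", SYN, SYN | ACK),   # normal connect
    Flow("10.0.0.80", 80, "10.0.0.5", 51234, "tcp", SYN | ACK, ACK),   # SYN not seen
    Flow("192.0.2.9", 40000, "10.0.0.80", 22, "tcp", SYN | ACK, RST),  # SYN/ACK probe
    Flow("192.0.2.9", 40001, "10.0.0.80", 22, "tcp", RST, 0),          # lone RST
    Flow("10.0.0.5", 53222, "10.0.0.53", 53, "udp"),                   # DNS query
    Flow("10.0.0.53", 53, "10.0.0.5", 53222, "udp"),                   # reversed DNS
]

if __name__ == "__main__":
    for fl in SAMPLES:
        v = classify(fl)
        print(f"{fl.saddr}:{fl.sport} -> {fl.daddr}:{fl.dport} {fl.proto}: "
              f"originator={v.originator} suspicious={v.suspicious} ({v.reason})")
```

The design point is the one in the thread: `classify` never discards what the sensor saw. The SYN/ACK-opened record from a service port is corrected because the most likely explanation is a missed SYN, while the same flags arriving from an ephemeral port are kept in observed order and marked suspicious, so a consumer can treat them as a probe rather than as a reversed service flow.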




