Graph of the Week at http://qosient.com/argus
carter at qosient.com
Fri Sep 15 10:03:28 EDT 2006
Hey Richard, et al,
Why doesn't Sguil eat Argus records yet ;o)
So I have an argus client that reads snort configuration files and formulates the strategies, but haven't had the time to put the last part to it, the offset byte comparisons. I left that because it looked to be the easiest, and so fell to the bottom of the heap.
Anyone care to take it and finish the job? Argus data can easily drive snort filters, except for the deep packet tests looking for 'root' and things like that, so it should be a no-brainer!
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: "Richard Bejtlich" <taosecurity at gmail.com>
Date: Thu, 14 Sep 2006 09:25:31
To:"Olaf Gellert" <olaf.gellert at intrusion-lab.net>
Cc:Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Graph of the Week at http://qosient.com/argus
On 9/14/06, Olaf Gellert <olaf.gellert at intrusion-lab.net> wrote:
> With prelude we collect SNORT data and ARGUS data
> so we can match them. This is pretty handy: For every alert from
> snort (which only lists the contents of the packet that raised the
> alert) we get additional data from argus (packet and byte count
> of the connection, start and end time of the connection). And of
> course we are especially interested in evaluating those argus
> records that have not raised a snort alert but look fishy (that gives
> way to anomaly detection). But this is still unfinished work.
>
Hi Olaf,
If you like that you should try Sguil (www.sguil.net).
While we don't support Argus records natively yet, we're looking at an
API for arbitrary data sources, like Argus (probably for Sguil 2.0).
Sincerely,
Richard
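As an added illustration of the approach Carter describes above (reading Snort rules and applying everything except the payload tests to Argus flow records) and of the per-flow packet and byte counts Olaf mentions, the following Python is an example written for this page; it is not Carter's client and not code from the Argus, Snort or Sguil projects. It assumes constructed Snort variable definitions (SNORT_VARS), a handful of constructed flow records shaped like ra(1) output fields (FLOWS), and a deliberately simplified rule grammar: single ports or a `lo:hi` range, CIDR or bracketed address lists, `!` negation, and no `;` inside option values. A rule whose header matches a flow is reported as a plain match, unless it also carries content, pcre, byte_test or similar options, in which case it is only a candidate because a flow record cannot evaluate the payload test.

```python
import ipaddress
import re

# Constructed stand-ins for Snort's variable definitions (assumption, not from the thread).
SNORT_VARS = {
    "$HOME_NET": "10.0.0.0/8",
    "$EXTERNAL_NET": "!10.0.0.0/8",
}

# Rule options that inspect packet payload; a flow record cannot decide these.
PAYLOAD_OPTIONS = {"content", "uricontent", "pcre", "byte_test", "byte_jump",
                   "byte_extract", "isdataat"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def _resolve(spec):
    """Replace a $VARIABLE with its definition; other specs pass through."""
    return SNORT_VARS.get(spec, spec)


def ip_matches(spec, addr):
    spec = _resolve(spec)
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(s.strip(), addr) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    spec = _resolve(spec)
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax lo:hi, either side may be empty
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def parse_rule(text):
    """Split a Snort rule into its header fields and an option dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):  # simplification: no ';' inside values
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip())
    rule["opts"] = opts
    rule["sid"] = opts.get("sid", ["?"])[0]
    rule["msg"] = opts.get("msg", [""])[0].strip('"')
    rule["needs_payload"] = bool(PAYLOAD_OPTIONS.intersection(opts))
    return rule


def _one_way(rule, src, sport, dst, dport):
    return (ip_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and ip_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def flow_matches(rule, flow):
    """Apply the rule header to a flow. Argus records are bidirectional with the
    initiator as saddr, so '->' is tested against the initiating direction."""
    if rule["proto"] != "ip" and rule["proto"] != flow["proto"]:
        return False
    fwd = _one_way(rule, flow["saddr"], flow["sport"], flow["daddr"], flow["dport"])
    if rule["dir"] == "<>":
        return fwd or _one_way(rule, flow["daddr"], flow["dport"],
                               flow["saddr"], flow["sport"])
    return fwd


def evaluate(rules, flows):
    """Return (sid, flow index, verdict) triples: 'match' when the header alone
    decides, 'candidate' when a payload test would still have to be run."""
    hits = []
    for r in rules:
        for i, f in enumerate(flows):
            if flow_matches(r, f):
                hits.append((r["sid"], i, "candidate" if r["needs_payload"] else "match"))
    return hits


# Constructed sample rules and flow records (not from the thread).
SNORT_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH from outside"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet root login"; content:"root"; sid:1000002;)',
    'alert udp any any -> $HOME_NET 1:1023 (msg:"UDP to privileged port"; sid:1000003;)',
]
FLOWS = [
    {"proto": "tcp", "saddr": "203.0.113.5", "sport": 51234, "daddr": "10.1.2.3", "dport": 22, "pkts": 40, "bytes": 6100},
    {"proto": "tcp", "saddr": "203.0.113.9", "sport": 40000, "daddr": "10.1.2.4", "dport": 23, "pkts": 12, "bytes": 900},
    {"proto": "udp", "saddr": "10.1.2.3", "sport": 5353, "daddr": "10.1.2.250", "dport": 53, "pkts": 2, "bytes": 140},
    {"proto": "tcp", "saddr": "10.1.2.3", "sport": 33000, "daddr": "10.1.2.4", "dport": 22, "pkts": 20, "bytes": 3000},
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SNORT_RULES]
    for sid, i, verdict in evaluate(rules, FLOWS):
        f = FLOWS[i]
        # The flow record supplies the counts a packet-based alert lacks.
        print(sid, verdict, f["saddr"], "->", f["daddr"], f["dport"], f["pkts"], "pkts", f["bytes"], "bytes")
```

The candidate verdict is the gap Carter points at: the rule header narrows the flow set, but deciding whether 'root' appeared in the telnet session still needs packet or captured user data, so the flow-only pass can at most hand those flows to a payload-aware tool.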