Argus - Anomaly Detection

carter at qosient.com
Sat Sep 23 19:02:06 EDT 2006


Hey CS,
Yes, argus provides a lot of data that can be useful.  With any IP record, you can print out the "sipid" and "dipid", and there are the "stcpb" and "dtcpb" for the src and dst TCP base sequence numbers.  There is more info, of course, so if you have a specific value that you need and we don't have it, we can always add it.

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "CS Lee" <geek00l at gmail.com>
Date: Sat, 23 Sep 2006 23:08:09 
To:argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Argus - Anomaly Detection

Hi all,

Does argus include IP ID and seq numbers in its flow data as well? I have seen some neat code on using the TCP header and IP header for covert channels. Or has anyone done this kind of detection using argus and would like to share it, such as building a profile of a certain OS's IPID and seq num implementation to detect abnormal traffic? It would be good to share, since this kind of traffic can't be detected via payloads, only header-wise.

Cheers.

-- 
Best Regards,

CS Lee<geekooL[at]gmail.com> 
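The kind of header-level profiling CS Lee asks about, built on the fields Carter names, as an added example that is not part of the thread and not argus code. It assumes the input is the whitespace-separated text that `ra -s stime saddr daddr sipid dipid stcpb dtcpb` would print, with the counter fields in decimal (an assumption; check your ra output format), and the sample records are constructed by hand. Per source host it learns whether the IP-ID generator is zero, a global counter, or random from the first few flows, then flags later flows whose IP-ID step breaks that profile; a second, heuristic pass labels hosts whose TCP base sequence numbers advance by small steps between flows as predictable. The thresholds are illustrative choices, not values from argus.

```python
"""Profile per-host IP-ID and TCP-ISN behaviour from argus flow records.

Added example, not argus code. Input is assumed to be the text that
`ra -s stime saddr daddr sipid dipid stcpb dtcpb` prints, counters in decimal.
"""
from collections import defaultdict

# Constructed sample (not real ra output): three source hosts with a global
# IP-ID counter (10.0.0.5), a constant zero IP ID (10.0.0.9) and random IDs (10.0.0.7).
SAMPLE = """\
1159059000.00 10.0.0.5 192.168.1.10 1001 30001 1000000 2000000
1159059000.20 10.0.0.5 192.168.1.11 1002 30010 1000500 2000500
1159059000.40 10.0.0.5 192.168.1.12 1003 30020 1001000 2001000
1159059000.60 10.0.0.5 192.168.1.13 1005 30030 1001500 2001500
1159059000.80 10.0.0.5 192.168.1.14 1006 30040 1002000 2002000
1159059001.00 10.0.0.5 192.168.1.15 1007 30050 1002500 2002500
1159059001.20 10.0.0.5 192.168.1.16 40000 30060 1003000 2003000
1159059001.40 10.0.0.5 192.168.1.17 40001 30070 1003500 2003500
1159059000.10 10.0.0.9 192.168.1.10 0 30001 3000000 4000000
1159059000.30 10.0.0.9 192.168.1.11 0 30011 3100000 4100000
1159059000.50 10.0.0.9 192.168.1.12 0 30021 3200000 4200000
1159059000.70 10.0.0.9 192.168.1.13 0 30031 3300000 4300000
1159059000.90 10.0.0.9 192.168.1.14 0 30041 3400000 4400000
1159059001.10 10.0.0.9 192.168.1.15 0 30051 3500000 4500000
1159059000.15 10.0.0.7 192.168.1.10 51234 30002 123456789 987654321
1159059000.35 10.0.0.7 192.168.1.11 3 30012 4000000000 11111111
1159059000.55 10.0.0.7 192.168.1.12 61000 30022 22222222 3333333333
1159059000.75 10.0.0.7 192.168.1.13 20111 30032 777777777 44444444
1159059000.95 10.0.0.7 192.168.1.14 777 30042 1234 5678
"""

FIELDS = ("stime", "saddr", "daddr", "sipid", "dipid", "stcpb", "dtcpb")
BASELINE = 4          # IP-ID deltas used to learn a host's generator (illustrative)
INCR_MAX = 1024       # largest IP-ID step still treated as a global counter (illustrative)
ISN_STEP_MAX = 1 << 20  # ISN step below which we call the generator predictable (illustrative)


def parse_records(text):
    """Parse ra-style lines into dicts; skip blank, comment and malformed lines."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0].startswith("#"):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["stime"] = float(rec["stime"])
        for key in ("sipid", "dipid", "stcpb", "dtcpb"):
            rec[key] = int(rec[key])
        recs.append(rec)
    return recs


def deltas_by_host(recs, field, modulus):
    """Per source host, consecutive differences of `field` in flow start order,
    reduced modulo the field width so counter wrap-around looks like a small step."""
    by_host = defaultdict(list)
    for rec in sorted(recs, key=lambda r: r["stime"]):
        by_host[rec["saddr"]].append(rec[field])
    return {host: [(b - a) % modulus for a, b in zip(vals, vals[1:])]
            for host, vals in by_host.items()}


def classify_ipid(deltas):
    """Label an IP-ID generator from its first BASELINE deltas."""
    base = deltas[:BASELINE]
    if len(base) < BASELINE:
        return "unknown"
    if all(d == 0 for d in base):
        return "zero"
    if all(1 <= d <= INCR_MAX for d in base):
        return "incremental"
    return "random"


def ipid_anomalies(recs):
    """Flows (after the baseline) whose IP-ID step breaks the host's learned profile.
    Returns (host, flow index within host, delta, profile) tuples."""
    findings = []
    for host, deltas in deltas_by_host(recs, "sipid", 1 << 16).items():
        label = classify_ipid(deltas)
        for i in range(BASELINE, len(deltas)):
            d = deltas[i]
            broken = (label == "zero" and d != 0) or \
                     (label == "incremental" and not 1 <= d <= INCR_MAX)
            if broken:
                findings.append((host, i + 1, d, label))
    return findings


def isn_profile(recs):
    """Heuristic: a host whose TCP base sequence numbers move by small steps
    between successive flows looks like a global ISN counter (predictable)."""
    out = {}
    for host, deltas in deltas_by_host(recs, "stcpb", 1 << 32).items():
        if len(deltas) < BASELINE:
            out[host] = "unknown"
        elif all(d <= ISN_STEP_MAX for d in deltas):
            out[host] = "predictable"
        else:
            out[host] = "unpredictable"
    return out


if __name__ == "__main__":
    records = parse_records(SAMPLE)
    for host, idx, delta, label in ipid_anomalies(records):
        print(f"{host}: flow #{idx} IP-ID step {delta} breaks '{label}' profile")
    for host, label in isn_profile(records).items():
        print(f"{host}: ISN generator {label}")
```

In a real deployment the baseline would be learned over many more flows, and a host legitimately sending traffic the sensor does not see will show larger IP-ID steps than the constructed data here, so INCR_MAX has to be tuned to the vantage point rather than copied.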

