Argus-info Digest, Vol 28, Issue 7

CS Lee geek00l at gmail.com
Wed Dec 12 09:21:47 EST 2007


Hi Esteban,

From what I understand, the con filter is used to filter all the connected
TCP connections. Therefore, if you are using the filter -

not tcp and con

This warning message is exactly right -

ArgusFilterCompile: expression rejects all records

Because con is a filter for the tcp proto only, and if it is not tcp then you will
get "filter expression rejects all records" because none of them match.
Carter will have a better explanation if he is around.

Cheers ;]


On Dec 12, 2007 1:00 AM, <argus-info-request at lists.andrew.cmu.edu> wrote:

> Send Argus-info mailing list submissions to
>        argus-info at lists.andrew.cmu.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
> or, via email, send a message with subject or body 'help' to
>        argus-info-request at lists.andrew.cmu.edu
>
> You can reach the person managing the list at
>        argus-info-owner at lists.andrew.cmu.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Argus-info digest..."
>
>
> Today's Topics:
>
>   1. Re:  Omitting data with dir = <?> (Esteban G)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Dec 2007 13:58:15 -0800
> From: "Esteban G" <infoape at gmail.com>
> Subject: Re: [ARGUS] Omitting data with dir = <?>
> To: argus-info at lists.andrew.cmu.edu
> Message-ID:
>        <f3bf2a990712101358h5a04f747qac68d0867bdc5e54 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On a related question. Sometime ago you provided the following command
> line as an example for splitting out the servers observed by a sensor
> into directories based on IP:
> rasplit -R data -M time 1d -w servers/\$daddr/argus.%Y.%m.%d.%H.%M.%S \
>           - \( tcp and syn and synack \) or \( not tcp and con \)
>
> When I do this, the output is really nice. However, I am only seeing
> the tcp traffic and nothing from the "(not tcp and con)" filter. When
> I run ra -n -r <data> - "(not tcp and con)", I get the complaint:
> ArgusFilterCompile: expression rejects all records
>
>
> -Esteban
>
>
> On 12/3/07, Carter Bullard <carter at qosient.com> wrote:
> > Hey Wolfgang,
> >   The ? is caused by not seeing the tcp syn or synack, so ...
> >
> >   -- (syn or synack) or not tcp
> >
> > Should do the trick.
> >
> > Carter
> >
> >
> > Carter Bullard
> > QoSient LLC
> > 150 E. 57th Street Suite 12D
> > New York, New York 10022
> > +1 212 588-9133 Phone
> > +1 212 588-9134 Fax
> >
> > -----Original Message-----
> > From: wob at swobspace.de (Wolfgang Barth)
> >
> > Date: Fri, 30 Nov 2007 17:45:21
> > To:argus-info at lists.andrew.cmu.edu
> > Subject: [ARGUS] Omitting data with dir = <?>
> >
> >
> > Hi,
> >
> > I want to omit records with unknown direction (dir = <?>). How can I
> > filter out such records with ra?
> >
> > Wolfgang
> > --
> > <wob (at) swobspace de> * http://www.swobspace.de
> >
> >
> >
>
>
> ------------------------------
>
> _______________________________________________
> Argus-info mailing list
> Argus-info at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>
>
> End of Argus-info Digest, Vol 28, Issue 7
> *****************************************
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>

http://geek00l.blogspot.com
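The thread above filters inside ra/rasplit with expressions such as "(syn or synack) or not tcp". As an added example (not code from this thread or from the argus project), the script below does the same job one step later, on ra's printed output: it drops every record whose Dir column contains a "?" (one of <?>, ?> or <?), which is what argus prints when it never saw the TCP SYN/SYN-ACK and so could not establish the initiator. It assumes ra's default text layout with a Dir column; the column positions are not relied on, only the direction token itself, and the sample records embedded in it are constructed, not a real capture. Filtering in ra itself is still preferable when the filter expression does what you want, since this only trims text that has already been produced.

```python
"""Drop argus records with unknown direction by post-processing ra text output.

Added example, not from the argus project or this thread. Assumes ra's default
human-readable layout, in which a Dir column carries one of DIR_TOKENS below.
Usage:  ra -n -r data | python3 drop_unknown_dir.py
"""
import sys
from typing import Dict, Iterable, List, Optional

# Direction strings ra prints. A '?' in the token means argus did not see
# enough (e.g. no SYN / SYN-ACK for TCP) to tell which side initiated the flow.
DIR_TOKENS = {"->", "<-", "<->", "<?>", "?>", "<?"}

# Constructed sample output, modelled on ra's default columns (not a capture).
SAMPLE_RA_OUTPUT = [
    "         StartTime  Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State",
    "07:12:01.123456  e         tcp     192.0.2.10.53322    ->      198.51.100.5.80        12       1340   FIN",
    "07:12:03.500000  e         tcp     192.0.2.11.4433     <?>     198.51.100.7.443        6        720   CON",
    "07:12:05.000001  e         udp     192.0.2.12.5353     <->     224.0.0.251.5353        2        180   CON",
    "07:12:06.000002  e         tcp     192.0.2.13.3389     ?>      198.51.100.9.3389       3        240   RST",
]


def find_dir(line: str) -> Optional[str]:
    """Return the Dir token of one ra record, or None if the line has none."""
    for tok in line.split():
        if tok in DIR_TOKENS:
            return tok
    return None


def is_unknown_dir(dir_token: str) -> bool:
    """True for <?>, ?> and <? : argus could not establish the initiator."""
    return "?" in dir_token


def drop_unknown_dir(lines: Iterable[str], keep_unparsed: bool = False) -> List[str]:
    """Keep the column header and every record whose direction is known.

    Lines with no recognisable Dir token (continuation or malformed lines)
    are dropped unless keep_unparsed is set, so a bad line never slips
    through as if it were directed traffic.
    """
    kept: List[str] = []
    for line in lines:
        toks = line.split()
        if not toks:
            continue
        if "Dir" in toks and "StartTime" in toks:   # ra's column header line
            kept.append(line)
            continue
        d = find_dir(line)
        if d is None:
            if keep_unparsed:
                kept.append(line)
            continue
        if not is_unknown_dir(d):
            kept.append(line)
    return kept


def count_by_dir(lines: Iterable[str]) -> Dict[str, int]:
    """Tally records per Dir token, to see how much <?> traffic a sensor produces."""
    counts: Dict[str, int] = {}
    for line in lines:
        d = find_dir(line)
        if d is not None:
            counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    # Read ra output from a pipe; fall back to the constructed sample when run bare.
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_RA_OUTPUT
    for out in drop_unknown_dir(src):
        print(out)
```

Run it bare to see the constructed sample reduced to the two records with a known direction, or pipe real ra output into it; count_by_dir is useful first, to check how many records a sensor is actually marking <?> before deciding whether to drop them.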

