Argus-info Digest, Vol 28, Issue 7

[Terry Burton]

On Dec 12, 2007 2:21 PM, CS Lee <geek00l at gmail.com> wrote:
> From what I understand, the con filter is used to filter all the connected
> tcp connection. Therefore if you are using filter -
>
> not tcp and con
>
> This warning message is exactly right -
>
>  ArgusFilterCompile: expression rejects all records
>
> Because con is filter for tcp proto only, and if it is not tcp then you will
> get the filter expression rejects all records because none of them matching.
> Carter will have better explanation if he is around.

Hi,

I believe that Esteban is referring a post made in April:

| From: carter at qosient.com (Carter Bullard)
| Date: Tue Apr 17 09:25:51 2007
| <...snip...>
| To start you will need, IMHO, a list of servers, which implies
| a list of services.  I have found it reasonable to use rasplit()
| for this function:
|
| rasplit -R data -M time 1d -w
servers/\$daddr/argus.%Y.%m.%d.%H.%M.%S - \( tcp and syn and synack \)
or \( not tcp and con \)
|
| This will generate a set of data where all the servers are in a single
| directory, broken down by day.  The ( tcp and ... ) filter will give
| you 'correct' tcp flows, so you can start building your client/server
| data.  The ( not tcp ... ) filter will give you all the other protocols,
| udp, arp, whatever, where there is a response, which is very
| important to understanding if there really is a service.  You can
| be much more clever and have additional filters for multicast
| data, etc...., but this is a good starting point.
| <...snip...>

Perhaps the "not tcp and con" test to catch established non-TCP
connections was never tested? I too would be very interested to find
out if there is a BPF-style filter to find these non-connection
orientated two-way connections, as I would like to maintain a log
connections in the following structure:

.../argus/byhost/%Y-%m-%d/\$daddr/\$proto-\$dport/%H:%M:%S.arg


Warm regards,

Tez