Argus-info Digest, Vol 22, Issue 10

CS Lee geek00l at gmail.com
Wed Jun 13 03:35:32 EDT 2007


Carter,

Correct! Our setup is argus -> radium -> rasplit.

Same here.

On 6/13/07, argus-info-request at lists.andrew.cmu.edu <argus-info-request at lists.andrew.cmu.edu> wrote:
>
> Today's Topics:
>
>    1. Re:  rasplit issue (Wolfgang Barth)
>    2. Re:  rasplit issue (Carter Bullard)
>    3.  AusCERT talk regarding how we use Argus (MN)
>    4. Re:  AusCERT talk regarding how we use Argus (Carter Bullard)
>    5. Re:  [radium] permission denied when radium is running as
>       non-root (Carter Bullard)
>    6.  flows with stime is zero (Carter Bullard)
>    7. Re:  flows with stime is zero (Robin Gruyters)
>    8. Re:  [radium] permission denied when radium is running as
>       non-root (Robin Gruyters)
>    9. Re:  Rmon and output to database (e.g. mysql format)
>       (Robert Leyba)
>   10. Re:  Rmon and output to database (e.g. mysql format)
>       (mel at hackinthebox.org)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 8 Jun 2007 18:08:09 +0200
> From: wob at swobspace.de (Wolfgang Barth)
> Subject: Re: [ARGUS] rasplit issue
> To: Carter Bullard <carter at qosient.com>
> Cc: argus-info at lists.andrew.cmu.edu
> Message-ID: <20070608160809.GA9450 at swobspace.swobspace.de>
> Content-Type: text/plain; charset=us-ascii
>
> On Fri, Jun 08, 2007 at 10:58:06AM -0400, Carter Bullard wrote:
> > This should have been fixed about 4 weeks ago.  Is everyone running
> > the latest?
> > If so, I'll try to have rasplit() just keep on trucking rather than
> > stopping, although
> > this is an indication that we may be off in parsing.
>
> Yes, rc.44 from 2007-05-18 and same with rc.44 from 2007-05-23.
>
> Wolfgang
> --
> <wob (at) swobspace de> * http://www.swobspace.de
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 8 Jun 2007 13:37:53 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] rasplit issue
> To: wob at swobspace.de
> Cc: argus-info at lists.andrew.cmu.edu
> Message-ID: <5D5E5A37-AADE-41C2-A7A5-383FC4855C8C at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> Any chance these are 64-bit machines?
> Carter
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 8 Jun 2007 18:42:17 -0700
> From: MN <m.newton at stanford.edu>
> Subject: [ARGUS] AusCERT talk regarding how we use Argus
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <20070609014217.GL7686 at chaotic.Stanford.EDU>
> Content-Type: text/plain; charset=us-ascii
>
>
> I've posted the slides from my AusCERT 2007 talk on how we have
> been using Argus and several interesting graphs.  They are at:
>
>         http://www.stanford.edu/~mnewton/AusCERT/
>
> The graphs are mostly near the end of the .pdf file.
>
> Thanks to the AusCERT team for putting on a great conference and
> to Carter for Argus.
>
> - mike
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sun, 10 Jun 2007 22:41:31 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] AusCERT talk regarding how we use Argus
> To: MN <m.newton at stanford.edu>
> Cc: argus-info at lists.andrew.cmu.edu
> Message-ID: <8AA71208-7D1F-4AAF-AD45-87EE052863FC at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> Very cool!!!  I'm interested in the port-port and firewall slides as
> I haven't seen this type of log-log graph before, and it does a
> great job!!!
>
> You say the bogus flows and real flows are hard to disambiguate.
> Let's work on that!!!
>
> Carter
>
>
>
> ------------------------------
>
> Message: 5
> Date: Sun, 10 Jun 2007 22:43:06 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] [radium] permission denied when radium is running
>         as non-root
> To: Robin Gruyters <r.gruyters at yirdis.nl>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <B8B3E1C8-0D91-465F-A165-1AD541FA8005 at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> Hey Robin,
> I put up new argus and client code sets, which fix this problem.
> There are man page fixes and some documentation updates,
> getting ready for release.
>
> Please give radium a test to see if it fixes your problems.
>
> Carter
>
>
>
> On Jun 7, 2007, at 4:48 AM, Robin Gruyters wrote:
>
> > Hello,
> >
> > I'm trying to run Radium under a non-root user and writing the
> > output to a file.
> >
> > Just before the process gets spawned as the non-root user, it creates
> > the file with root as owner and stops (due to permission denied).
> >
> > # ls -ld /nsm/argus
> > drwxr-x---  2 sguil  wheel  512 Jun  7 10:30 /nsm/argus
> > # ls -l /nsm/argus/test.argus
> > ls: /nsm/argus/test.argus: No such file or directory
> > # /usr/local/sbin/radium
> > Starting radium.
> > radium[51234]: 10:44:52.796318 started
> > # ps ax|grep radium | grep -v radium
> > #
> > # grep radium /var/log/all.log
> > Jun  7 10:44:31 nsm-01 radium[51219]: 10:44:31.013046
> > ArgusInitOutput: open /nsm/argus/test.argus: Permission denied
> > Jun  7 10:44:31 nsm-01 radium[51219]: 10:44:31.012525 started
> > # ls -l /nsm/argus/test.argus
> > -rw-r--r--  1 root  wheel  0 Jun  7 10:44 /nsm/argus/test.argus
> > #
> >
> > Here is my test radium.conf file:
> > RADIUM_DAEMON=yes
> > #
> > RADIUM_MAR_STATUS_INTERVAL=60
> > #
> > RADIUM_ARGUS_SERVER=localhost:5611
> > RADIUM_ARGUS_SERVER=localhost:5612
> > #
> > RADIUM_OUTPUT_FILE=/nsm/argus/test.argus
> > #
> > RADIUM_SET_PID=yes
> > RADIUM_PID_PATH=/var/run/nsm
> > #
> > RADIUM_SETUSER_ID="sguil"
> > RADIUM_SETGROUP_ID="sguil"
> >
> > Kind regards,
> >
> > Robin Gruyters
> > Network and Security Engineer
> > Yirdis B.V.
> > I: http://yirdis.com
> > P: +31 (0)36 5300394
> > F: +31 (0)36 5489119
> >
> >
> >
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Sun, 10 Jun 2007 22:48:58 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: [ARGUS] flows with stime is zero
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <33412BC1-76B4-45BE-88F1-AF9A7315309E at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> Gentle people,
> Getting records with an stime of zero seems to be an issue
> with argus -> radium -> rasplit/rastream, suggesting that the
> culprit may be radium().
>
> For those reporting this issue, is this the configuration that you
> are working with, or does it seem to also exist with  argus -> ra*?
>
> Carter
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 11 Jun 2007 19:01:16 +0200
> From: Robin Gruyters <r.gruyters at yirdis.nl>
> Subject: Re: [ARGUS] flows with stime is zero
> To: Carter Bullard <carter at qosient.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <20070611170116.GA6130 at server.yirdis.net>
> Content-Type: text/plain; charset="us-ascii"
>
> On Sun, Jun 10, 2007 at 10:48:58PM -0400, Carter Bullard wrote:
> > Gentle people,
> > Getting records with an stime of zero seems to be an issue
> > with argus -> radium -> rasplit/rastream, suggesting that the
> > culprit may be radium().
> >
> > For those reporting this issue, is this the configuration that you
> > are working with, or does it seem to also exist with  argus -> ra*?
> >
> Correct! Our setup is argus -> radium -> rasplit.
>
> Regards,
>
> --
> Robin Gruyters
> Network and Security Engineer
> Yirdis B.V.
> I: http://yirdis.com
> P: +31 (0)36 5300394
> F: +31 (0)36 5489119
>
> ------------------------------
>
> Message: 8
> Date: Mon, 11 Jun 2007 19:02:42 +0200
> From: Robin Gruyters <r.gruyters at yirdis.nl>
> Subject: Re: [ARGUS] [radium] permission denied when radium is running
>         as non-root
> To: Carter Bullard <carter at qosient.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <20070611170242.GB6130 at server.yirdis.net>
> Content-Type: text/plain; charset="us-ascii"
>
> On Sun, Jun 10, 2007 at 10:43:06PM -0400, Carter Bullard wrote:
> > Hey Robin,
> > I put up new argus and client code sets, which fix this problem.
> > There are man page fixes and some documentation updates,
> > getting ready for release.
> >
> > Please give radium a test to see if it fixes your problems.
> >
> I will, once I'm back from my holiday. ;)
> I'm supposed to be on holiday now, but I can't resist checking my email ;)
>
> Regards,
> --
> Robin Gruyters
> Network and Security Engineer
> Yirdis B.V.
> I: http://yirdis.com
> P: +31 (0)36 5300394
> F: +31 (0)36 5489119
>
>
> ------------------------------
>
> Message: 9
> Date: Wed, 13 Jun 2007 05:31:49 +0000 (UTC)
> From: Robert Leyba <r_leyba14 at yahoo.com>
> Subject: Re: [ARGUS] Rmon and output to database (e.g. mysql format)
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <loom.20070613T072753-405 at post.gmane.org>
> Content-Type: text/plain; charset=us-ascii
>
> Well... once the Argus data is sent to a MySQL database, the ability to
> slice and dice the raw data and *data mine* useful patterns, trends,
> stats, etc. from it will be almost limitless!
>
> Thanks...
>
> --robert
>
>
>
> ------------------------------
>
> Message: 10
> Date: Wed, 13 Jun 2007 15:17:01 +0800 (MYT)
> From: mel at hackinthebox.org
> Subject: Re: [ARGUS] Rmon and output to database (e.g. mysql format)
> To: argus-info at lists.andrew.cmu.edu
> Message-ID:
>         <64315.216.115.162.100.1181719021.squirrel at mail.hackinthebox.org>
> Content-Type: text/plain;charset=iso-8859-1
>
> Hi Carter,
>
> Do you have a doc of Argus 3.0 XML format?
>
> I'm thinking, one way to do this is to convert Argus data to XML and then
> parse the XML and insert them to the database.
>
> --mel
>
>
>
>
>
> ------------------------------
>
>
> End of Argus-info Digest, Vol 22, Issue 10
> ******************************************
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
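The radium report in message 5 (an empty, root-owned output file followed by "Permission denied" once the daemon runs as the configured RADIUM_SETUSER_ID/RADIUM_SETGROUP_ID) is the classic hazard of a daemon that opens its output and drops privileges in the wrong order. The following is an added example, not radium's own code: it opens the output while still privileged, hands the descriptor to the target user, then drops supplementary groups, gid and uid in that order and verifies the drop cannot be reversed. The path, uid and gid are caller-supplied assumptions.

```c
/* Added example (not radium code): safe ordering for "open output, then
 * run as an unprivileged user".  Works both as root and as a normal user
 * (a normal user may only "drop" to its own uid/gid). */
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open fd owned by (uid,gid) with the process now running as
 * that user, or -1 on any failure (fail closed: never keep running as
 * root with a half-finished drop). */
int open_output_then_drop(const char *path, uid_t uid, gid_t gid)
{
    /* 1. Open while still privileged; append so an existing file is kept. */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0640);
    if (fd < 0) { perror("open"); return -1; }

    /* 2. Ownership follows the future unprivileged identity, so the file
     *    is not left root-owned (the symptom in the radium report). */
    if (fchown(fd, uid, gid) != 0) { perror("fchown"); close(fd); return -1; }

    /* 3. Drop in the irreversible order: supplementary groups (root only),
     *    then primary gid, then uid last, because setuid() gives up the
     *    right to change groups afterwards. */
    if (getuid() == 0 && setgroups(1, &gid) != 0) { perror("setgroups"); close(fd); return -1; }
    if (setgid(gid) != 0) { perror("setgid"); close(fd); return -1; }
    if (setuid(uid) != 0) { perror("setuid"); close(fd); return -1; }

    /* 4. Verify the drop stuck; a drop that can be undone is not a drop. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) { close(fd); return -1; }
    if (uid != 0 && setuid(0) == 0) { close(fd); return -1; }   /* regained root */
    return fd;
}

/* Owner uid of an open descriptor, for checking the result. */
uid_t fd_owner(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? st.st_uid : (uid_t)-1;
}
```

Run as root with a real service uid/gid, the file ends up owned by that user before the process loses the ability to fix it; run unprivileged, the same code simply confirms the current identity.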