another 'how do I do this' post!

Nick Diel nick at engineerity.com
Thu Apr 24 01:18:59 EDT 2008


Stewart,

You need to use the -m option.  This tells racluster what to merge on.  If I
understand what you want you should try:

who x.x.x.x talks to
racluster -nr file.arg -m daddr proto dport -s saddr daddr proto dport - src host x.x.x.x

who talks to x.x.x.x
racluster -nr file.arg -m saddr proto dport -s saddr daddr proto dport - dst host x.x.x.x

Nick

On Wed, Apr 23, 2008 at 9:17 PM, Stewart Gray <Stewart.Gray at safecom.co.nz>
wrote:

>  Hey guys,
>
> I'm wanting to show a list of hosts that x.x.x.x has talked to, and on
> what ports. On the flipside, I also want to see what hosts have talked to
> that same host. I'm on the right track with 'racluster -r file.arg -n -s
> saddr daddr proto dport - host x.x.x.x' but this shows duplicate entries for
> the same communication, do I need to use rasort as well to get it to
> summarise some of the information?
>
> I don't want to see the below communication 4 times for example, I'd
> prefer it to be summarised as one entry.
>
>    192.168.0.1       192.168.10.5    tcp 1050
>    192.168.0.1       192.168.10.5    tcp 1050
>    192.168.0.1       192.168.10.5    tcp 1050
>    192.168.0.1       192.168.10.5    tcp 1050
>
> I'm looking to lock down a firewall policy for a particular host and
> I'd like to know what it currently communicates with.
>
> I'll add the command needed to the wiki.
>
> Cheers,
>
> Stew
>
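To make the merge behaviour of the two racluster invocations above concrete, here is an added example (not racluster's own code, and not part of the thread) that reproduces the "-m daddr proto dport" and "-m saddr proto dport" aggregation in Python over a few constructed flow records in the same column layout as the output quoted in the question.

```python
# Added example (not racluster's own code): reproduce what the two
# racluster -m invocations above do, over constructed flow records.
# Merging on a key collapses every record sharing that key into one line,
# which is why the repeated lines in the question become a single entry.
from collections import Counter

# Constructed records, same column order as the question: saddr daddr proto dport.
# The first three are deliberate duplicates of one conversation.
SAMPLE_FLOWS = """\
192.168.0.1       192.168.10.5    tcp 1050
192.168.0.1       192.168.10.5    tcp 1050
192.168.0.1       192.168.10.5    tcp 1050
192.168.0.1       192.168.10.7    udp 53
10.0.0.9          192.168.0.1     tcp 22
10.0.0.9          192.168.0.1     tcp 22
172.16.4.2        192.168.0.1     tcp 3389
"""
FIELDS = ("saddr", "daddr", "proto", "dport")

def parse_flows(text):
    """Turn whitespace-separated records into dicts keyed by FIELDS."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):       # skip blank/malformed lines
            flows.append(dict(zip(FIELDS, parts)))
    return flows

def cluster(flows, merge_on, keep):
    """Mimic `racluster -m <merge_on> - <filter>`: keep records passing the
    filter, then collapse them on the merge key, counting merged records."""
    counts = Counter()
    for f in flows:
        if keep(f):
            counts[tuple(f[k] for k in merge_on)] += 1
    return sorted(counts.items())

def talks_to(flows, host):
    """Who `host` talks to: -m daddr proto dport - src host <host>."""
    return cluster(flows, ("daddr", "proto", "dport"), lambda f: f["saddr"] == host)

def talked_to_by(flows, host):
    """Who talks to `host`: -m saddr proto dport - dst host <host>."""
    return cluster(flows, ("saddr", "proto", "dport"), lambda f: f["daddr"] == host)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, n in talks_to(flows, "192.168.0.1"):
        print("out", *key, "records=%d" % n)
    for key, n in talked_to_by(flows, "192.168.0.1"):
        print("in ", *key, "records=%d" % n)
```

The record count per merged line is the kind of figure that helps when deciding which of the observed conversations actually belong in the firewall policy.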