another 'how do I do this' post!

Carter Bullard carter at qosient.com
Thu Apr 24 08:38:03 EDT 2008


Hey Stewart,
You are getting duplicates because the aggregated flows the racluster()
generates have different source port numbers. We need to wildcard
some of the fields in the flow records to get just the information
you're looking for.

If you are interested only in IP addresses, and you don't care about
who is client and who is the server, or the service, then try:

    racluster -m matrix

This results in all A->B and B->A connections to be reported as A->B,
where A is numerically < (less than) B.

If you're interested in only the class-C address matrix, you can do this:

    racluster -m matrix/24

If you are interested in only the IP addresses and the direction of the
communication, pipe the output of your first racluster(), which gets all
the standard flows merged, into another racluster() to wildcard.

    racluster -r file -w - | racluster -m saddr daddr

The first racluster() gets the direction for all the flows right, and the
second then does the wildcarding.

If you are interested in the service, which means that direction is important,
then add the proto and the dport.

    racluster -r file -w - | racluster -m saddr daddr proto dport

And if you are getting your data from multiple argus probes or netflow
sources, be sure and keep the source identifier in the mix.

    racluster -r file -w - | racluster -m srcid saddr daddr proto dport

This last incantation is really only throwing away the source port (sport),
so you will get all the transactions between A -> B going to a particular
service port (the destination port of the initiating packet).

If you want to know the source class-B networks that are initiating
communication with machines in your network (assuming you are a
class C like network 1.2.3.0), and you want to see the service they
are requesting, try this type of call.

    racluster -r file -w - | racluster -m srcid/16 daddr proto dport - dst net 1.2.3.0/24

If you get a lot of dst ports that are above 30,000, you may have ftp data
connections, or peer-to-peer connections on the wire, and so a
racluster.conf file is needed to wildcard them correctly, but it is easily done.


Hopefully this is helpful,

Carter


On Apr 24, 2008, at 1:18 AM, Nick Diel wrote:

> Stewart,
>
> You need to use the -m option.  This tells racluster what to merge  
> on.  If I understand what you want you should try:
>
> who x.x.x.x talks to
> racluster -nr file.arg -m daddr proto dport -s saddr daddr proto  
> dport - src host x.x.x.x
>
> who talks to x.x.x.x
> racluster -nr file.arg -m saddr proto dport -s saddr daddr proto  
> dport - dst host x.x.x.x
>
> Nick
>
> On Wed, Apr 23, 2008 at 9:17 PM, Stewart Gray <Stewart.Gray at safecom.co.nz> wrote:
> Hey guys,
>
> I'm wanting to show a list of hosts that x.x.x.x has talked to, and
> on what ports. On the flipside, I also want to see what hosts have
> talked to that same host. I'm on the right track with 'racluster -r
> file.arg -n -s saddr daddr proto dport - host x.x.x.x' but this
> shows duplicate entries for the same communication. Do I need to use
> rasort as well to get it to summarise some of the information?
>
> I don't want to see the below communication 4 times for example,
> I'd prefer it to be summarised as one entry.
>
>    192.168.0.1       192.168.10.5    tcp 1050
>    192.168.0.1       192.168.10.5    tcp 1050
>    192.168.0.1       192.168.10.5    tcp 1050
>    192.168.0.1       192.168.10.5    tcp 1050
>
> I'm looking at locking down a firewall policy for a particular host
> and I'd like to know what it currently communicates with.
>
> I'll add the command needed to the wiki.
>
> Cheers,
>
> Stew
>
>
>
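To make the merge semantics in this thread concrete, here is an added Python emulation (not part of the thread, and not code from the argus tools) of what `racluster -m saddr daddr proto dport`, `-m saddr/16 ...` and `-m matrix[/NN]` do to a set of flow records; the flow records, probe names and counters are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real data), one dict per argus flow.
# The first four differ only in source port: the duplicates from the thread.
FLOWS = [
    dict(srcid="probe1", saddr="192.168.0.1", daddr="192.168.10.5", proto="tcp",
         sport=51000 + i, dport=1050, pkts=10, bytes=1500)
    for i in range(4)
] + [
    # the server's reply direction, and a DNS query seen by a second probe
    dict(srcid="probe1", saddr="192.168.10.5", daddr="192.168.0.1", proto="tcp",
         sport=1050, dport=51001, pkts=8, bytes=900),
    dict(srcid="probe2", saddr="10.9.8.7", daddr="192.168.0.1", proto="udp",
         sport=40000, dport=53, pkts=1, bytes=80),
]

def truncate(addr, prefix):
    """Keep only the /prefix network of addr, like racluster's field/NN syntax."""
    return str(ip_network(f"{addr}/{prefix}", strict=False).network_address)

def _add(bucket, flow):
    bucket["pkts"] += flow["pkts"]
    bucket["bytes"] += flow["bytes"]
    bucket["trans"] += 1          # number of flow records merged into this row

def merge(flows, keys, prefixes=None):
    """Emulate `racluster -m <keys>`: records that agree on every listed field
    collapse into one row and their counters are summed. Fields not listed
    (e.g. sport) are wildcarded. prefixes maps a field to a mask length, so
    keys=["saddr", ...], prefixes={"saddr": 16} is the thread's `saddr/16`."""
    prefixes = prefixes or {}
    rows = defaultdict(lambda: {"pkts": 0, "bytes": 0, "trans": 0})
    for f in flows:
        key = tuple(truncate(f[k], prefixes[k]) if k in prefixes else f[k]
                    for k in keys)
        _add(rows[key], f)
    return dict(rows)

def merge_matrix(flows, prefix=32):
    """Emulate `racluster -m matrix[/NN]`: direction is dropped and each pair
    is reported as A->B with A numerically less than B, after masking."""
    rows = defaultdict(lambda: {"pkts": 0, "bytes": 0, "trans": 0})
    for f in flows:
        a, b = sorted((truncate(f["saddr"], prefix), truncate(f["daddr"], prefix)),
                      key=ip_address)
        _add(rows[(a, b)], f)
    return dict(rows)
```

Running `merge(FLOWS, ["saddr", "daddr", "proto", "dport"])` collapses the four sport-only variants into a single row with trans=4, which is the deduplication Stewart was after.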
