Fwd: BPF filter in Argus 2.0.5
Carter Bullard
carter at qosient.com
Fri Apr 25 07:36:40 EDT 2008
Hey Kjell Tore Fossbakk,
Argus uses the filter parser from libpcap for its packet filtering, the
same as tcpdump, so the syntax should be identical. Problems I've
encountered usually come from the shell, so try the \( and \) and
see if that doesn't help.
argus -i <interface> -w output -c -d ip and not port \( 80 or 443\)
Argus supports the -b option so you can print out the filter's
bytecode to see what may be up.
Also, try argus-3.0.0 from the web site http://qosient.com/argus/downloads,
it may not be so onerous. We've pretty much stopped talking about
argus-2.x, but the two versions should behave the same with regard to
input filters.
Carter
% argus -Xb - ip and not port \(80 or 443\)
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 16
(002) ldb [23]
(003) jeq #0x84 jt 6 jf 4
(004) jeq #0x6 jt 6 jf 5
(005) jeq #0x11 jt 6 jf 15
(006) ldh [20]
(007) jset #0x1fff jt 15 jf 8
(008) ldxb 4*([14]&0xf)
(009) ldh [x + 14]
(010) jeq #0x50 jt 16 jf 11
(011) jeq #0x1bb jt 16 jf 12
(012) ldh [x + 16]
(013) jeq #0x50 jt 16 jf 14
(014) jeq #0x1bb jt 16 jf 15
(015) ret #96
(016) ret #0
On Apr 25, 2008, at 7:01 AM, Kjell Tore Fossbakk wrote:
> Hello Mr Rebollo.
>
> There is "and not port X", should that give you an exclusion of port
> X? (at least that's how I write BPF filters in tcpdump).
>
> I have not tested with unescaping the brackets. I'll try that!
>
> Thanks,
> Kjell Tore Fossbakk
>
> On Fri, Apr 25, 2008 at 12:17 PM, Pablo J. Rebollo-Sosa <Pablo.Rebollo at ece.uprm.edu> wrote:
> Kjell,
>
> You can try "not port \( 443 or 80 \)". You can't use "and" because
> both conditions need to be true.
>
> Regards,
>
> Pablo J. Rebollo
>
> Kjell Tore Fossbakk wrote:
> Sent to the wrong address.
>
> ---------- Forwarded message ----------
> From: *Kjell Tore Fossbakk* <kjelltore at gmail.com>
> Date: Fri, Apr 25, 2008 at 10:33 AM
> Subject: Fwd: BPF filter in Argus 2.0.5
> To: carter at qosient.com
>
>
> Hello again.
>
> As of now I'm using tcpdump to write to a fifo filepointer, and using
> argus with option -r to read from that fifo. Then I am able to
> filter out port 80 and port 443, but surely there is a better way of
> doing this?
>
> Cheers,
> Kjell Tore Fossbakk
>
>
> ---------- Forwarded message ----------
> From: *Kjell Tore Fossbakk* <kjelltore at gmail.com>
> Date: Fri, Apr 25, 2008 at 9:49 AM
> Subject: BPF filter in Argus 2.0.5
> To: carter at qosient.com
>
>
> Hello Mr Carter.
>
> I'm running Argus Version 2.0.5, and I'm trying to exclude port 80
> and port 443 from my Argus sessions due to the massive amounts of
> sessions they generate.
>
> I start argus by running:
>
> argus -i <interface> -w output -c -d ip and !(port 80 or port 443)
> argus -i <interface> -w output -c -d ip and not port 80 and not port 443
> argus -i <interface> -w output -c -d - ip and !(port 80 or port 443)
> argus -i <interface> -w output -c -d - ip and not port 80 and not port 443
>
> Neither of the commands above excludes port 80 and/or port 443 from
> my output file.
>
> Do you have any idea why this does not work?
>
> Cheers,
> Kjell Tore Fossbakk
>
>
>
> --
>
> Social Engineering Specialist
> - Because there's no patch for Human Stupidity
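Carter's `-Xb` listing above is the ground truth for what the filter actually does once it has survived the shell. The following Python is an added check written for this page (it is not argus code and not part of the thread): it parses that classic-BPF disassembly and runs it over a few constructed Ethernet/IPv4 frames, so you can confirm offline, without a live interface, which packets the program keeps. It shows that any IP packet with 80 or 443 as either port returns 0 (dropped), any other IP packet returns the snaplen 96 (kept), non-IP frames are dropped at instruction 001, and, the caveat the dump makes visible at instruction 007, a non-first IP fragment of a port-80 flow is still kept because its transport header is not in the packet. The frames, port numbers and function names are my own assumptions for the example.

```python
"""Interpreter for the classic-BPF listing printed by `argus -Xb` / `tcpdump -d`,
exercised on constructed frames (example code for this page, not argus's own)."""
import re
import struct

# The listing exactly as printed in the thread for "ip and not port (80 or 443)".
FILTER_LISTING = """\
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 16
(002) ldb [23]
(003) jeq #0x84 jt 6 jf 4
(004) jeq #0x6 jt 6 jf 5
(005) jeq #0x11 jt 6 jf 15
(006) ldh [20]
(007) jset #0x1fff jt 15 jf 8
(008) ldxb 4*([14]&0xf)
(009) ldh [x + 14]
(010) jeq #0x50 jt 16 jf 11
(011) jeq #0x1bb jt 16 jf 12
(012) ldh [x + 16]
(013) jeq #0x50 jt 16 jf 14
(014) jeq #0x1bb jt 16 jf 15
(015) ret #96
(016) ret #0
"""

INSN = re.compile(r'^\((\d+)\)\s+(\w+)\s*(.*)$')


def parse_listing(text):
    """Turn the textual disassembly into (op, k, jt, jf) tuples."""
    prog = []
    for line in text.strip().splitlines():
        m = INSN.match(line.strip())
        if not m:
            raise ValueError('unparsable line: %r' % line)
        op, arg = m.group(2), m.group(3)
        if op in ('ldh', 'ldb'):                 # absolute [k] or indexed [x + k] load
            k = int(re.search(r'\[(?:x\s*\+\s*)?(\d+)\]', arg).group(1))
            prog.append((op + ('_ind' if arg.startswith('[x') else ''), k, 0, 0))
        elif op == 'ldxb':                       # ldxb 4*([k]&0xf): IP header length into X
            k = int(re.search(r'\[(\d+)\]', arg).group(1))
            prog.append(('ldxb_msh', k, 0, 0))
        elif op in ('jeq', 'jset'):
            jm = re.match(r'#(0x[0-9a-f]+|\d+)\s+jt\s+(\d+)\s+jf\s+(\d+)', arg)
            prog.append((op, int(jm.group(1), 0), int(jm.group(2)), int(jm.group(3))))
        elif op == 'ret':
            prog.append(('ret', int(arg.lstrip('#'), 0), 0, 0))
        else:
            raise ValueError('unsupported opcode: ' + op)
    return prog


def run_filter(prog, pkt):
    """Execute the program over one frame; return the accept length (0 = drop)."""
    def load(off, size):
        if off < 0 or off + size > len(pkt):
            return None                          # out-of-bounds load: BPF rejects the packet
        return int.from_bytes(pkt[off:off + size], 'big')

    a = x = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == 'ret':
            return k
        if op in ('ldh', 'ldb', 'ldh_ind', 'ldb_ind', 'ldxb_msh'):
            size = 1 if (op.startswith('ldb') or op == 'ldxb_msh') else 2
            v = load(k + (x if op.endswith('_ind') else 0), size)
            if v is None:
                return 0
            if op == 'ldxb_msh':
                x = 4 * (v & 0xf)
            else:
                a = v
            pc += 1
        elif op == 'jeq':
            pc = jt if a == k else jf
        elif op == 'jset':
            pc = jt if a & k else jf
        else:
            raise ValueError(op)


def ipv4_frame(proto, sport=None, dport=None, frag_off=0, ethertype=0x0800):
    """Constructed Ethernet/IPv4 frame (sample input, not captured traffic).
    sport/dport fill the first four transport bytes; frag_off != 0 marks a
    non-first fragment, whose transport header is absent by definition."""
    eth = b'\x00' * 12 + struct.pack('!H', ethertype)
    l4 = (struct.pack('!HH', sport, dport) if sport is not None else b'\x08\x00') + b'\x00' * 4
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0x1234, frag_off & 0x1fff,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def check_filter():
    """Run the page's filter over the constructed cases; returns name -> verdict length."""
    prog = parse_listing(FILTER_LISTING)
    cases = {
        'tcp 40000->80': ipv4_frame(6, 40000, 80),
        'tcp 443->40000': ipv4_frame(6, 443, 40000),
        'tcp 40000->22': ipv4_frame(6, 40000, 22),
        'udp 5353->53': ipv4_frame(17, 5353, 53),
        'icmp': ipv4_frame(1),
        'tcp ->80, non-first fragment': ipv4_frame(6, 40000, 80, frag_off=185),
        'arp (not ip)': ipv4_frame(0, ethertype=0x0806),
    }
    return {name: run_filter(prog, pkt) for name, pkt in cases.items()}


if __name__ == '__main__':
    for name, result in check_filter().items():
        print('%-30s %s' % (name, 'keep (%d)' % result if result else 'drop'))
```

The fragment case is the one worth remembering when a filter like this is used to cut volume rather than to enforce policy: the kernel cannot port-match a non-first fragment, so `not port` is true for it and the fragment is recorded even though the flow it belongs to is excluded. The same interpreter can be pointed at any `-b` dump to check a filter before trusting it on a sensor.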