Fwd: Fwd: BPF filter in Argus 2.0.5
Kjell Tore Fossbakk
kjelltore at gmail.com
Fri Apr 25 08:36:42 EDT 2008
Yes.. I suck on using mailing lists :-)
---------- Forwarded message ----------
From: Kjell Tore Fossbakk <kjelltore at gmail.com>
Date: Fri, Apr 25, 2008 at 1:42 PM
Subject: Re: [ARGUS] Fwd: BPF filter in Argus 2.0.5
To: Carter Bullard <carter at qosient.com>
Hello Mr Bullard.
Thank you for your quick reply!
I will eventually stop using 2.x and start using 3.x, but not quite yet. I
have written a system which imports the output from argus to a database. I
have not tested 3.x yet, and do not know if it will work to just replace the
system with 3.x, or if I need to rewrite some of the code. I am aware that
there have been talks about DB implementation into Argus in the 3.x system,
but I haven't followed up the mailing lists enough to know if this has been
done or not.
I will now try to unescape the filter settings, as Mr Rebollo also
suggested.
Cheers,
Kjell Tore Fossbakk
On Fri, Apr 25, 2008 at 1:36 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Kjell Tore Fossbakk,
>
> Argus uses the filter parser from libpcap for its packet filtering, the
> same as tcpdump, so the syntax should be identical. Problems I've
> encountered usually come from the shell, so try the \( and \) and
> see if that doesn't help.
>
> argus -i -w output -c -d ip and not port \( 80 or 443\)
>
> Argus supports the -b option so you can print out the filter's
> bytecode to see what may be up.
>
> Also, try argus-3.0.0 from the web site
> http://qosient.com/argus/downloads,
> it may not be so onerous. We've pretty much stopped talking about
> argus-2.x, but the two versions should behave the same with regard to
> input filters.
>
> Carter
>
> % argus -Xb - ip and not port \(80 or 443\)
> (000) ldh [12]
> (001) jeq #0x800 jt 2 jf 16
> (002) ldb [23]
> (003) jeq #0x84 jt 6 jf 4
> (004) jeq #0x6 jt 6 jf 5
> (005) jeq #0x11 jt 6 jf 15
> (006) ldh [20]
> (007) jset #0x1fff jt 15 jf 8
> (008) ldxb 4*([14]&0xf)
> (009) ldh [x + 14]
> (010) jeq #0x50 jt 16 jf 11
> (011) jeq #0x1bb jt 16 jf 12
> (012) ldh [x + 16]
> (013) jeq #0x50 jt 16 jf 14
> (014) jeq #0x1bb jt 16 jf 15
> (015) ret #96
> (016) ret #0
>
> On Apr 25, 2008, at 7:01 AM, Kjell Tore Fossbakk wrote:
>
> Hello Mr Rebollo.
>
> There is "and not port X", should that give you an exclusion of port X?
> (at least that's how I write BPF filters in tcpdump).
>
> I have not tested with unescaping the brackets. I'll try that!
>
> Thanks,
> Kjell Tore Fossbakk
>
> On Fri, Apr 25, 2008 at 12:17 PM, Pablo J. Rebollo-Sosa <
> Pablo.Rebollo at ece.uprm.edu> wrote:
>
>> Kjell,
>>
>> You can try "not port \( 443 or 80 \)". You can't use "and" because both
>> conditions need to be true.
>>
>> Regards,
>>
>> Pablo J. Rebollo
>>
>> Kjell Tore Fossbakk wrote:
>>
>>> Sent to the wrong address.
>>>
>>> ---------- Forwarded message ----------
>>> From: *Kjell Tore Fossbakk* <kjelltore at gmail.com>
>>> Date: Fri, Apr 25, 2008 at 10:33 AM
>>> Subject: Fwd: BPF filter in Argus 2.0.5
>>> To: carter at qosient.com
>>>
>>>
>>> Hello again.
>>>
>>> As of now I'm using tcpdump to write to a fifo filepointer, and using
>>> argus with option -r to read from that fifo. Then I am able to filter out
>>> port 80 and port 443, but surely there is a better way of doing this?
>>>
>>> Cheers,
>>> Kjell Tore Fossbakk
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *Kjell Tore Fossbakk* <kjelltore at gmail.com>
>>> Date: Fri, Apr 25, 2008 at 9:49 AM
>>> Subject: BPF filter in Argus 2.0.5
>>> To: carter at qosient.com
>>>
>>>
>>> Hello Mr Carter.
>>>
>>> I'm running Argus Version 2.0.5, and I'm trying to exclude port 80 and
>>> port 443 from my Argus sessions due to the massive amounts of sessions they
>>> generate.
>>>
>>> I start argus by running:
>>>
>>> argus -i <interface> -w output -c -d ip and !(port 80 or port 443)
>>> argus -i <interface> -w output -c -d ip and not port 80 and not port 443
>>> argus -i <interface> -w output -c -d - ip and !(port 80 or port 443)
>>> argus -i <interface> -w output -c -d - ip and not port 80 and not port 443
>>>
>>> Neither of the commands above excludes port 80 and/or port 443 from my
>>> output file.
>>>
>>> Do you have any idea why this does not work?
>>>
>>> Cheers,
>>> Kjell Tore Fossbakk
>>>
>>
>
>
--
Social Engineering Specialist
- Because there's no patch for Human Stupidity
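Added example, not from this thread or the Argus project: a small Python interpreter for the classic-BPF listing Carter printed with -Xb, run over constructed Ethernet/IPv4 frames so you can check what the compiled "ip and not port (80 or 443)" filter actually keeps and drops (including non-first fragments, IP options and truncated packets). It assumes a 14-byte Ethernet header and that ret #0 means the packet is dropped; build_packet and its addresses are made up for the test.

```python
import re
import struct
# The bytecode Carter's reply shows for: argus -Xb - ip and not port \(80 or 443\)
BYTECODE = """\
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 16
(002) ldb [23]
(003) jeq #0x84 jt 6 jf 4
(004) jeq #0x6 jt 6 jf 5
(005) jeq #0x11 jt 6 jf 15
(006) ldh [20]
(007) jset #0x1fff jt 15 jf 8
(008) ldxb 4*([14]&0xf)
(009) ldh [x + 14]
(010) jeq #0x50 jt 16 jf 11
(011) jeq #0x1bb jt 16 jf 12
(012) ldh [x + 16]
(013) jeq #0x50 jt 16 jf 14
(014) jeq #0x1bb jt 16 jf 15
(015) ret #96
(016) ret #0
"""

def run_bpf(listing, pkt):
    """Interpret the classic-BPF subset used in the listing; return the ret value (0 = drop)."""
    prog = [ln.split(None, 1)[1] for ln in listing.strip().splitlines()]  # drop "(nnn)"
    a = x = pc = 0  # accumulator, index register, program counter
    try:
        while True:
            op, arg = prog[pc].split(None, 1)
            pc += 1
            nums = [int(n, 0) for n in re.findall(r'0x[0-9a-f]+|\d+', arg)]
            if op in ('ldh', 'ldb'):  # halfword/byte at [k] or [x + k]
                a = struct.unpack_from('!H' if op == 'ldh' else '!B', pkt, nums[0] + (x if '[x' in arg else 0))[0]
            elif op == 'ldxb':  # x = 4*([k]&0xf): IPv4 header length from the IHL nibble
                x = 4 * (struct.unpack_from('!B', pkt, nums[1])[0] & 0xf)
            elif op in ('jeq', 'jset'):
                k, jt, jf = nums
                pc = jt if ((a == k) if op == 'jeq' else bool(a & k)) else jf
            elif op == 'ret':
                return nums[0]
            else:
                raise ValueError(f'unsupported instruction: {op}')
    except struct.error:  # load past the end of the packet: BPF drops it
        return 0

def build_packet(proto, sport, dport, frag_off=0, ihl=5):
    eth = b'\x00' * 12 + b'\x08\x00'  # constructed frame: ethertype 0x0800 at offset 12
    ip = struct.pack('!BBHHHBBH8x', 0x40 | ihl, 0, 4 * ihl + 20, 0, frag_off, 64, proto, 0)
    return eth + ip + bytes(4 * ihl - 20) + struct.pack('!HH', sport, dport) + bytes(16)
```

Note instruction (007): a non-first fragment jumps straight to ret #96, so "not port" keeps fragments whose ports it cannot see, and ICMP (no ports) is kept for the same reason.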