Some useful Argus scripts for detecting traffic anomalies in ranges of data

Carter Bullard carter at qosient.com
Sat Feb 9 10:59:29 EST 2008


Hey Terry,
These are great!!!  Simple, and they do a very specific job.
We will have a ./contrib directory in the distribution, and as long
as the code can be released under a GNU license (that's what
argus is distributed under) then all is cool.

What I would like is discussion on what the intent/goal is, so we can
know if there are faster, more efficient ways of getting these numbers.
Is this something that would lend itself to near realtime alerting and
alarming? Is there any opportunity for persistent intermediate data
to be available in realtime for high performance stream processing!!!!

Best example is the arg_scan_hit_darkhost().  The $AUTH_IP_FILE is
intermediate data of the active IP addresses.  We can have other scripts
that generate and maintain a near realtime list of the "lit" net.
But because there are two racluster() calls, this won't be a strategy for
near realtime stream processing because it buffers data.

But you're really using racluster() to modify the flow model of the data
as it's piped through.  I could write a simple, fast program that does that
on a stream.

These are great!!!

Carter


Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



On Feb 8, 2008, at 2:45 PM, Terry Burton wrote:

> On Feb 8, 2008 7:30 PM, Michael Hornung <hornung at washington.edu> wrote:
>> Hi Terry, I really appreciate you sharing your work with the group.  I
>> was wondering how the *heck* you were going to get what you wanted with
>> "syn and not tcp" but then I looked in your scripts and saw that you
>> really meant to say "syn OR not tcp".  :)
>
> Michael,
>
> Well spotted. I must have had my "last thing on a Friday" head on :-P
>
>> These user-contributed scripts are helpful to me, and I'm not even a
>> total Argus newbie.  Keep 'em coming!
>
> Will do.
>
>
> Thanks,
>
> Tez
>
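The "scan hits dark hosts" idea discussed above, as an added example that is not Terry's script, not part of the argus distribution, and not Carter's proposed stream program. It assumes $AUTH_IP_FILE holds one "lit" (active) IP per line, and that the flow lines are the whitespace-separated "saddr daddr proto dport" output of a racluster run such as "racluster -r argus.out -m saddr daddr -s saddr daddr proto dport - syn or not tcp" (an assumed invocation; the records here are constructed and embedded so the script runs without argus binaries). The de-duplication of (saddr, daddr) pairs that racluster -m saddr daddr would do is done inside the awk instead.

```shell
#!/bin/sh
# Added example, not code from the argus thread or distribution.
# Flags sources that touched at least N distinct destinations that are
# NOT in the "lit" list ($AUTH_IP_FILE), i.e. probable scans of dark space.

# Assumed format of $AUTH_IP_FILE: one active IP address per line.
# Constructed sample list (not real data).
AUTH_IP_FILE="${AUTH_IP_FILE:-$(mktemp)}"
cat > "$AUTH_IP_FILE" <<'EOF'
10.0.0.5
10.0.0.7
10.0.0.9
EOF

# Constructed flow records standing in for racluster ASCII output:
#   saddr daddr proto dport
# 192.0.2.10 sweeps five hosts, four of them dark; the others only hit lit hosts
# or a single dark host.
flows() {
cat <<'EOF'
192.0.2.10 10.0.0.5 tcp 22
192.0.2.10 10.0.0.6 tcp 22
192.0.2.10 10.0.0.8 tcp 22
192.0.2.10 10.0.0.11 tcp 22
192.0.2.10 10.0.0.12 udp 53
192.0.2.10 10.0.0.12 udp 53
198.51.100.4 10.0.0.7 tcp 443
198.51.100.4 10.0.0.9 tcp 443
203.0.113.2 10.0.0.20 udp 161
EOF
}

# scan_hit_darkhost THRESHOLD < flow_records
# Prints "saddr dark_dest_count" for every source whose number of distinct
# dark (non-lit) destinations is >= THRESHOLD, sorted by source address.
scan_hit_darkhost() {
  awk -v thr="$1" -v authfile="$AUTH_IP_FILE" '
    # Load the lit net once; everything not in it is considered dark.
    BEGIN { while ((getline ip < authfile) > 0) lit[ip] = 1 }
    # Count each (saddr, daddr) pair once, only when daddr is dark.
    !($2 in lit) && !seen[$1 SUBSEP $2]++ { dark[$1]++ }
    END { for (s in dark) if (dark[s] >= thr) print s, dark[s] }
  ' | sort
}

# Usage: report sources that hit three or more dark hosts.
flows | scan_hit_darkhost 3
```

Because the lit list is read once per run rather than recomputed from the flows, it is the kind of persistent intermediate data the reply asks about: another process can keep it current while this check consumes records as they arrive, without a second racluster pass.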
