argus client -S option

CS Lee geek00l at gmail.com
Tue Jun 3 11:27:54 EDT 2008


hi carter,

I have a question regarding srcid. When I specify srcid using the hostname, it
will resolve to an IP address. Is it possible to just specify them as a name,
as that's much easier to manage?

My setup always has the IDS and argus running on the same sensor so that
argus can support alert tracing, and I have multiple sensors, so my setup
looks like this:

radium -> sensor1|sensor2|sensor3|sensor4

Say I have an alert from the IDS on sensor1; I always prefer to check the
data from sensor1, so if I just want to check out the data from sensor1, I
can just specify the srcid sensor1 filter.

I can actually solve this using the /etc/hosts trick, however that means the
other analysts in the team need the config in their /etc/hosts too.
Another advantage of having the name instead of resolving to an address is
that a name is much easier to remember.

Not a bug, but more of a feature request ;]

Cheers ;]

On Tue, Jun 3, 2008 at 8:37 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey CS Lee, I'm glad it cleared up so simply.
> Yes there were a few things that we crammed into 3.0.0 before I
> froze it, and one of those was to turn off printing Man records by
> default.   I kinda liked them myself, but some others found them
> distracting.
>
> OK, well I've been busy on real work, but I've had a chance to
> get some stuff done on the new argus home web page, so,
> hopefully we'll have that done in a few weeks and then I'll
> announce argus-3.0.0.
>
> If you find anything else, be sure and send email, so we'll
> get it into the archive, and I can address it in argus-3.0.1 when
> it cranks up next month.
>
> Hope all is most excellent,
>
> Carter
>
>
> On Jun 2, 2008, at 2:53 PM, CS Lee wrote:
>
> hi carter,
>
> After turning debugging on, I have already figured out my problem using
> racluster. If I need racluster to report the flow record every 60 seconds, I
> need to specify status=60, or else racluster won't report them to stdout.
> That's the reason why I can see ra flows all the time but not racluster.
>
> Thanks!
>
> Sorry for the hassle, your clue was helpful to me.
>
> On a side note, there's one line in the radium man page which needs to be
> corrected -
>
> radium -C -S host1 -S host2 -de `hostname` -P 562
>
> No more -C -S, just -C for cisco netflow.
>
> Cheers ;]
>
> On Mon, Jun 2, 2008 at 6:20 PM, CS Lee <geek00l at gmail.com> wrote:
>
>> Hi Carter,
>>
>> Thanks for your clue about the configure output for the ratop question; it
>> seems that ncurses.h is not there and I need to do
>>
>> sudo apt-get install libncurses5-dev
>>
>> And ratop works on Ubuntu now. Thanks for the clue.
>>
>> The -M poll works now with RA_PRINT_MAN_RECORDS=yes in .rarc, but this
>> config variable is not mentioned in the rarc man page.
>>
>> I have compiled them with debug now, and will see how it goes.
>>
>> Thanks.
>>
>>
>>
>> On Tue, Jun 3, 2008 at 1:21 AM, Carter Bullard <carter at qosient.com>
>> wrote:
>>
>>> Hey CS Lee, Well, lots of things in your email.
>>>
>>> All the ra* programs use the same code to attach and read data, so
>>> it is unlikely that there is a problem specific to a given ra* program
>>> when it relates to attaching to remote argi sources.
>>>
>>> Try compiling with debug support and running with something like "-D5".
>>> That should tell you enough, I suspect, to see what is going on.
>>> The polling is to see if the remote source is there and running, but
>>> we turned printing management records off by default, so you may need
>>> to turn on "RA_PRINT_MAN_RECORDS" for the polling to appear to
>>> work?
>>>
>>> As to ratop(), I need a bit more detail than you have provided to
>>> understand what could be the problem.  There are a lot of potential
>>> gotchas with curses based programs on many platforms, so I'll need stuff
>>> like the output of the ./configure run, to see what curses it did find,
>>> etc....
>>>
>>> Hope all is most excellent,
>>>
>>> Carter
>>>
>>> On Jun 2, 2008, at 11:47 AM, CS Lee wrote:
>>>
>>> hi all,
>>>
>>> Been a while since I was active here ... hopefully everyone is doing well
>>> ;]
>>>
>>> I'm using argus 3 release now.
>>>
>>> One question: can anyone connect to the argus probe in real time using
>>> argus client tools other than ra? For example -
>>>
>>> argus -B 127.0.0.1 -P 561 -i eth1
>>>
>>> ra -S 127.0.0.1:561
>>>
>>> ra has no problem, but when I use racluster or other client tools, it
>>> seems no output is printed to stdout once it is connected to argus.
>>>
>>> On the other hand, when I try -M poll, it doesn't seem that the client is
>>> attaching to the server, and it exits immediately.
>>>
>>> And when I use ratop on FreeBSD 7, there's no problem attaching to the
>>> argus probe, but this is not the case on Ubuntu Gutsy.
>>>
>>> Thanks.
>>>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com