racluster() memory control Re: New To Argus

Peter Van Epp vanepp at sfu.ca
Mon Mar 3 12:51:02 EST 2008


On Sat, Mar 01, 2008 at 11:41:09AM -0700, Nick Diel wrote:
> Carter,
> 
> I found the man page that describes status (for people searching on the 
> list man 5 racluster).
> 
> Thanks,
> Nick
> 
> Nick Diel wrote:
> >Carter,
> >
> >Thanks for the information.  I have been playing around with the 
> >timeout period with great success, though what is the status entry 
> >for?  If this is documented somewhere, I apologize, but I couldn't 
> >find it.
> >
> >I think the radark() method is quite clever, but in my situation I am 
> >not able to do that (yet).  I am capturing data at a transit provider 
> >and immediately anonymizing the data.  I don't have access to know 
> >which subnets are darks, but I will investigate if I can find one.  I 
> >do think this could be a powerful research tool for me.

	Although I haven't had time to play with radark yet, I don't think the
anonymization will matter to it. As I understand it, it selects dark IPs by
doing a prescan for IPs that don't respond to anything in the time period and
then reprocesses the flows looking at traffic to the dark IPs on the assumption
they are attacks. I don't think anonymization will affect that, and you should
be able to feed information back to the TX about what kind of attacks they
are seeing and if they look to be having success (i.e. an attacking IP making
a successful connection to a real host and doing a fair amount of traffic).
	It may motivate the TX to install argus for themselves with non-anonymized
data to figure out who the attacked hosts are if the cost looks high enough,
or it may reassure them that their security measures are keeping the noise at
an acceptable level (that's essentially what my argus traffic scripts do for us
on our campus). Either of those things could be of value to them and an
encouragement to let you keep capturing traffic from them.
	We have a data mining research project here that produced such
interesting results from the anonymized data that the agency owning the data
created a test system to run against the real data to extract and action
against the real data, and is now talking about installing a parallel system
using non-anonymized data beside our anonymized one (that only their people
have access to) to be able to always do that now that the value has been
demonstrated (which was part of the reason for the original project).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
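The two-pass dark-address heuristic described in the message (prescan for addresses that never answer, then reprocess flows aimed at them), and the observation that it survives anonymization, can be shown on a handful of constructed flow records. The example below is added here and is not radark or any other argus code; it assumes a simplified bidirectional flow tuple (source, destination, port, packets and bytes in each direction) rather than argus' own record format, the sample flows and the salt are constructed, and the thresholds (two dark hits, 10000 bytes) are arbitrary assumptions. The pseudonymize() step stands in for the capture-side anonymizer and shows that the counts come out the same because the method only depends on which addresses are equal and which direction traffic went, not on their real values.

```python
"""Dark-address scan detection over flow records (constructed example).

Assumed flow shape (not argus' own record format): one bidirectional flow
per tuple with packet/byte counts in each direction, roughly what an
aggregated racluster() output would carry.
"""
from collections import defaultdict, namedtuple
import hashlib

Flow = namedtuple("Flow", "src dst dport spkts dpkts sbytes dbytes")

# Constructed sample: 10.0.0.7 sweeps 192.0.2.x; .10 and .20 are live hosts,
# .30 to .33 never answer anything. 10.0.0.8 is an ordinary client.
FLOWS = [
    Flow("10.0.0.7", "192.0.2.30", 22, 1, 0, 60, 0),
    Flow("10.0.0.7", "192.0.2.31", 22, 1, 0, 60, 0),
    Flow("10.0.0.7", "192.0.2.32", 22, 1, 0, 60, 0),
    Flow("10.0.0.7", "192.0.2.33", 22, 1, 0, 60, 0),
    Flow("10.0.0.7", "192.0.2.10", 22, 1, 1, 60, 40),            # brief reject
    Flow("10.0.0.7", "192.0.2.20", 22, 350, 300, 48000, 120000),  # real session
    Flow("10.0.0.8", "192.0.2.10", 80, 12, 10, 1500, 9000),
    Flow("192.0.2.20", "10.0.0.8", 443, 5, 5, 800, 700),
]


def dark_ips(flows):
    """Prescan: addresses that were only ever targeted and never sent a packet."""
    targeted, spoke = set(), set()
    for f in flows:
        targeted.add(f.dst)
        spoke.add(f.src)          # originating any traffic is proof of life
        if f.dpkts > 0:
            spoke.add(f.dst)      # answered at least one packet
    return targeted - spoke


def scanners(flows, dark, min_dark=2):
    """Second pass: sources that touched at least min_dark dark addresses."""
    hits = defaultdict(set)
    for f in flows:
        if f.dst in dark:
            hits[f.src].add(f.dst)
    return {s: d for s, d in hits.items() if len(d) >= min_dark}


def successes(flows, scanner_set, min_bytes=10000):
    """Scanner flows to live hosts with two-way traffic above min_bytes:
    the 'did they get anywhere' signal worth reporting back upstream."""
    return [f for f in flows
            if f.src in scanner_set and f.dpkts > 0
            and f.sbytes + f.dbytes >= min_bytes]


def pseudonymize(flows, salt=b"constructed-salt"):
    """Consistent one-way relabelling of addresses (stand-in anonymizer).
    Equal inputs map to equal labels, which is all the heuristic needs."""
    def p(ip):
        return "anon-" + hashlib.sha256(salt + ip.encode()).hexdigest()[:16]
    return [f._replace(src=p(f.src), dst=p(f.dst)) for f in flows]


def report(flows):
    """Summary counts: dark addresses, dark hits per scanner, successful sessions."""
    dark = dark_ips(flows)
    sc = scanners(flows, dark)
    return {
        "dark": len(dark),
        "scanners": {s: len(d) for s, d in sc.items()},
        "successes": len(successes(flows, set(sc))),
    }


if __name__ == "__main__":
    print("raw:        ", report(FLOWS))
    print("anonymized: ", report(pseudonymize(FLOWS)))
```

Run as-is the two report lines agree on every count (4 dark addresses, one scanner with 4 dark hits, one successful two-way session), which is the point about anonymization: only the scanner's label changes. The brief one-packet reply from 192.0.2.10 is enough to keep that host out of the dark set, so a prescan over too short a window on a quiet host would misclassify it; that is the trade-off behind choosing the time period.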


