racluster() memory control Re: New To Argus

Nick Diel ndiel at engr.colostate.edu
Mon Mar 3 13:06:45 EST 2008


Peter Van Epp wrote:
> On Sat, Mar 01, 2008 at 11:41:09AM -0700, Nick Diel wrote:
>   
>> Carter,
>>
>> I found the man page that describes status (for people searching on the 
>> list man 5 racluster).
>>
>> Thanks,
>> Nick
>>
>> Nick Diel wrote:
>>     
>>> Carter,
>>>
>>> Thanks for the information.  I have been playing around with the 
>>> timeout period with great success, though what is the status entry 
>>> for?  If this is documented somewhere, I apologize, but I couldn't 
>>> find it.
>>>
>>> I think the radark() method is quite clever, but in my situation I am 
>>> not able to do that (yet).  I am capturing data at a transit provider 
>>> and immediately anonymizing the data.  I don't have access to know 
>>> which subnets are darks, but I will investigate if I can find one.  I 
>>> do think this could be a powerful research tool for me.
>>>       
>
> 	Although I haven't had time to play with radark yet, I don't think the
> anonymization will matter to it. As I understand it, it selects dark IPs by
> doing a prescan for IPs that don't respond to anything in the time period and
> then reprocesses the flows looking at traffic to the dark IPs on the assumption
> they are attacks. I don't think anonymization will affect that and you should
> be able to feed information back to the TX about what kind of attacks they 
> are seeing and if they look to be having success (i.e. an attacking IP making
> a successful connection to a real host and doing a fair amount of traffic).
> 	It may motivate the TX to install argus for themselves with non-anonymized
> data to figure out who the attacked hosts are if the cost looks 
> high enough, or it may reassure them that their security measures are keeping
> the noise at an acceptable level (that's essentially what my argus traffic 
> scripts do for us on our campus). Either of those things could be of value
> to them and an encouragement to let you keep capturing traffic from them.
> 	We have a data mining research project here that produced such 
> interesting results from the anonymized data that the agency owning the data
> created a test system to run against the real data to extract and action 
> against the real data and is now talking about installing a parallel system 
> using non-anonymized data beside our anonymized one (that only their people 
> have access to) to be able to always do that now that the value has been
> demonstrated (which was part of the reason for the original project). 
>
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
>
>   
Peter,

Very interesting.  Currently we are only monitoring partial traffic and 
a few organizations using the TX have other providers so there is 
asymmetric routing.  Then for some subnets we only have unidirectional 
traffic, so that might affect the results.  Though I think I will still 
play around with this tool.  If I am still able to find some interesting 
attack traffic, the TX might appreciate that information.  Giving the TX 
some benefits for us being there would be a good thing. :)

Nick
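The two-pass dark-IP method Peter describes above, as an added illustration that is not part of the thread and not Argus's own radark() code: it assumes a simplified flow record of (src, dst, dport, packets from src, packets from dst) standing in for an Argus bidirectional flow, over constructed sample data. Pass one marks every destination that never answered and never originated a flow as dark; pass two lists, per source, the dark addresses it touched and any substantial answered session it also had with a live host.

```python
from collections import defaultdict

# Constructed sample flows (not real data): src, dst, dport, spkts, dpkts.
# dpkts == 0 means the destination never sent a packet back.
FLOWS = [
    ("10.0.0.5",     "192.0.2.10", 80,  6,  5),   # live web server answers
    ("10.0.0.5",     "192.0.2.11", 80,  4,  3),
    ("198.51.100.7", "192.0.2.10", 22,  3,  2),   # probe of a live host, answered
    ("198.51.100.7", "192.0.2.50", 22,  1,  0),   # never answered: dark
    ("198.51.100.7", "192.0.2.51", 22,  1,  0),
    ("198.51.100.7", "192.0.2.52", 22,  1,  0),
    ("198.51.100.7", "192.0.2.10", 443, 40, 38),  # sizeable answered session
    ("192.0.2.11",   "10.0.0.5",   53,  2,  2),   # .11 originates traffic: alive
    ("10.0.0.9",     "192.0.2.60", 25,  2,  0),
]


def find_dark_ips(flows):
    """Pass 1: destinations that never replied and never originated a flow."""
    alive, seen_dst = set(), set()
    for src, dst, _dport, _spkts, dpkts in flows:
        alive.add(src)          # a host that sends anything is not dark
        seen_dst.add(dst)
        if dpkts > 0:
            alive.add(dst)      # a host that replies is not dark
    return seen_dst - alive


def dark_traffic_report(flows, min_dark_targets=2, success_pkts=20):
    """Pass 2: per source, which dark IPs it contacted and whether it also
    completed a substantial exchange with a live host (Peter's success check).
    Only sources touching at least min_dark_targets dark IPs are reported."""
    dark = find_dark_ips(flows)
    report = defaultdict(lambda: {"dark_targets": set(), "live_sessions": []})
    for src, dst, _dport, _spkts, _dpkts in flows:
        if dst in dark:
            report[src]["dark_targets"].add(dst)
    for src, dst, dport, spkts, dpkts in flows:
        if (src in report and dst not in dark and dpkts > 0
                and spkts + dpkts >= success_pkts):
            report[src]["live_sessions"].append((dst, dport, spkts + dpkts))
    return {s: r for s, r in report.items()
            if len(r["dark_targets"]) >= min_dark_targets}


if __name__ == "__main__":
    for src, r in dark_traffic_report(FLOWS).items():
        print(src, sorted(r["dark_targets"]), r["live_sessions"])
```

Because both passes only compare addresses with each other, a consistent (prefix-preserving) anonymization does not change the result; the unidirectional-capture case Nick raises is the one to watch, since a live host whose replies take another path looks dark here unless it is also seen originating traffic.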