srcid on OpenBSD

Mark Bartlett mabartle at gmail.com
Fri Mar 14 15:00:08 EDT 2008 

In the ra Man page it states:

srcid argusid
              True  if the argus identifier field in the Argus record is
srcid, which
              may be an IP address, a name or a decimal/hexidecimal number.


Radium Man states:

 -e   <value> Specify the source identifier for this radium.  Acceptable
values
            are numbers, hostnames or ip address.

Argus Man States:

 -e   <value>  Specify the source identifier for this argus.  Acceptable
values
            are numbers, hostnames or ip address.

Carter, is there any way we can have that field be:

   1.  an IP Address (like you have),
   2. a number (any number, ie 23417, I would like to set the Monitor ID
   to a number that correlates with an IDS Sensor I have, each IDS I have has a
   unique ID for it, would be nice to be able to correlate that data. Argus vs.
   IDS)
   3. hostname (like you have)
   4. or just a name (ie. TestLabProbe)

In my environment an IP Address doesn't mean much to me, I might have
multiple ARGUS sensors out in multiple private networks (so they all might
have a 192.168.x.x address), so what happens if I have 2 sensors in 2
different private networks with the same IP (192.168.50.33) would be hard to
differentiate between the two...

Thanks.

Bartola



On Fri, Mar 14, 2008 at 12:52 PM, Eric Pancer <epancer at pobox.com> wrote:

> On Fri, 2008-03-14 at 12:45:40 -0400, Mark Bartlett proclaimed...
>
> >    Can you give me an example of what you are using for your SRCID?  I
> >    put the following:
>
> Sure..
>
> $ grep MONITOR /etc/argus.conf
> ARGUS_MONITOR_ID=172.12.4.14
>
> $ grep MONITOR /etc/radium.conf
> RADIUM_MONITOR_ID=172.12.4.15
>
> >    ARGUS_MONITOR_ID=33  and I get this in the srcid field = [1]0.0.0.33
> >    If I put this:
> >    '
> >    ARGUS_MONITOR_ID=12345 I get this, [2]0.0.48.57
> >    If I try this:
> >    ARGUS_MONITOR_ID='argus-server-test'
> >    I get an error on start:  ArgusError: argus[5150]: 14 Mar 08
> >    16:34:28.916521 ArgusParseResourceFile(/etc/argus.conf) syntax error
> >    line 76
> >    If I try this (No quotes):
> >    ARGUS_MONITOR_ID=argus-server-test
> >    Now the srcid is the IP address of argus-server-test defined in the
> >    /etc/hosts file...
> >    Just trying to get an example of 'how' people are using this srcid
> >    (ARGUS_MONITOR_ID) field, and how it is 'supposed' to be used...
> >    thanks.
>
> I believe the value needs to be a numeric value. See the man page as it's
> well defined.
>
> - Eric
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080314/ef2e624e/attachment.html>

More information about the argus mailing list