srcid on OpenBSD

Carter Bullard carter at qosient.com
Fri Mar 14 18:04:43 EDT 2008


Right this second, we assume that the srcid is an IP address.  I'll change that this weekend.

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: "Mark Bartlett" <mabartle at gmail.com>
Date: Fri, 14 Mar 2008 15:00:08
To: "Mark Bartlett" <mabartle at gmail.com>, Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] srcid on OpenBSD


In the ra man page it states:

    srcid argusid
        True if the argus identifier field in the Argus record is srcid, which
        may be an IP address, a name or a decimal/hexadecimal number.

The radium man page states:

    -e <value>  Specify the source identifier for this radium. Acceptable values
                are numbers, hostnames or ip address.

The argus man page states:

    -e <value>  Specify the source identifier for this argus. Acceptable values
                are numbers, hostnames or ip address.

Carter, is there any way we can have that field be:

* an IP address (like you have),
* a number (any number, i.e. 23417; I would like to set the Monitor ID to a number that correlates with an IDS sensor I have, each IDS I have has a unique ID for it, would be nice to be able to correlate that data, Argus vs. IDS)
* hostname (like you have)
* or just a name (i.e. TestLabProbe)

In my environment an IP address doesn't mean much to me. I might have multiple ARGUS sensors out in multiple private networks (so they all might have a 192.168.x.x address), so what happens if I have 2 sensors in 2 different private networks with the same IP (192.168.50.33)? It would be hard to differentiate between the two...
 
Thanks.

Bartola




On Fri, Mar 14, 2008 at 12:52 PM, Eric Pancer <epancer at pobox.com> wrote:
On Fri, 2008-03-14 at 12:45:40 -0400, Mark Bartlett proclaimed...
 

>    Can you give me an example of what you are using for your SRCID?  I
>    put the following:

Sure..

$ grep MONITOR /etc/argus.conf
ARGUS_MONITOR_ID=172.12.4.14

$ grep MONITOR /etc/radium.conf
RADIUM_MONITOR_ID=172.12.4.15

>    ARGUS_MONITOR_ID=33  and I get this in the srcid field = 0.0.0.33
>    If I put this:
>    ARGUS_MONITOR_ID=12345 I get this, 0.0.48.57
>    If I try this:
>    ARGUS_MONITOR_ID='argus-server-test'
>    I get an error on start:  ArgusError: argus[5150]: 14 Mar 08
>    16:34:28.916521 ArgusParseResourceFile(/etc/argus.conf) syntax error
>    line 76
>    If I try this (No quotes):
>    ARGUS_MONITOR_ID=argus-server-test
>    Now the srcid is the IP address of argus-server-test defined in the
>    /etc/hosts file...
>    Just trying to get an example of 'how' people are using this srcid
>    (ARGUS_MONITOR_ID) field, and how it is 'supposed' to be used...
>    thanks.
 
 I believe the value needs to be a numeric value. See the man page as it's
 well defined.
 
 - Eric
 
 
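The behaviour Mark observed (33 showing up as 0.0.0.33, 12345 as 0.0.48.57, a bare hostname resolving via /etc/hosts, a quoted value rejected) and the collision he is worried about, worked through as an added Python example that is not part of this thread or of the argus project. It assumes the srcid is a 32-bit value rendered as a dotted quad, which is what the reported outputs imply; the HOSTS table is a constructed stand-in for /etc/hosts, and the sensor inventory is constructed.

```python
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for /etc/hosts (no real name resolution is done).
HOSTS = {"argus-server-test": "10.1.2.3"}


def monitor_id_to_srcid(value: str, hosts: Optional[Dict[str, str]] = None) -> str:
    """Render an ARGUS_MONITOR_ID / RADIUM_MONITOR_ID the way the thread
    reports argus displayed it: every accepted form ends up as an IPv4 quad.

    - decimal number -> 32-bit integer shown as a.b.c.d (33 -> 0.0.0.33)
    - dotted IPv4    -> used as-is
    - hostname       -> address from the hosts table (stand-in for /etc/hosts)
    - quoted string  -> rejected, matching the syntax error in the thread
    """
    value = value.strip()
    if value[:1] in ("'", '"'):
        raise ValueError("quoted MONITOR_ID is a syntax error in argus.conf")
    if value.isdigit():
        n = int(value)
        if n > 0xFFFFFFFF:
            raise ValueError("numeric MONITOR_ID does not fit in 32 bits")
        return str(ipaddress.IPv4Address(n))
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        pass
    table = HOSTS if hosts is None else hosts
    if value in table:
        return table[value]
    raise ValueError(f"cannot map MONITOR_ID {value!r} to an address")


def find_srcid_collisions(sensors: Dict[str, str],
                          hosts: Optional[Dict[str, str]] = None) -> Dict[str, list]:
    """Group sensors by the srcid they would emit and return only the srcids
    shared by more than one sensor: two probes on separate 192.168.x.x
    networks configured with the same address become indistinguishable."""
    by_srcid: Dict[str, list] = {}
    for name, monitor_id in sensors.items():
        by_srcid.setdefault(monitor_id_to_srcid(monitor_id, hosts), []).append(name)
    return {srcid: names for srcid, names in by_srcid.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed inventory: one IDS-correlated numeric ID, two lab probes
    # that reuse the same private address.
    inventory = {"ids-23417": "23417", "lab-a": "192.168.50.33", "lab-b": "192.168.50.33"}
    for name, mid in inventory.items():
        print(f"{name}: MONITOR_ID={mid} -> srcid {monitor_id_to_srcid(mid)}")
    print("collisions:", find_srcid_collisions(inventory))
```

Running the collision check against a sensor inventory before deploying probes surfaces duplicate srcids before the flow records from two networks get merged under one identifier.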