Some problems (bugs?) with argus

Martijn van Oosterhout kleptog at gmail.com
Fri Aug 7 11:47:28 EDT 2009


Thanks for the info, it was very helpful. The fragments turn out to be
easily filterable by using something like syn or con. It's nice to
know they're not important.

I do have one question: you refer to ArgusReverseRecord() and it does
what it says it does. However, what I'm interested in is: can I tell
from the flow record in which direction the SYN or SYNACK went? If I could
determine that, then it would be possible to take that into account.

It's easy to reproduce, take the PCAP of any complete TCP connection
and strip out the SYN packet (with editcap for example). If you're
saying it's not possible at all then I'll have to reconsider my
approach (I'm trying to detect services).

Thanks for any information you can provide.

On Fri, Aug 7, 2009 at 4:05 PM, Carter Bullard <carter at qosient.com> wrote:
> Argus does not dictate the direction of a flow, its rules are very simple,
> so any problems with flow direction reporting are issues in the logic for
> the client programs.  So I wouldn't modify argus to deal with what would
> appear to be a direction issue.  Check out the ArgusReverseRecord()
> use in the client library for help there!!!!


-- 
Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
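The question above is whether a client-side program can recover flow direction from which way the SYN and SYN-ACK travelled, including the case where the SYN has been stripped from the capture. The following is an added example, not Argus code and not anything posted in this thread: it models that decision at the packet level on constructed packets (the Packet class, the addresses and ports are all made up for the illustration). The rule it applies is that a bare SYN is always sent by the client, a SYN-ACK is always sent by the server, and when neither is seen the only thing left is the direction of the first packet, which is exactly the case where direction can come out reversed.

```python
# Added example (not part of Argus or of the argus mailing list thread):
# infer which endpoint of a TCP flow is the client from the direction of
# the SYN / SYN-ACK, and show what is lost when the SYN is missing.
from dataclasses import dataclass
from typing import Iterable, Tuple

SYN = 0x02  # TCP flag bit values as they appear in the TCP header
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet: just the 4-tuple and the TCP flag bits."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


Endpoint = Tuple[str, int]


def infer_direction(packets: Iterable[Packet]) -> Tuple[Endpoint, Endpoint, str]:
    """Return (client, server, evidence) for one flow's packets.

    evidence is one of:
      "syn"          a bare SYN was seen; its sender is the client
      "synack"       no SYN, but a SYN-ACK was seen; its sender is the server
      "first-packet" neither handshake packet seen; the first packet's sender
                     is assumed to be the client (may be wrong)
    """
    pkts = list(packets)
    if not pkts:
        raise ValueError("empty flow")
    # Strongest evidence: a SYN without ACK is only ever sent by the initiator.
    for p in pkts:
        if p.flags & SYN and not p.flags & ACK:
            return (p.src, p.sport), (p.dst, p.dport), "syn"
    # Next best: a SYN-ACK is only ever sent by the responder, so even a
    # capture with the SYN removed still identifies the server.
    for p in pkts:
        if p.flags & SYN and p.flags & ACK:
            return (p.dst, p.dport), (p.src, p.sport), "synack"
    # Fallback: treat whoever spoke first as the client. This is the case a
    # flow monitor is in when the handshake never reached it.
    first = pkts[0]
    return (first.src, first.sport), (first.dst, first.dport), "first-packet"


# Constructed sample flows (addresses and ports are not from the thread).
CLIENT: Endpoint = ("10.0.0.5", 40123)
SERVER: Endpoint = ("192.0.2.10", 80)


def _pkt(frm: Endpoint, to: Endpoint, flags: int) -> Packet:
    return Packet(frm[0], frm[1], to[0], to[1], flags)


FULL_HANDSHAKE = [
    _pkt(CLIENT, SERVER, SYN),
    _pkt(SERVER, CLIENT, SYN | ACK),
    _pkt(CLIENT, SERVER, ACK),
]
# Same connection with the SYN packet removed, the situation editcap leaves.
SYN_STRIPPED = FULL_HANDSHAKE[1:]
# Mid-connection traffic only; the first packet seen happens to come from
# the server, so the fallback rule gets the direction backwards.
MID_STREAM = [_pkt(SERVER, CLIENT, ACK), _pkt(CLIENT, SERVER, ACK)]


if __name__ == "__main__":
    for name, flow in [("full handshake", FULL_HANDSHAKE),
                       ("SYN stripped", SYN_STRIPPED),
                       ("mid-stream only", MID_STREAM)]:
        client, server, evidence = infer_direction(flow)
        print(f"{name:16s} client={client} server={server} ({evidence})")
```

The third flow is the one to watch: with no SYN and no SYN-ACK the inferred client is the server, which is the reversal that a post-processing step such as ArgusReverseRecord() exists to correct once a program has decided, on other evidence, which side is which.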
