rafilteraddr request

Terry Burton tez at terryburton.co.uk
Fri Aug 7 17:50:33 EDT 2009


On Fri, Aug 7, 2009 at 7:18 PM, Nick Diel<nick at engineerity.com> wrote:
> I am really liking rafilteraddr, though I wouldn't mind being able to
> specify the matching a little bit more.  For instance being able to match
> source or destination or not matching at all.  Perhaps a -m saddr type
> option, though not sure how complex it should be (should one be able to say
> match saddr but do not match daddr).

Hi Nick,

The functionality you are looking for might already be present, but
undocumented. I've attached one of my scripts that uses it below.

Some time ago Carter mentioned the possibility of rolling the
rafilteraddr functionality into the individual argus client programs.
This would mean for example that you could simply invoke ratop to
monitor blacklisted or bogus IP addresses, etc. Perhaps others would
find this useful?


All the best,

Terry

----

#! /bin/sh

# Top list of unregistered talkers.
#
# Select flows sourcing from OUR_NET that are not in the AUTH_IP_FILE
# - i.e. our unregistered/dark hosts
# First aggregate by source and destination, "-M norep" so that each
# row is a single transaction
# Aggregate by source, calculating the session stats so "trans" is the
# number of connections to distinct hosts made by each source
# Sort by "trans" to find the worst scanners
# Output result

AUTH_IP_FILE=/srv/argus/dat/authips.txt
OUR_NET=123.123.0.0/16

ra -w - "$@" |
rafilteraddr -m saddr -vf "$AUTH_IP_FILE" -r - -w - - src net "$OUR_NET" |
racluster -M norep -m smac dmac saddr daddr -r - -w - |
racluster -m smac saddr -r - -w - |
rasort -m trans -r - -w - |
ra -L-1 -s trans stime ltime dur saddr -r -
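The pipeline above only runs where the argus clients are installed. The following is an added example, not part of Terry's post or of argus, that models the same four steps (select unregistered sources inside OUR_NET, collapse repeats into single transactions, count distinct transactions per source, sort by that count) over a small constructed set of flow records, so the logic of the script can be checked without argus. The flow records, MAC addresses and the authorised-IP set are constructed stand-ins.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (not real argus output): one record per flow.
FLOWS = [
    # registered host: should be dropped even though it is in OUR_NET
    {"smac": "02:00:00:00:00:0a", "dmac": "02:00:00:00:00:ff", "saddr": "123.123.1.5", "daddr": "203.0.113.10"},
    {"smac": "02:00:00:00:00:0a", "dmac": "02:00:00:00:00:ff", "saddr": "123.123.1.5", "daddr": "203.0.113.11"},
    # unregistered host talking to three distinct destinations, one of them twice
    {"smac": "02:00:00:00:00:0b", "dmac": "02:00:00:00:00:ff", "saddr": "123.123.2.7", "daddr": "203.0.113.10"},
    {"smac": "02:00:00:00:00:0b", "dmac": "02:00:00:00:00:ff", "saddr": "123.123.2.7", "daddr": "203.0.113.10"},
    {"smac": "02:00:00:00:00:0b", "dmac": "02:00:00:00:00:ff", "saddr": "123.123.2.7", "daddr": "203.0.113.11"},
    {"smac": "02:00:00:00:00:0b", "dmac": "02:00:00:00:00:ff", "saddr": "123.123.2.7", "daddr": "203.0.113.12"},
    # unregistered host with a single destination
    {"smac": "02:00:00:00:00:0c", "dmac": "02:00:00:00:00:ff", "saddr": "123.123.3.9", "daddr": "203.0.113.10"},
    # external source: outside OUR_NET, so "src net" never matches it
    {"smac": "02:00:00:00:00:0d", "dmac": "02:00:00:00:00:0b", "saddr": "198.51.100.4", "daddr": "123.123.2.7"},
]

# Stand-in for the contents of AUTH_IP_FILE (registered hosts).
AUTH_IPS = {"123.123.1.5"}
OUR_NET = ipaddress.ip_network("123.123.0.0/16")


def unregistered_talkers(flows, auth_ips, our_net):
    """Return [(trans, smac, saddr), ...] sorted by trans descending."""
    # Step 1 (rafilteraddr -m saddr -v ... src net OUR_NET): keep flows whose
    # source is inside our net but NOT in the authorised list.
    selected = [
        f for f in flows
        if ipaddress.ip_address(f["saddr"]) in our_net and f["saddr"] not in auth_ips
    ]
    # Step 2 (racluster -M norep -m smac dmac saddr daddr): repeated flows
    # between the same endpoints collapse into one transaction.
    transactions = {(f["smac"], f["dmac"], f["saddr"], f["daddr"]) for f in selected}
    # Step 3 (racluster -m smac saddr): "trans" per source is the number of
    # distinct transactions, i.e. distinct hosts contacted.
    counts = defaultdict(int)
    for smac, _dmac, saddr, _daddr in transactions:
        counts[(smac, saddr)] += 1
    # Step 4 (rasort -m trans): worst scanners first.
    return sorted(((n, smac, saddr) for (smac, saddr), n in counts.items()), reverse=True)


if __name__ == "__main__":
    for trans, smac, saddr in unregistered_talkers(FLOWS, AUTH_IPS, OUR_NET):
        print(f"{trans:5d}  {smac}  {saddr}")
```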
