Removing Internal flows from output

John Kennedy wilson.amajohn at gmail.com
Fri Jun 5 18:35:15 EDT 2009


Extrusion Detection:
How would I filter out internal to internal traffic, but still be able to
see traffic from an internal address going to an internet address?  The
egress traffic could potentially be over any port.  I.e. I want to be able
to ignore internal traffic (e.g. 10.0.0.1:11223 -> 10.2.3.5:80) and focus on
any traffic bound to an internet IP address (e.g. 10.0.0.1:11223 ->
121.10.114.137:80|21|443|6667|whatever).  Is there a way to get what I am
asking for using an argus-client and without using Perl/Bash/Ruby/Tcl etc.?

Using a filter such as ra -L0 -n -r argus.log - not host 10.0.0.1 will
filter out all traffic for 10.0.0.1, even the egress traffic.

Thanks

John
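One way to express the wanted selection, added here as an example that is not part of the original thread or of the argus project: in ra's tcpdump-style filter language the rule is "source inside the internal range and destination outside it", e.g. `src net 10.0.0.0/8 and not dst net 10.0.0.0/8` (assumed syntax; check the ra man page for your version). The Python below applies the same rule to constructed records laid out like ra's default output, treating the RFC 1918 ranges as internal so that internal-to-internal and inbound flows are dropped whatever the port.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumed definition of "internal": the RFC 1918 ranges. Replace with the
# site's own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in the shape of ra's default columns
# (StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State).
SAMPLE_FLOWS = """\
18:35:15.100000  e  tcp  10.0.0.1.11223     ->  10.2.3.5.80           10  1234  FIN
18:35:16.200000  e  tcp  10.0.0.1.11223     ->  121.10.114.137.443    42  9876  CON
18:35:17.300000  e  udp  10.0.0.7.53012     ->  10.0.0.2.53            2   180  CON
18:35:18.400000  e  tcp  10.0.0.9.40000     ->  121.10.114.137.6667    8   900  CON
18:35:19.500000  e  tcp  121.10.114.137.80  ->  10.0.0.1.33000         5   600  CON
18:35:20.600000  e  tcp  192.168.1.5.11223  ->  10.0.0.1.22            1   100  CON
"""


def split_addr_port(field: str) -> Tuple[ipaddress.IPv4Address, int]:
    """ra prints IPv4 endpoints as addr.port; the port follows the last dot.
    IPv4 only: IPv6 endpoints use a different layout and are not handled here."""
    addr, port = field.rsplit(".", 1)
    return ipaddress.ip_address(addr), int(port)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def egress_flows(lines: Iterable[str]) -> List[str]:
    """Keep only flows whose source is internal and whose destination is not.
    The destination port is deliberately ignored: egress may use any port."""
    kept = []
    for line in lines:
        cols = line.split()
        if len(cols) < 6:
            continue  # blank or malformed record
        src, _ = split_addr_port(cols[3])
        dst, _ = split_addr_port(cols[5])
        if is_internal(src) and not is_internal(dst):
            kept.append(line)
    return kept


if __name__ == "__main__":
    for rec in egress_flows(SAMPLE_FLOWS.splitlines()):
        print(rec)
```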

