Removing Internal flows from output

John Kennedy wilson.amajohn at gmail.com
Fri Jun 5 23:52:19 EDT 2009


I think I figured it out... :D Yah for me!!!!

On Fri, Jun 5, 2009 at 4:35 PM, John Kennedy <wilson.amajohn at gmail.com> wrote:

> Extrusion Detection:
> How would I filter out internal to internal traffic, but still be able to
> see traffic from an internal address going to an internet address?  The
> egress traffic could potentially be over any port.  I.E. I want to be able
> to ignore internal traffic (e.g. 10.0.0.1:11223 -> 10.2.3.5:80)
> and focus on any traffic bound to an internet IP address. (e.g.
> 10.0.0.1:11223 -> 121.10.114.137:80|21|443|6667|whatever).  Is there a way
> to get what I am asking for using an argus-client and without using
> Perl/Bash/Ruby/Tcl etc.
>
> In using some filters e.g. ra -L0 -n -r argus.log - not host 10.0.0.1 will
> filter all traffic for 10.0.0.1 even the egress traffic.
>
> Thanks
>
> John
>
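The selection the quoted question asks for is "source inside the internal address space, destination outside it", which is a two-sided test on each flow rather than a per-host exclusion. The following is an added example, not code from the thread or from the argus project: it runs that test over a few constructed flow lines in the "src:port -> dst:port" shape used in the question, using the RFC 1918 ranges as the assumed definition of "internal", and also shows why a plain `not host 10.0.0.1` exclusion drops the egress flows along with the internal ones. The equivalent ra(1) filter would be `src net 10.0.0.0/8 and not dst net 10.0.0.0/8`; that syntax is assumed from argus's tcpdump-style filter grammar and is not quoted from the page.

```python
"""Classify flow records as internal-to-internal or egress (internal -> Internet).

Added example for the argus thread above; it emulates over constructed
records what an ra filter such as
    ra -r argus.log - src net 10.0.0.0/8 and not dst net 10.0.0.0/8
is meant to select (filter syntax assumed, not taken from the page).
"""
import ipaddress
import re

# Assumed definition of "internal": the RFC 1918 ranges. Adjust to the
# site's real address plan before using this on live data.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records (not real argus output), in the
# "src:port -> dst:port" shape the poster used.
SAMPLE_FLOWS = """\
10.0.0.1:11223 -> 10.2.3.5:80
10.0.0.1:11223 -> 121.10.114.137:443
10.0.0.1:11223 -> 121.10.114.137:6667
192.168.1.20:5555 -> 172.16.0.9:22
10.7.7.7:40000 -> 203.0.113.10:21
""".splitlines()

FLOW_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def is_internal(addr):
    """True if addr falls inside any of the configured internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one 'src:port -> dst:port' record into its four fields."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)


def egress_flows(lines):
    """Keep only flows whose source is internal and whose destination is not.

    Port is deliberately ignored: egress can be on any port, as the
    question notes, so the test is purely on the address pair.
    """
    kept = []
    for line in lines:
        src, sport, dst, dport = parse_flow(line)
        if is_internal(src) and not is_internal(dst):
            kept.append((src, sport, dst, dport))
    return kept


def not_host(lines, host):
    """Emulate 'not host X': drop every flow that has X on either side.

    This is the exclusion the question tried; it also removes X's egress
    flows, which is the behaviour the poster observed.
    """
    kept = []
    for line in lines:
        src, sport, dst, dport = parse_flow(line)
        if host not in (src, dst):
            kept.append((src, sport, dst, dport))
    return kept


if __name__ == "__main__":
    print("egress flows:")
    for rec in egress_flows(SAMPLE_FLOWS):
        print("  %s:%d -> %s:%d" % rec)
    print("flows surviving 'not host 10.0.0.1': %d" % len(not_host(SAMPLE_FLOWS, "10.0.0.1")))
```

On the constructed input, `egress_flows` keeps the three records whose destination is a public address, while `not_host(..., "10.0.0.1")` throws away both of that host's egress flows together with its internal one, which is exactly the problem the question describes.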

