Removing Internal flows from output

Carter Bullard carter at qosient.com
Mon Jun 8 09:31:37 EDT 2009


Hey John,
Glad you're figuring it out ;o)
Did your filter look anything like this?

    ra - ip and not \(src net 10.0.0.0/8 and dst net 10.0.0.0/8\)

Carter

On Jun 5, 2009, at 11:52 PM, John Kennedy wrote:

> I think I figured it out... :D Yah for me!!!!
>
> On Fri, Jun 5, 2009 at 4:35 PM, John Kennedy  
> <wilson.amajohn at gmail.com> wrote:
> Extrusion Detection:
> How would I filter out internal to internal traffic, but still be  
> able to see traffic from an internal address going to an internet  
> address?  The egress traffic could potentially be over any port.   
> I.E. I want to be able to ignore internal traffic (e.g.  
> 10.0.0.1:11223 -> 10.2.3.5:80) and focus on any traffic bound to an  
> internet IP address. (e.g. 10.0.0.1:11223 -> 121.10.114.137:80|21| 
> 443|6667|whatever).  Is there a way to get what I am asking for  
> using an argus-client and without using Perl/Bash/Ruby/Tcl etc.
>
> In using some filters e.g. ra -L0 -n -r argus.log - not host  
> 10.0.0.1 will filter all traffic for 10.0.0.1 even the egress traffic.
>
> Thanks
>
> John
>
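
The filter logic of this thread as an added, runnable illustration (not code from the thread, nor from argus itself): it applies the same predicate Carter's `ra` filter expresses to constructed sample flows and contrasts it with the `not host 10.0.0.1` filter John first tried. Treating the 172.16.0.0/12 and 192.168.0.0/16 blocks as internal alongside 10.0.0.0/8 is an assumed generalisation, not something the thread states.

```python
import ipaddress

# Carter's ra filter:  ip and not (src net 10.0.0.0/8 and dst net 10.0.0.0/8)
# Assumed generalisation: all three RFC 1918 blocks count as "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows in "saddr:sport -> daddr:dport" form; not real ra output.
SAMPLE_FLOWS = [
    "10.0.0.1:11223 -> 10.2.3.5:80",          # internal -> internal: drop
    "10.0.0.1:11223 -> 121.10.114.137:443",   # internal -> internet: keep (extrusion)
    "10.0.0.1:11223 -> 121.10.114.137:6667",  # internal -> internet, odd port: keep
    "192.168.1.20:40000 -> 10.9.9.9:22",      # internal -> internal across blocks: drop
    "203.0.113.7:51000 -> 10.0.0.1:25",       # internet -> internal: keep (ingress)
]


def parse_flow(line):
    """Return (src_ip, dst_ip) from a 'saddr:sport -> daddr:dport' line."""
    src, dst = (part.strip() for part in line.split("->"))
    return (ipaddress.ip_address(src.rsplit(":", 1)[0]),
            ipaddress.ip_address(dst.rsplit(":", 1)[0]))


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_filter(src, dst):
    """Mirror of 'not (src net X and dst net X)': drops only internal-to-internal flows."""
    return not (is_internal(src) and is_internal(dst))


def not_host_filter(src, dst, host=ipaddress.ip_address("10.0.0.1")):
    """Mirror of John's 'not host 10.0.0.1': drops every flow that touches the host."""
    return src != host and dst != host


def select_flows(lines, predicate):
    """Return the flow lines the predicate keeps."""
    return [line for line in lines if predicate(*parse_flow(line))]


if __name__ == "__main__":
    for name, pred in (("not host 10.0.0.1", not_host_filter), ("egress", egress_filter)):
        print(f"--- {name} ---")
        for line in select_flows(SAMPLE_FLOWS, pred):
            print(line)
```

The `not host` variant keeps only the one flow that does not involve 10.0.0.1, losing the egress flows John wanted; the net-based predicate keeps every flow with at least one non-internal endpoint.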
