Removing Internal flows from output
Carter Bullard
carter at qosient.com
Mon Jun 8 09:31:37 EDT 2009
Hey John,
Glad you're figuring it out ;o)
Did you're filter look anything like this?
ra - ip and not \(src net 10.0.0.0/8 and dst net 10.0.0.0/8\)
Carter
On Jun 5, 2009, at 11:52 PM, John Kennedy wrote:
> I think I figured it out... :D Yah for me!!!!
>
> On Fri, Jun 5, 2009 at 4:35 PM, John Kennedy
> <wilson.amajohn at gmail.com> wrote:
> Extrusion Detection:
> How would I filter out internIal to internal traffic, but still be
> able to see traffic from an internal address going to an internet
> address? The egress traffic could potentially be over any port.
> I.E. I want to be able to ignore internal traffic (e.g.
> 10.0.0.1:11223 -> 10.2.3.5:80) and focus on any traffic bound o an
> internet IP address. (e.g. 10.0.0.1:11223 -> 121.10.114.137:80|21|
> 443|6667|whatever). Is there a way to get what I am asking for
> using an argus-clent and without using Perl/Bash/Ruby/Tcl etc.
>
> In using some filters e.g. ra -L0 -n -r argus.log - not host
> 10.0.0.1 will filter all traffic for 10.0.0.1 even the egress traffic.
>
> Thanks
>
> John
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090608/d6751d05/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090608/d6751d05/attachment.bin>
More information about the argus
mailing list