Removing Internal flows from output

John Kennedy wilson.amajohn at gmail.com
Mon Jun 8 13:49:58 EDT 2009


Very similar..

racluster -M norep -m matrix proto saddr daddr dport -r /var/log/argus/argus.log \
  -w - - ip and not dst net 192.168.0.0/16 and not dst net 10.0.0.0/8 \
  and not dst net 172.16.0.0/12 | rasort -m bytes -w - | \
  ra -L0 -n -N 10 -s proto saddr daddr dport pkts bytes state - not ip proto eigrp

At this point I don't want to know about internal Lan to Lan connections. I
want to know what private address is making requests to the outside world.
e.g. Port 80/443 traffic not using the proxy.  DNS Requests to known bad
domains etc.  P2P Traffic indications etc.

Basically I am building a report similar to Mr. Van Epp's Perl Script to
provide indications that a host may be compromised.

Regards,

John


On Mon, Jun 8, 2009 at 7:31 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey John, Glad you're figuring it out ;o)
> Did your filter look anything like this?
>
>    ra - ip and not \(src net 10.0.0.0/8 and dst net 10.0.0.0/8\)
>
> Carter
>
> On Jun 5, 2009, at 11:52 PM, John Kennedy wrote:
>
> I think I figured it out... :D Yah for me!!!!
>
> On Fri, Jun 5, 2009 at 4:35 PM, John Kennedy <wilson.amajohn at gmail.com> wrote:
>
>> Extrusion Detection:
>> How would I filter out internal to internal traffic, but still be able to
>> see traffic from an internal address going to an internet address?  The
>> egress traffic could potentially be over any port.  I.e. I want to be able
>> to ignore internal traffic (e.g. 10.0.0.1:11223 -> 10.2.3.5:80)
>> and focus on any traffic bound to an internet IP address. (e.g.
>> 10.0.0.1:11223 -> 121.10.114.137:80|21|443|6667|whatever).  Is there a
>> way to get what I am asking for using an argus-client and without using
>> Perl/Bash/Ruby/Tcl etc.
>>
>> In using some filters e.g. ra -L0 -n -r argus.log - not host 10.0.0.1 will
>> filter all traffic for 10.0.0.1 even the egress traffic.
>>
>> Thanks
>>
>> John
>>
>
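The filter logic discussed in this thread, written out as an added example (not code from the argus project or from anyone in the thread): the three RFC 1918 nets from John's racluster filter, the "not (src net X and dst net X)" egress test Carter suggests beside the "not host" filter John tried first, and a bytes-ranked (saddr, daddr, dport) matrix like racluster | rasort -m bytes | ra -N 10. The flow records and byte counts are constructed sample data shaped like ra's columns, not real argus output.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 space, the same three nets excluded in the racluster filter above.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside any RFC 1918 net (i.e. is an internal host)."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def egress_only(flows):
    """Keep flows whose source is internal and whose destination is not.
    This is the 'ip and not (src net X and dst net X)' idea from the thread:
    LAN-to-LAN and inbound flows drop out, internal-to-Internet flows stay."""
    return [f for f in flows if is_private(f["saddr"]) and not is_private(f["daddr"])]


def not_host_filter(flows, host):
    """The filter John tried first: 'not host 10.0.0.1' drops every flow the
    host takes part in, including its egress connections, so it hides exactly
    the extrusion traffic the report is meant to surface."""
    return [f for f in flows if host not in (f["saddr"], f["daddr"])]


def top_egress(flows, n=10):
    """Aggregate the kept egress flows on (saddr, daddr, dport), sum bytes and
    return the n largest, mirroring racluster -m matrix | rasort -m bytes | ra -N n."""
    totals = {}
    for f in egress_only(flows):
        key = (f["saddr"], f["daddr"], f["dport"])
        totals[key] = totals.get(key, 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample records; the 121.10.114.137 address is the one from the
# thread, the 198.51.100.x / 203.0.113.x hosts are documentation-range placeholders.
SAMPLE_FLOWS = [
    {"saddr": "10.0.0.1", "daddr": "10.2.3.5", "dport": 80, "bytes": 500},          # LAN to LAN: drop
    {"saddr": "10.0.0.1", "daddr": "121.10.114.137", "dport": 6667, "bytes": 4000},  # egress: keep
    {"saddr": "10.0.0.1", "daddr": "121.10.114.137", "dport": 6667, "bytes": 1000},  # same matrix cell
    {"saddr": "192.168.1.20", "daddr": "198.51.100.53", "dport": 53, "bytes": 120},  # egress DNS: keep
    {"saddr": "172.20.0.9", "daddr": "203.0.113.7", "dport": 443, "bytes": 9000},    # egress TLS: keep
    {"saddr": "203.0.113.7", "daddr": "10.0.0.1", "dport": 22, "bytes": 300},        # inbound: drop
    {"saddr": "172.31.255.1", "daddr": "192.168.0.5", "dport": 445, "bytes": 700},   # cross-private: drop
]

if __name__ == "__main__":
    for (saddr, daddr, dport), total in top_egress(SAMPLE_FLOWS):
        print(f"{saddr:>15} -> {daddr:>15}:{dport:<5} {total} bytes")
```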