Removing Internal flows from output

Carter Bullard carter at qosient.com
Mon Jun 8 15:26:42 EDT 2009


Hey John,
Also, if your argus is well positioned and you know what L2 addresses are involved in the external traffic, you can use a simple "ether host xx:xx:xx:xx:xx:xx" filter on the input.

The reason the L2 filters are preferable is that you can find errant traffic with an L2 filter, but L3 filters may exclude some traffic that you would want to be interested in, like traffic with spoofed source addresses and the like.

BUT, for most purposes, the L3 filters are the most logical.

Carter

On Jun 8, 2009, at 1:49 PM, John Kennedy wrote:

> Very similar..
>
> racluster -M norep -m matrix proto saddr daddr dport -r /var/log/argus/argus.log -w - - ip and not dst net 192.168.0.0/16 and not dst net 10.0.0.0/8 and not dst net 172.16.0.0/12 | rasort -m bytes -w - | ra -LO -n -N 10 -s proto saddr daddr dport pkts bytes state - not ip proto eigrp
>
> At this point I don't want to know about internal LAN to LAN connections. I want to know what private address is making requests to the outside world, e.g. port 80/443 traffic not using the proxy, DNS requests to known bad domains, P2P traffic indications, etc.
>
> Basically I am building a report similar to Mr. Van Epp's Perl script to provide indications that a host may be compromised.
>
> Regards,
>
> John
>
>
> On Mon, Jun 8, 2009 at 7:31 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey John,
> Glad you're figuring it out ;o)
> Did your filter look anything like this?
>
>    ra - ip and not \(src net 10.0.0.0/8 and dst net 10.0.0.0/8\)
>
> Carter
>
> On Jun 5, 2009, at 11:52 PM, John Kennedy wrote:
>
>> I think I figured it out... :D Yah for me!!!!
>>
>> On Fri, Jun 5, 2009 at 4:35 PM, John Kennedy <wilson.amajohn at gmail.com> wrote:
>> Extrusion Detection:
>> How would I filter out internal to internal traffic, but still be able to see traffic from an internal address going to an internet address?  The egress traffic could potentially be over any port.  I.e. I want to be able to ignore internal traffic (e.g. 10.0.0.1:11223 -> 10.2.3.5:80) and focus on any traffic bound to an internet IP address (e.g. 10.0.0.1:11223 -> 121.10.114.137:80|21|443|6667|whatever).  Is there a way to get what I am asking for using an argus-client and without using Perl/Bash/Ruby/Tcl etc.?
>>
>> Using some filters, e.g. "ra -L0 -n -r argus.log - not host 10.0.0.1", will filter all traffic for 10.0.0.1, even the egress traffic.
>>
>> Thanks
>>
>> John
>>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
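The three L3 filters discussed in this thread behave differently on the same set of flows. The following Python model is an added example (not argus code, and not from anyone on the list) that applies each filter's logic to a handful of constructed flow records: John's original "not host 10.0.0.1", Carter's "ip and not (src net ... and dst net ...)", and the "not dst net" form in John's racluster pipeline. The Flow class, SAMPLE_FLOWS and the non-RFC1918 sample addresses (198.51.100.x, 203.0.113.x) are assumptions made up for the demonstration.

```python
"""Model of the ra/racluster L3 filter expressions from the thread, run over
constructed flow records (added example; not argus's own filter engine)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges. The racluster command in the thread names all three;
# the earlier "ra" example used only 10.0.0.0/8.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    """Minimal stand-in for the fields ra prints: proto saddr sport daddr dport."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 networks."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def not_host(flows, host):
    """'ra - not host <host>': drops every flow that touches <host>,
    so the host's egress traffic disappears as well (John's first attempt)."""
    return [f for f in flows if host not in (f.saddr, f.daddr)]


def not_internal_to_internal(flows):
    """'ra - ip and not (src net <internal> and dst net <internal>)':
    drops only flows whose BOTH ends are internal; inbound from the
    internet is kept."""
    return [f for f in flows if not (is_internal(f.saddr) and is_internal(f.daddr))]


def not_dst_internal(flows):
    """'... ip and not dst net 192.168/16 and not dst net 10/8 and not dst net 172.16/12':
    keeps only flows whose destination is outside the private ranges, so
    inbound internet -> internal flows are dropped too."""
    return [f for f in flows if not is_internal(f.daddr)]


# Constructed sample flows; these are not taken from an argus.log.
SAMPLE_FLOWS = [
    Flow("tcp", "10.0.0.1", 11223, "10.2.3.5", 80),           # internal -> internal (from the thread)
    Flow("tcp", "10.0.0.1", 11223, "121.10.114.137", 443),    # internal -> internet (from the thread)
    Flow("udp", "192.168.1.10", 40001, "198.51.100.53", 53),  # egress DNS, constructed
    Flow("tcp", "198.51.100.7", 50000, "10.0.0.1", 22),       # inbound from internet, constructed
    Flow("tcp", "203.0.113.9", 3333, "198.51.100.53", 6667),  # non-RFC1918 source seen on the inside, constructed
]


def summarize(flows):
    """Compact (saddr, daddr, dport) view for printing and testing."""
    return [(f.saddr, f.daddr, f.dport) for f in flows]


if __name__ == "__main__":
    print("not host 10.0.0.1       ->", summarize(not_host(SAMPLE_FLOWS, "10.0.0.1")))
    print("not (src int and dst int)->", summarize(not_internal_to_internal(SAMPLE_FLOWS)))
    print("not dst net <internal>  ->", summarize(not_dst_internal(SAMPLE_FLOWS)))
```

Running it shows why "not host" was the wrong tool: it removes the 10.0.0.1 -> 121.10.114.137 egress flow along with the LAN-to-LAN one. The two net-based filters both keep egress, and differ only on inbound traffic (kept by the src-and-dst form, dropped by the dst-only form); pick the one that matches the report you want. The last sample flow, with a non-private source on what should be an internal segment, survives every L3 filter here, which is the kind of traffic Carter's "ether host" L2 filter is meant to catch.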



