argus and filtering
Phillip Deneault
deneault at WPI.EDU
Mon Oct 5 08:57:24 EDT 2009
Just to be clear, I'm attempting to put the filter in my argus.conf file
to ignore certain traffic and the documentation has it as
"ARGUS_FILTER". Nevertheless, I tried it, and neither of the options
RA_FILTER or ARGUS_FILTER works.

I ran strace on argus trying each command separately and it appears more
processing is performed with ARGUS_FILTER.

My goal here is to filter on a set of IPs that I do not wish to record,
but don't want to filter at the network interface because I wish other
tools listening on that port to process that traffic instead.

Thanks,
Phil

Carter Bullard wrote:
> Hey Phillip,
> The configuration variable is "RA_FILTER" not "ARGUS_FILTER". I tested
> this and it should work, but if this doesn't, send mail!!!!
>
> Carter
>
>
> On Oct 2, 2009, at 4:39 PM, Phillip Deneault wrote:
>
>> I'm attempting to filter using the 3.0.2 code of the argus daemon
>> available here:
>> ftp://www.qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz
>>
>> And I've been trying to set the ARGUS_FILTER using the following two
>> lines of a config file.
>>
>> ARGUS_FILTER="not net 192.168.1.0/24"
>> ARGUS_ACCESS_PORT=561
>>
>> I then use this command line to run the ra tool.
>>
>> argus -X -F /etc/argus.conf.test
>>
>> But I'm still getting data to and from 192.168.1.0/24. Can anyone else
>> confirm this is a bug they have? I'm running CentOS 5.3.
>>
>> Thanks,
>> Phil
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
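
A check for the symptom reported in this thread (records for 192.168.1.0/24 still appearing although the filter is set), as an added example that is not part of the original messages or of argus: it scans exported flow records for addresses inside the excluded network. The two-column source,destination CSV input, the sample rows and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: "source,destination" address pairs exported from flow
# records (assumed format). Non-IP rows (e.g. link-layer addresses) can occur.
SAMPLE = """\
SrcAddr,DstAddr
10.0.0.5,192.168.1.20
10.0.0.5,172.16.4.9
192.168.1.77,8.8.8.8
00:16:3e:aa:bb:cc,ff:ff:ff:ff:ff:ff
192.168.10.1,10.0.0.5
"""


def _in_net(text, net):
    """True if text parses as an IP address inside net; non-IP values never match."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return False  # header labels, MAC addresses, empty fields
    return addr.version == net.version and addr in net


def leaked_flows(csv_text, excluded="192.168.1.0/24"):
    """Return (line number, src, dst) for every record touching the excluded net.

    An empty result is what a working "not net <excluded>" filter should give.
    """
    net = ipaddress.ip_network(excluded)
    hits = []
    for lineno, line in enumerate(csv_text.splitlines(), 1):
        fields = line.split(",")
        if len(fields) < 2:
            continue  # blank or malformed line
        src, dst = fields[0].strip(), fields[1].strip()
        if _in_net(src, net) or _in_net(dst, net):
            hits.append((lineno, src, dst))
    return hits


if __name__ == "__main__":
    for lineno, src, dst in leaked_flows(SAMPLE):
        print(f"line {lineno}: {src} -> {dst} is inside the excluded network")
```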