argus and filtering

Phillip Deneault deneault at WPI.EDU
Mon Oct 5 10:56:26 EDT 2009


This is what the -b option is spitting out, which looks like it's
processing the line correctly (to my untrained eye).  But the traffic is
not actually filtered in the output.

# argus -b -F /etc/argus.conf.test -i eth1
(000) ldh      [12]
(001) jeq      #0x800           jt 2	jf 5
(002) ld       [26]
(003) and      #0xffffff00
(004) jeq      #0xc0a80100      jt 30	jf 5
(005) ldh      [12]
(006) jeq      #0x800           jt 7	jf 10
(007) ld       [30]
(008) and      #0xffffff00
(009) jeq      #0xc0a80100      jt 30	jf 10
(010) ldh      [12]
(011) jeq      #0x806           jt 12	jf 15
(012) ld       [28]
(013) and      #0xffffff00
(014) jeq      #0xc0a80100      jt 30	jf 15
(015) ldh      [12]
(016) jeq      #0x806           jt 17	jf 20
(017) ld       [38]
(018) and      #0xffffff00
(019) jeq      #0xc0a80100      jt 30	jf 20
(020) ldh      [12]
(021) jeq      #0x8035          jt 22	jf 25
(022) ld       [28]
(023) and      #0xffffff00
(024) jeq      #0xc0a80100      jt 30	jf 25
(025) ldh      [12]
(026) jeq      #0x8035          jt 27	jf 31
(027) ld       [38]
(028) and      #0xffffff00
(029) jeq      #0xc0a80100      jt 30	jf 31
(030) ret      #0
(031) ret      #96

Thanks,
Phil

Phillip Deneault wrote:
> Just to be clear, I'm attempting to put the filter in my argus.conf file
> to ignore certain traffic, and the documentation has it as
> "ARGUS_FILTER".  Nevertheless, I tried it, and neither of the options
> RA_FILTER or ARGUS_FILTER works.
> 
> I ran strace on argus trying each command separately and it appears more
> processing is performed with ARGUS_FILTER.
> 
> My goal here is to filter on a set of IPs that I do not wish to record,
> but I don't want to filter at the network interface because I wish other
> tools listening on that port to process that traffic instead.
> 
> Thanks,
> Phil
> 
> Carter Bullard wrote:
>> Hey Phillip,
>> The configuration variable is "RA_FILTER", not "ARGUS_FILTER".  I tested
>> this and it should work, but if this doesn't, send mail!!!!
>>
>> Carter
>>
>>
>> On Oct 2, 2009, at 4:39 PM, Phillip Deneault wrote:
>>
>>> I'm attempting to filter using the 3.0.2 code of the argus daemon
>>> available here:
>>> ftp://www.qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz
>>>
>>> And I've been trying to set the ARGUS_FILTER using the following two
>>> lines of a config file.
>>>
>>> ARGUS_FILTER="not net 192.168.1.0/24"
>>> ARGUS_ACCESS_PORT=561
>>>
>>> I then use this command line to run the ra tool.
>>>
>>> argus -X -F /etc/argus.conf.test
>>>
>>> But I'm still getting data to and from 192.168.1.0/24.  Can anyone else
>>> confirm this is a bug they have?  I'm running Centos 5.3.
>>>
>>> Thanks,
>>> Phil
>>>
>> Carter Bullard
>> CEO/President
>> QoSient, LLC
>> 150 E 57th Street Suite 12D
>> New York, New York  10022
>>
>> +1 212 588-9133 Phone
>> +1 212 588-9134 Fax
>>
>>
>>

-- 
--------------------------------------------------------------------
  WPI Information Technology will never ask for your password and
you should never give it.  http://www.wpi.edu/+infosec/phishing.html
--------------------------------------------------------------------
Phil Deneault                               Network Security Officer
deneault at wpi.edu                                Information Security
http://www.wpi.edu/~deneault/        Worcester Polytechnic Institute
--------------------------------------------------------------------
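To check what the posted listing actually does, here is an added example that is not part of the thread and not argus code: a minimal interpreter for the ld/ldh/and/jeq/ret subset of classic BPF that appears in the listing above, run over constructed Ethernet frames. It assumes the jt/jf targets are absolute instruction indices (which is how the listing numbers them); the MAC addresses, IP addresses and frame contents are constructed test data, and the function names are my own. The result shows the compiled program returning 0 (reject) for any IPv4, ARP or RARP frame whose source or destination address is inside 192.168.1.0/24, and 96 (accept) otherwise, which is what "not net 192.168.1.0/24" should compile to; the filter expression itself is therefore not where the traffic is leaking through.

```python
import ipaddress
import re
import struct

# The classic-BPF listing exactly as "argus -b" printed it in the message above.
# jt/jf are treated as absolute instruction indices, which is how the listing numbers them.
ARGUS_BPF = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ld       [26]
(003) and      #0xffffff00
(004) jeq      #0xc0a80100      jt 30   jf 5
(005) ldh      [12]
(006) jeq      #0x800           jt 7    jf 10
(007) ld       [30]
(008) and      #0xffffff00
(009) jeq      #0xc0a80100      jt 30   jf 10
(010) ldh      [12]
(011) jeq      #0x806           jt 12   jf 15
(012) ld       [28]
(013) and      #0xffffff00
(014) jeq      #0xc0a80100      jt 30   jf 15
(015) ldh      [12]
(016) jeq      #0x806           jt 17   jf 20
(017) ld       [38]
(018) and      #0xffffff00
(019) jeq      #0xc0a80100      jt 30   jf 20
(020) ldh      [12]
(021) jeq      #0x8035          jt 22   jf 25
(022) ld       [28]
(023) and      #0xffffff00
(024) jeq      #0xc0a80100      jt 30   jf 25
(025) ldh      [12]
(026) jeq      #0x8035          jt 27   jf 31
(027) ld       [38]
(028) and      #0xffffff00
(029) jeq      #0xc0a80100      jt 30   jf 31
(030) ret      #0
(031) ret      #96
"""

def parse_bpf(listing):
    """Parse the ld/ldh/and/jeq/ret subset used above into (op, k, jt, jf) tuples."""
    prog = []
    for line in listing.strip().splitlines():
        idx, op, args = re.match(r"\((\d+)\)\s+(\w+)\s+(.*)", line.strip()).groups()
        assert int(idx) == len(prog), "listing must be contiguous"
        if op in ("ld", "ldh"):                       # absolute load from the frame
            prog.append((op, int(args.strip("[]")), None, None))
        elif op in ("and", "ret"):                    # immediate operand
            prog.append((op, int(args.lstrip("#"), 0), None, None))
        else:                                         # jeq #k jt N jf M
            k, jt, jf = re.match(r"#(\w+)\s+jt\s+(\d+)\s+jf\s+(\d+)", args).groups()
            prog.append((op, int(k, 0), int(jt), int(jf)))
    return prog

def run_bpf(prog, frame):
    """Run the program on one frame; the result is the accepted length, 0 meaning reject."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op in ("ldh", "ld"):
            width = 2 if op == "ldh" else 4
            if k + width > len(frame):                # out-of-bounds load rejects the packet
                return 0
            acc = int.from_bytes(frame[k:k + width], "big")
        elif op == "and":
            acc &= k
        elif op == "jeq":
            pc = jt if acc == k else jf
            continue
        else:                                         # ret
            return k
        pc += 1

# Constructed test data: hypothetical destination and source MAC addresses.
ETH_HDR = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")

def ipv4_frame(src, dst):
    """Ethernet + minimal IPv4 header: src lands at offset 26 and dst at 30, as the program loads them."""
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 6, 0)
    ip += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return ETH_HDR + b"\x08\x00" + ip + b"\x00" * 20

def arp_frame(spa, tpa, ethertype=b"\x08\x06"):
    """Ethernet + ARP (pass ethertype 0x8035 for RARP): sender IP at 28, target IP at 38."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + ETH_HDR[6:] + ipaddress.IPv4Address(spa).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(tpa).packed
    return ETH_HDR + ethertype + arp

def check_filter():
    """Return {case: verdict}; 0 means the frame would be dropped by the posted program."""
    prog = parse_bpf(ARGUS_BPF)
    cases = {
        "ip_src_in_net": ipv4_frame("192.168.1.5", "10.0.0.1"),
        "ip_dst_in_net": ipv4_frame("10.0.0.1", "192.168.1.200"),
        "ip_outside_net": ipv4_frame("192.168.2.1", "10.0.0.2"),
        "arp_sender_in_net": arp_frame("192.168.1.1", "192.168.1.2"),
        "rarp_target_in_net": arp_frame("10.0.0.1", "192.168.1.9", b"\x80\x35"),
        "ipv6_frame": ETH_HDR + b"\x86\xdd" + b"\x00" * 40,
    }
    return {name: run_bpf(prog, frame) for name, frame in cases.items()}
```

Running check_filter() gives 0 for the four in-net cases and 96 for the other two, so the program really does drop exactly the 192.168.1.0/24 traffic; a frame too short for a load (for example a 10-byte truncated one) is also dropped, matching the out-of-bounds behaviour of the real BPF engine. Comparing this listing against what "tcpdump -d 'not net 192.168.1.0/24'" prints on the same host is a quick way to see that it is the ordinary libpcap compilation of that expression.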
