argus and filtering

Carter Bullard carter at qosient.com
Mon Oct 5 11:30:31 EDT 2009


Hey Phillip,
Sorry, I was confused, I thought you were referring to client code
and rarc files.  The filter used by argus to filter packets is a
libpcap() filter, and should be equivalent to the filter you would
normally supply on the command line.  I believe that the libpcap
equivalent filter should be:

    "not net 192.168.1"     ?????

If you put the filter on the argus command line do you get the same
behavior?
How does tcpdump() deal with the filter?

Carter


On Oct 5, 2009, at 10:56 AM, Phillip Deneault wrote:

> This is what the -b option is spitting out, which looks like it's
> processing the line correctly (to my untrained eye).  But the
> traffic is not actually filtered in the output.
>
> # argus -b -F /etc/argus.conf.test -i eth1
> (000) ldh      [12]
> (001) jeq      #0x800           jt 2	jf 5
> (002) ld       [26]
> (003) and      #0xffffff00
> (004) jeq      #0xc0a80100      jt 30	jf 5
> (005) ldh      [12]
> (006) jeq      #0x800           jt 7	jf 10
> (007) ld       [30]
> (008) and      #0xffffff00
> (009) jeq      #0xc0a80100      jt 30	jf 10
> (010) ldh      [12]
> (011) jeq      #0x806           jt 12	jf 15
> (012) ld       [28]
> (013) and      #0xffffff00
> (014) jeq      #0xc0a80100      jt 30	jf 15
> (015) ldh      [12]
> (016) jeq      #0x806           jt 17	jf 20
> (017) ld       [38]
> (018) and      #0xffffff00
> (019) jeq      #0xc0a80100      jt 30	jf 20
> (020) ldh      [12]
> (021) jeq      #0x8035          jt 22	jf 25
> (022) ld       [28]
> (023) and      #0xffffff00
> (024) jeq      #0xc0a80100      jt 30	jf 25
> (025) ldh      [12]
> (026) jeq      #0x8035          jt 27	jf 31
> (027) ld       [38]
> (028) and      #0xffffff00
> (029) jeq      #0xc0a80100      jt 30	jf 31
> (030) ret      #0
> (031) ret      #96
>
> Thanks,
> Phil
>
> Phillip Deneault wrote:
>> Just to be clear, I'm attempting to put the filter in my argus.conf
>> file to ignore certain traffic and the documentation has it as
>> "ARGUS_FILTER".  Nevertheless, I tried it, and neither of the options
>> RA_FILTER or ARGUS_FILTER work.
>>
>> I ran strace on argus trying each command separately and it appears
>> more processing is performed with ARGUS_FILTER.
>>
>> My goal here is to filter on a set of IPs that I do not wish to record,
>> but don't want to filter at the network interface because I wish
>> other tools listening on that port to process that traffic instead.
>>
>> Thanks,
>> Phil
>>
>> Carter Bullard wrote:
>>> Hey Phillip,
>>> The configuration variable is "RA_FILTER" not "ARGUS_FILTER".  I
>>> tested this and it should work, but if this doesn't, send mail!!!!
>>>
>>> Carter
>>>
>>>
>>> On Oct 2, 2009, at 4:39 PM, Phillip Deneault wrote:
>>>
>>>> I'm attempting to filter using the 3.0.2 code of the argus daemon
>>>> available here:
>>>> ftp://www.qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz
>>>>
>>>> And I've been trying to set the ARGUS_FILTER using the following
>>>> two lines of a config file.
>>>>
>>>> ARGUS_FILTER="not net 192.168.1.0/24"
>>>> ARGUS_ACCESS_PORT=561
>>>>
>>>> I then use this command line to run the ra tool.
>>>>
>>>> argus -X -F /etc/argus.conf.test
>>>>
>>>> But I'm still getting data to and from 192.168.1.0/24.  Can
>>>> anyone else confirm this is a bug they have?  I'm running CentOS 5.3.
>>>>
>>>> Thanks,
>>>> Phil
>>>>
>>> Carter Bullard
>>> CEO/President
>>> QoSient, LLC
>>> 150 E 57th Street Suite 12D
>>> New York, New York  10022
>>>
>>> +1 212 588-9133 Phone
>>> +1 212 588-9134 Fax
>>>
>>>
>>>
>
> -- 
> --------------------------------------------------------------------
>  WPI Information Technology will never ask for your password and
> you should never give it.  http://www.wpi.edu/+infosec/phishing.html
> --------------------------------------------------------------------
> Phil Deneault                               Network Security Officer
> deneault at wpi.edu                                Information Security
> http://www.wpi.edu/~deneault/        Worcester Polytechnic Institute
> --------------------------------------------------------------------
>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
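As an added example (not code from the thread or from argus), the Python below interprets the classic-BPF listing Phil pasted above, restricted to the ldh/ld/and/jeq/ret opcodes it uses, and runs it over constructed Ethernet/IPv4 and ARP frames to show that the compiled program returns 0 (drop) for any packet whose IPv4 or ARP address lies in 192.168.1.0/24 and 96 otherwise, i.e. it really is "not net 192.168.1.0/24". The frame builders and the field offsets they rely on are my own assumptions about the Ethernet, IPv4 and ARP layouts, not anything argus exposes.

```python
import socket, struct

# The 32 instructions exactly as `argus -b` printed them above, five per line.
PROGRAM_TEXT = """
ldh 12; jeq 0x800 2 5; ld 26; and 0xffffff00; jeq 0xc0a80100 30 5
ldh 12; jeq 0x800 7 10; ld 30; and 0xffffff00; jeq 0xc0a80100 30 10
ldh 12; jeq 0x806 12 15; ld 28; and 0xffffff00; jeq 0xc0a80100 30 15
ldh 12; jeq 0x806 17 20; ld 38; and 0xffffff00; jeq 0xc0a80100 30 20
ldh 12; jeq 0x8035 22 25; ld 28; and 0xffffff00; jeq 0xc0a80100 30 25
ldh 12; jeq 0x8035 27 31; ld 38; and 0xffffff00; jeq 0xc0a80100 30 31
ret 0; ret 96
"""

def parse_program(text):
    """Turn the listing into (op, k, jt, jf) tuples; jt/jf are 0 for non-jumps."""
    prog = []
    for stmt in text.replace("\n", ";").split(";"):
        parts = stmt.split()
        if parts:
            jumps = (int(parts[2]), int(parts[3])) if parts[0] == "jeq" else (0, 0)
            prog.append((parts[0], int(parts[1], 0)) + jumps)
    return prog

def run_bpf(prog, pkt):
    """Interpret the classic-BPF subset used above and return the ret value."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op in ("ldh", "ld"):      # big-endian halfword / word at offset k
            fmt, size = ("!H", 2) if op == "ldh" else ("!I", 4)
            if k + size > len(pkt):  # a load past the end rejects the packet
                return 0
            acc = struct.unpack_from(fmt, pkt, k)[0]
        elif op == "and":
            acc &= k
        elif op == "jeq":            # jt/jf are absolute instruction indices
            pc = jt if acc == k else jf
            continue
        elif op == "ret":            # snaplen to keep; 0 drops the packet
            return k
        pc += 1

PROGRAM = parse_program(PROGRAM_TEXT)

def frame(ethertype, payload):  # constructed Ethernet frame with zeroed MACs
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload
def ipv4(src, dst):  # assumed layout: IPv4 src/dst land at frame offsets 26 and 30
    return frame(0x800, b"\x45" + b"\x00" * 11 + socket.inet_aton(src) + socket.inet_aton(dst))
def arp(sender, target):  # assumed layout: sender/target IPs at frame offsets 28 and 38
    return frame(0x806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 6
                 + socket.inet_aton(sender) + b"\x00" * 6 + socket.inet_aton(target))
```

Because the compiled program itself rejects the 192.168.1.0/24 traffic, Carter's suggestion to repeat the test with the filter on the argus command line isolates whether argus actually installs the program it compiled.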




