argus and filtering
Carter Bullard
carter at qosient.com
Mon Oct 5 11:30:31 EDT 2009
Hey Phillip,
Sorry, I was confused, I thought you were referring to client code
and rarc files. The filter used by argus to filter packets is a
libpcap() filter, and should be equivalent to the filter you would
normally supply on the command line. I believe that the libpcap
equivalent filter should be:
"not net 192.168.1" ?????
If you put the filter on the argus command line do you get the same
behavior?
How does tcpdump() deal with the filter?
Carter
On Oct 5, 2009, at 10:56 AM, Phillip Deneault wrote:
> This is what the -b option is spitting out, which looks like it's
> processing the line correctly (to my untrained eye). But the
> traffic is not actually filtered in the output.
>
> # argus -b -F /etc/argus.conf.test -i eth1
> (000) ldh [12]
> (001) jeq #0x800 jt 2 jf 5
> (002) ld [26]
> (003) and #0xffffff00
> (004) jeq #0xc0a80100 jt 30 jf 5
> (005) ldh [12]
> (006) jeq #0x800 jt 7 jf 10
> (007) ld [30]
> (008) and #0xffffff00
> (009) jeq #0xc0a80100 jt 30 jf 10
> (010) ldh [12]
> (011) jeq #0x806 jt 12 jf 15
> (012) ld [28]
> (013) and #0xffffff00
> (014) jeq #0xc0a80100 jt 30 jf 15
> (015) ldh [12]
> (016) jeq #0x806 jt 17 jf 20
> (017) ld [38]
> (018) and #0xffffff00
> (019) jeq #0xc0a80100 jt 30 jf 20
> (020) ldh [12]
> (021) jeq #0x8035 jt 22 jf 25
> (022) ld [28]
> (023) and #0xffffff00
> (024) jeq #0xc0a80100 jt 30 jf 25
> (025) ldh [12]
> (026) jeq #0x8035 jt 27 jf 31
> (027) ld [38]
> (028) and #0xffffff00
> (029) jeq #0xc0a80100 jt 30 jf 31
> (030) ret #0
> (031) ret #96
>
> Thanks,
> Phil
>
> Phillip Deneault wrote:
>> Just to be clear, I'm attempting to put the filter in my argus.conf
>> file to ignore certain traffic and the documentation has it as
>> "ARGUS_FILTER". Nevertheless, I tried it, and neither of the options
>> RA_FILTER or ARGUS_FILTER work.
>>
>> I ran strace on argus trying each command separately and it appears
>> more processing is performed with ARGUS_FILTER.
>>
>> My goal here is to filter on a set of IPs that I do not wish to record,
>> but don't want to filter at the network interface because I wish
>> other tools listening on that port to process that traffic instead.
>>
>> Thanks,
>> Phil
>>
>> Carter Bullard wrote:
>>> Hey Phillip,
>>> The configuration variable is "RA_FILTER" not "ARGUS_FILTER". I
>>> tested this and it should work, but if this doesn't, send mail!!!!
>>>
>>> Carter
>>>
>>>
>>> On Oct 2, 2009, at 4:39 PM, Phillip Deneault wrote:
>>>
>>>> I'm attempting to filter using the 3.0.2 code of the argus daemon
>>>> available here:
>>>> ftp://www.qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz
>>>>
>>>> And I've been trying to set the ARGUS_FILTER using the following
>>>> two lines of a config file.
>>>>
>>>> ARGUS_FILTER="not net 192.168.1.0/24"
>>>> ARGUS_ACCESS_PORT=561
>>>>
>>>> I then use this command line to run the ra tool.
>>>>
>>>> argus -X -F /etc/argus.conf.test
>>>>
>>>> But I'm still getting data to and from 192.168.1.0/24. Can
>>>> anyone else confirm this is a bug they have? I'm running Centos 5.3.
>>>>
>>>> Thanks,
>>>> Phil
>>>>
>>> Carter Bullard
>>> CEO/President
>>> QoSient, LLC
>>> 150 E 57th Street Suite 12D
>>> New York, New York 10022
>>>
>>> +1 212 588-9133 Phone
>>> +1 212 588-9134 Fax
>>>
>>>
>>>
>
> --
> Phil Deneault Network Security Officer
> deneault at wpi.edu Information Security
> http://www.wpi.edu/~deneault/ Worcester Polytechnic Institute
> --------------------------------------------------------------------
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
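As an added illustration (not part of the thread and not argus or libpcap code): a tiny BPF interpreter that runs the IPv4 portion of the "argus -b" listing quoted above over constructed Ethernet/IPv4 frames. It shows that the compiled program does reject 192.168.1.0/24 as either source or destination, which is what "looks like it's processing the line correctly" means in practice; the ARP and RARP branches of the listing are omitted and the jump targets renumbered to match.

```python
import struct
# Constructed: the IPv4 branches of the "argus -b" disassembly of
# "not net 192.168.1.0/24"; ARP/RARP checks dropped, targets renumbered.
BPF_TEXT = """
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ld [26]
(003) and #0xffffff00
(004) jeq #0xc0a80100 jt 10 jf 5
(005) ldh [12]
(006) jeq #0x800 jt 7 jf 11
(007) ld [30]
(008) and #0xffffff00
(009) jeq #0xc0a80100 jt 10 jf 11
(010) ret #0
(011) ret #96
"""
def parse(text):
    """Turn the libpcap-style listing into (op, k, jt, jf) tuples."""
    prog = []
    for line in text.strip().splitlines():
        p = line.split()
        op, k = p[1], int(p[2].strip("[]#"), 0)   # offsets, masks, ret values
        jt, jf = (int(p[4]), int(p[6])) if op == "jeq" else (None, None)
        prog.append((op, k, jt, jf))
    return prog
def run(prog, pkt):
    """Interpret the opcodes the listing uses; returns snaplen, 0 = rejected."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op in ("ldh", "ld"):           # load 16- or 32-bit big-endian word
            acc = struct.unpack_from("!H" if op == "ldh" else "!I", pkt, k)[0]
        elif op == "and":
            acc &= k
        elif op == "jeq":
            pc = jt if acc == k else jf
            continue
        elif op == "ret":
            return k
        pc += 1
def ipv4_frame(src, dst):
    """Constructed Ethernet + bare IPv4 header; src sits at offset 26, dst at 30."""
    eth = bytes(12) + b"\x08\x00"                       # zero MACs, ethertype IPv4
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])  # IHL=5, TTL 64, TCP
    return eth + ip + bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
def accepted(src, dst):
    """True if the compiled filter keeps a packet from src to dst."""
    return run(parse(BPF_TEXT), ipv4_frame(src, dst)) != 0
```

Running `accepted("192.168.1.5", "8.8.8.8")` returns False while `accepted("10.0.0.1", "8.8.8.8")` returns True, so the compiled filter itself behaves as intended.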