argus and filtering
Phillip Deneault
deneault at WPI.EDU
Mon Oct 5 11:47:52 EDT 2009
Ah ha! Checking my rule against TCPdump was one obvious thing I hadn't
tried. When I did I discovered a vlan issue. So I have to include the
vlan tag on that interface, so my rule works correctly if I use the
following:
vlan <num> and not net 192.168.1.0
Sorry for the confusion. I'm not using a physical configuration I use
on many of my other argus boxen.
Thanks,
Phil
Carter Bullard wrote:
> Hey Phillip,
> Sorry, I was confused, I thought you were referring to client code
> and rarc files. The filter used by argus to filter packets is a
> libpcap() filter,
> and should be equivalent to the filter you would normally supply on the
> command line. I believe that the libpcap equivalent filter should be:
>
> "not net 192.168.1" ?????
>
> If you put the filter on the argus command line do you get the same
> behavior?
> How does tcpdump() deal with the filter?
>
> Carter
>
>
> On Oct 5, 2009, at 10:56 AM, Phillip Deneault wrote:
>
>> This is what the -b option is spitting out, which looks like it's
>> processing the line correctly (to my untrained eye). But the traffic is
>> not actually filtered in the output.
>>
>> # argus -b -F /etc/argus.conf.test -i eth1
>> (000) ldh [12]
>> (001) jeq #0x800 jt 2 jf 5
>> (002) ld [26]
>> (003) and #0xffffff00
>> (004) jeq #0xc0a80100 jt 30 jf 5
>> (005) ldh [12]
>> (006) jeq #0x800 jt 7 jf 10
>> (007) ld [30]
>> (008) and #0xffffff00
>> (009) jeq #0xc0a80100 jt 30 jf 10
>> (010) ldh [12]
>> (011) jeq #0x806 jt 12 jf 15
>> (012) ld [28]
>> (013) and #0xffffff00
>> (014) jeq #0xc0a80100 jt 30 jf 15
>> (015) ldh [12]
>> (016) jeq #0x806 jt 17 jf 20
>> (017) ld [38]
>> (018) and #0xffffff00
>> (019) jeq #0xc0a80100 jt 30 jf 20
>> (020) ldh [12]
>> (021) jeq #0x8035 jt 22 jf 25
>> (022) ld [28]
>> (023) and #0xffffff00
>> (024) jeq #0xc0a80100 jt 30 jf 25
>> (025) ldh [12]
>> (026) jeq #0x8035 jt 27 jf 31
>> (027) ld [38]
>> (028) and #0xffffff00
>> (029) jeq #0xc0a80100 jt 30 jf 31
>> (030) ret #0
>> (031) ret #96
>>
>> Thanks,
>> Phil
>>
>> Phillip Deneault wrote:
>>> Just to be clear, I'm attempting to put the filter in my argus.conf file
>>> to ignore certain traffic and the documentation has it as
>>> "ARGUS_FILTER". Nevertheless, I tried it, and neither of the options
>>> RA_FILTER or ARGUS_FILTER work.
>>>
>>> I ran strace on argus trying each command separately and it appears more
>>> processing is performed with ARGUS_FILTER.
>>>
>>> My goal here is to filter on a set of IPs that I do not wish to record,
>>> but I don't want to filter at the network interface because I wish other
>>> tools listening on that port to process that traffic instead.
>>>
>>> Thanks,
>>> Phil
>>>
>>> Carter Bullard wrote:
>>>> Hey Phillip,
>>>> The configuration variable is "RA_FILTER" not "ARGUS_FILTER". I tested
>>>> this and it should work, but if this doesn't, send mail!!!!
>>>>
>>>> Carter
>>>>
>>>>
>>>> On Oct 2, 2009, at 4:39 PM, Phillip Deneault wrote:
>>>>
>>>>> I'm attempting to filter using the 3.0.2 code of the argus daemon
>>>>> available here:
>>>>> ftp://www.qosient.com/dev/argus-3.0/argus-3.0.2.tar.gz
>>>>>
>>>>> And I've been trying to set the ARGUS_FILTER using the following two
>>>>> lines of a config file.
>>>>>
>>>>> ARGUS_FILTER="not net 192.168.1.0/24"
>>>>> ARGUS_ACCESS_PORT=561
>>>>>
>>>>> I then use this command line to run the ra tool.
>>>>>
>>>>> argus -X -F /etc/argus.conf.test
>>>>>
>>>>> But I'm still getting data to and from 192.168.1.0/24. Can anyone
>>>>> else confirm this is a bug they have? I'm running Centos 5.3.
>>>>>
>>>>> Thanks,
>>>>> Phil
>>>>>
>>>> Carter Bullard
>>>> CEO/President
>>>> QoSient, LLC
>>>> 150 E 57th Street Suite 12D
>>>> New York, New York 10022
>>>>
>>>> +1 212 588-9133 Phone
>>>> +1 212 588-9134 Fax
>>>>
>>>>
>>>>
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
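The thread's diagnosis can be checked offline. The following is an added example, not code from the thread or from argus: a small interpreter for the instruction subset that appears in the "argus -b" dump (ldh, ld, and, jeq, ret) is run over constructed Ethernet/IPv4 frames, once against the dump quoted above for "not net 192.168.1.0/24" and once against a hand-written program standing in for "vlan 100 and not net 192.168.1.0/24" (IPv4 only; the VLAN id 100 and the frame contents are assumptions, and the second program is my own, not compiler output). The first program checks the ethertype at offset 12 and, when it finds 0x8100 instead of 0x800, falls through to the accepting "ret #96", which is exactly why tagged 192.168.1.x traffic kept showing up; the vlan-aware version looks past the 4-byte tag.

```python
import socket
import struct

# "argus -b" output copied from the thread: the compiled "not net 192.168.1.0/24".
NOT_NET = """
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ld [26]
(003) and #0xffffff00
(004) jeq #0xc0a80100 jt 30 jf 5
(005) ldh [12]
(006) jeq #0x800 jt 7 jf 10
(007) ld [30]
(008) and #0xffffff00
(009) jeq #0xc0a80100 jt 30 jf 10
(010) ldh [12]
(011) jeq #0x806 jt 12 jf 15
(012) ld [28]
(013) and #0xffffff00
(014) jeq #0xc0a80100 jt 30 jf 15
(015) ldh [12]
(016) jeq #0x806 jt 17 jf 20
(017) ld [38]
(018) and #0xffffff00
(019) jeq #0xc0a80100 jt 30 jf 20
(020) ldh [12]
(021) jeq #0x8035 jt 22 jf 25
(022) ld [28]
(023) and #0xffffff00
(024) jeq #0xc0a80100 jt 30 jf 25
(025) ldh [12]
(026) jeq #0x8035 jt 27 jf 31
(027) ld [38]
(028) and #0xffffff00
(029) jeq #0xc0a80100 jt 30 jf 31
(030) ret #0
(031) ret #96
"""

# Hand-written (not compiler output) stand-in for "vlan 100 and not net
# 192.168.1.0/24", IPv4 only; VLAN id 100 is an assumed value.
VLAN_NOT_NET = """
(000) ldh [12]
(001) jeq #0x8100 jt 2 jf 14
(002) ldh [14]
(003) and #0xfff
(004) jeq #0x64 jt 5 jf 14
(005) ldh [16]
(006) jeq #0x800 jt 7 jf 13
(007) ld [30]
(008) and #0xffffff00
(009) jeq #0xc0a80100 jt 14 jf 10
(010) ld [34]
(011) and #0xffffff00
(012) jeq #0xc0a80100 jt 14 jf 13
(013) ret #96
(014) ret #0
"""

def parse_bpf(text):
    """Dump text -> list of (op, operand, jt, jf); handles ld/ldh/and/jeq/ret only."""
    prog = []
    for line in text.strip().splitlines():
        p = line.split()                # e.g. ["(004)", "jeq", "#0xc0a80100", "jt", "30", "jf", "5"]
        val = int(p[2].strip("[]#"), 0) # "[12]" -> 12, "#0xc0a80100" -> 0xc0a80100
        jt, jf = (int(p[4]), int(p[6])) if len(p) > 3 else (None, None)
        prog.append((p[1], val, jt, jf))
    return prog

def run_bpf(prog, pkt):
    """Execute prog over pkt the way the kernel filter does: 0 = reject, >0 = accept."""
    acc, pc = 0, 0
    while True:
        op, val, jt, jf = prog[pc]
        if op in ("ld", "ldh"):
            width = 4 if op == "ld" else 2
            if val + width > len(pkt):
                return 0                # an out-of-bounds load rejects the packet
            acc = int.from_bytes(pkt[val:val + width], "big")
        elif op == "and":
            acc &= val
        elif op == "jeq":
            pc = jt if acc == val else jf
            continue
        elif op == "ret":
            return val
        pc += 1

def ipv4_frame(src, dst, vlan=None):
    """Constructed Ethernet/IPv4 header (no payload); vlan=<id> inserts an 802.1Q tag."""
    eth = bytes.fromhex("001122334455" "66778899aabb")      # assumed dst/src MACs
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0xFFF)     # the tag pushes IP down 4 bytes
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip
```

Calling `run_bpf(parse_bpf(NOT_NET), ipv4_frame("192.168.1.10", "10.0.0.1", vlan=100))` returns 96 (the frame is accepted despite the filter), while the same frame against `VLAN_NOT_NET` returns 0. Note that a filter starting with `vlan` only matches tagged frames, so untagged traffic on the same interface is dropped by it, which is what you want if everything arriving on that port is tagged and a surprise otherwise.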
More information about the argus
mailing list