Question about URLs and DNS Queries
Mark Bartlett
mabartle at gmail.com
Thu Oct 22 13:36:55 EDT 2009
Hello all,
I'm trying to 'see' URLs and DNS queries using ARGUS... I am using
the latest version of ARGUS and ARGUS-CLIENTS - Argus Version 3.0.2...
Here is what I get with the DNS Queries:
[root at argus_server argustest]# ra -F /opt/ARGUS/CONF/excel.rarc -r argus.out - port 53
12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]=.............rea
12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]=.............rea
and if I do a capture with TCPDUMP I get this:
[root at argus_server ~]# tcpdump -nni eth0 -s 258 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 258 bytes
13:15:23.482375 IP 192.168.50.138.32768 > 192.168.100.33.53: 57520+
A? reaper.gsirt.com. (34)
13:15:23.483296 IP 192.168.100.33.53 > 192.168.50.138.32768: 57520*
1/1/0 A 192.168.100.33 (64)
So you can see it doesn't look like the suser data is 'right'???
Here are my excel.rarc settings;
RA_FIELD_DELIMITER=','
RA_PRINT_NAMES=none
RA_FIELD_SPECIFIER="srcid saddr daddr proto sport dport suser duser"
My argus.conf file has the following set:
ARGUS_CAPTURE_DATA_LEN=256
So question one: Am I using the 'right' command???
Question two: Is there another 'setting' I need to configure to have
more than 16 spaces in the suser/duser values??
And Carter, I was thinking about going to FloCon10... Any idea what
the registration fee is???
Thanks.
mark
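As an added illustration (not part of the original post and not Argus code), the following Python rebuilds the 34-byte query that the tcpdump output shows (id 57520, A? reaper.gsirt.com), renders its first 16 bytes the way the suser column appears to (printable ASCII kept, everything else as a dot, which is an assumption drawn from the `s[16]=` output above), and parses the DNS question section to show that the 16 captured bytes are exactly the 12-byte DNS header, the length byte 0x06 for the first label, and the three characters "rea". The function and variable names are the example's own.

```python
import struct

# Constructed sample: the query seen in the tcpdump output above
# (transaction id 57520, flags 0x0100 = recursion desired, one question).
def build_query(txid, qname, qtype=1, qclass=1):
    """Build a minimal DNS query message (header + one question) on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

SAMPLE_QUERY = build_query(57520, "reaper.gsirt.com")   # 34 bytes, as tcpdump reported


def render_user_data(data, n=16):
    """Render the first n bytes the way ra's suser/duser column appears to:
    printable ASCII is kept, every other byte becomes '.' (assumed from the output)."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data[:n])


def parse_dns_query(data):
    """Parse the header and first question of a DNS message.
    Raises ValueError if the message is truncated before the question ends."""
    if len(data) < 12:
        raise ValueError("truncated: header needs 12 bytes, got %d" % len(data))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, labels = 12, []
    while True:
        if off >= len(data):
            raise ValueError("truncated inside qname after %r" % ".".join(labels))
        ln = data[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        if off + ln > len(data):
            raise ValueError("truncated inside label after %r" % data[off:])
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    if off + 4 > len(data):
        raise ValueError("truncated before qtype/qclass")
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def recover_qname(data):
    """Best-effort qname from a possibly truncated capture.
    Returns (name_so_far, complete). With 16 bytes this yields ('rea', False)."""
    if len(data) < 12:
        return "", False
    off, labels = 12, []
    while off < len(data):
        ln = data[off]
        off += 1
        if ln == 0:
            return ".".join(labels), True
        chunk = data[off:off + ln]
        labels.append(chunk.decode("ascii", "replace"))
        if len(chunk) < ln:
            return ".".join(labels), False
        off += ln
    return ".".join(labels), False


if __name__ == "__main__":
    print(len(SAMPLE_QUERY), "bytes")
    print("suser-style 16-byte view:", render_user_data(SAMPLE_QUERY))
    print("parsed full query:", parse_dns_query(SAMPLE_QUERY))
    print("recovered from 16 bytes:", recover_qname(SAMPLE_QUERY[:16]))
```

The 16-byte view reproduces the `.............rea` string from the ra output, and `recover_qname` on the same 16 bytes returns only `rea`, while the full 34-byte message parses to `reaper.gsirt.com`. The duser side shows the same prefix because a DNS response repeats the question section right after its header, so the first 16 bytes of the reply are the same header layout followed by `\x06rea`.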