Question about URL's and DNS Queries

Carter Bullard carter at qosient.com
Thu Oct 22 13:45:56 EDT 2009


Hey Mark,
Try using radump().  It will decode the user data buffer according to
a set of rules, and print out tcpdump()-like output for the contents.
You will need to tell it how much of the user data buffer you want it
to decode, and that is specified using the "-s suser:128" option to
specify the size.

So:
    radump -r argus.out -s +suser:128 +duser:128 - port 53

Or something like that.

Carter

On Oct 22, 2009, at 1:36 PM, Mark Bartlett wrote:

> Hello all,
>
> I'm trying to 'see' URLs and DNS queries using ARGUS...  I am using
> the latest version of ARGUS and ARGUS-CLIENTS - Argus Version 3.0.2...
>
> Here is what I get with the DNS Queries:
>
> [root at argus_server argustest]# ra -F /opt/ARGUS/CONF/excel.rarc -r argus.out - port 53
> 12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]=.............rea
> 12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]=.............rea
>
> and if I do a capture with TCPDUMP I get this:
>
> [root at argus_server ~]# tcpdump -nni eth0 -s 258 port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 258 bytes
> 13:15:23.482375 IP 192.168.50.138.32768 > 192.168.100.33.53:  57520+ A? reaper.gsirt.com. (34)
> 13:15:23.483296 IP 192.168.100.33.53 > 192.168.50.138.32768:  57520* 1/1/0 A 192.168.100.33 (64)
>
> So you can see it doesn't look like the suser data is 'right'???
>
> Here are my excel.rarc settings:
>
> RA_FIELD_DELIMITER=','
> RA_PRINT_NAMES=none
> RA_FIELD_SPECIFIER="srcid saddr daddr proto sport dport suser duser"
>
>
> My argus.conf file has the following set:
>
> ARGUS_CAPTURE_DATA_LEN=256
>
> So question one:  Am I using the 'right' command???
>
> Question two:  Is there another 'setting' I need to configure to have
> more than 16 spaces in the suser/duser values??
>
> And Carter, I was thinking about going to FloCon10... Any idea what
> the registration fee is???
>
> Thanks.
>
> mark
>
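The 16-byte suser/duser values in Mark's output are not wrong, just short: a DNS query starts with a 12-byte header, then a length byte for the first label, so the first 16 bytes of a query for reaper.gsirt.com are thirteen non-printable bytes followed by "rea", which is exactly what ra printed. The following Python is an added example, not code from the Argus project or from this thread. It constructs the 34-byte query tcpdump reported (transaction id 57520, recursion desired as the "+" marker indicates, one A question), parses it back, and renders the first N bytes the way ra's user-data field shows them. The flags value 0x0100 and the dot-for-non-printable rendering are assumptions made for the example.

```python
"""Added example (not from the Argus list thread): DNS query wire format and
why a 16-byte user-data buffer shows only ".............rea".

The query bytes are constructed here to match the tcpdump line in the thread:
id 57520, recursion desired ("57520+"), one question for reaper.gsirt.com,
type A, class IN, 34 bytes on the wire. The flags word 0x0100 is an assumption
derived from the "+" (RD) marker tcpdump printed."""
import struct


def build_query(txid: int, name: str, qtype: int = 1, qclass: int = 1, rd: bool = True) -> bytes:
    """Build a minimal DNS query: 12-byte header followed by one question."""
    flags = 0x0100 if rd else 0x0000            # RD bit only; QR=0 marks a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, rest 0
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"                                 # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_query(msg: bytes) -> dict:
    """Parse the header and first question of a DNS message.

    Handles the plain label form only; compression pointers (0xC0 prefix)
    appear in answers, not in a simple query, and are rejected here."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name not supported")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if off + 4 > len(msg):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
        "length": len(msg),
    }


def render_user_data(buf: bytes, limit: int) -> str:
    """Show the first `limit` bytes roughly as ra prints suser/duser:
    printable ASCII as-is, anything else as '.' (rendering rule assumed)."""
    return "".join(chr(b) if 0x21 <= b < 0x7F else "." for b in buf[:limit])


def bytes_needed_for_name(name: str) -> int:
    """Smallest user-data capture that still contains the whole QNAME."""
    return 12 + sum(len(label) + 1 for label in name.rstrip(".").split(".")) + 1


if __name__ == "__main__":
    q = build_query(57520, "reaper.gsirt.com")
    print(len(q), "bytes on the wire")
    print("s[16]=" + render_user_data(q, 16))    # what ra showed with 16 bytes
    print("s[128]=" + render_user_data(q, 128))  # the full query name is visible
    print(parse_query(q))
    print("QNAME fully captured with", bytes_needed_for_name("reaper.gsirt.com"), "bytes")
```

With 16 bytes the query name is lost after its first three characters; asking radump (or ra) for 128 bytes of user data, as Carter suggests, covers this 34-byte query in full, and bytes_needed_for_name() gives the minimum for any name you expect to see.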
