Using ra commands to filter on the relationship between sent and received bytes

Carter Bullard carter at qosient.com
Mon Apr 19 18:38:43 EDT 2010


Hey Kevin,
This was suggested a while ago, and it dropped off my list of things to do.
The basic compiler support is there, fetch, compare, load etc....  but right now
we're doing immediate compares, so let me play with it tonight, to see
how quickly I can add it.

This is #2 behind Pablo's loopback loss metric bug.

Carter


On Apr 19, 2010, at 5:57 PM, The Branches wrote:

> Hi,
> 
> Is there any way to compare one flow record attribute to another flow record attribute with the ra tools?  When doing network forensics, sometimes I want to find sessions in which the sender transmitted more bytes than the receiver did, crudely looking for signs of data exfiltration from known-compromised inside hosts.  I have tried syntax like this to no avail.
> 
> ra -r argus.file - "host infected-internal-host and src bytes gt dst bytes"
> 
> It appears that the value to the right of the comparison operator has to be a fixed value rather than another attribute name, but just in case there is some other way to do this, I thought I'd ask.
> 
> Kevin Branch
> 
