Getting the data I want

carter at qosient.com carter at qosient.com
Wed Aug 18 20:29:50 EDT 2010


Hey Paul,
Didn't see that you wanted start time.  This should do it.

   rasort -m bytes saddr daddr -s stime bytes saddr daddr -r file - net (1.1.1.0/24 and 2.2.2.0/24)

If you want the whole day, then your "-R daily.dir" is a good way to do it.

Carter 

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: carter at qosient.com
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
Date: Thu, 19 Aug 2010 00:15:13 
To: Paul Schmehl<pschmehl_lists at tx.rr.com>; Argus<argus-info at lists.andrew.cmu.edu>
Reply-To: carter at qosient.com
Subject: Re: [ARGUS] Getting the data I want

Hey Paul,
Sorry for the delayed response.
You can use just rasort().  

   rasort -m bytes saddr daddr -s bytes saddr daddr -r file - net (1.1.1.0/24 and 2.2.2.0/24)

If you want traffic between these two networks, use "and".


If you have any problems, send more email.


Carter 


Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Paul Schmehl <pschmehl_lists at tx.rr.com>
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
Date: Tue, 17 Aug 2010 10:23:45 
To: <argus-info at lists.andrew.cmu.edu>
Reply-To: Paul Schmehl <pschmehl_lists at tx.rr.com>
Subject: [ARGUS] Getting the data I want

I want to get the following from a day's worth of argus data.  We store "raw" 
argus files in 4 hour increments, gzipped, which is around 10GB per day right 
now.  I want to get the following data from these files:

search the entire day for anything related to connections to two specific networks 
and sort it by total bytes, then saddr, then daddr.

Is this possible?

Right now I'm trying this (obfuscated for privacy):

   ra -s stime -s bytes -s saddr -s daddr -R /var/data/nsm/argus/2010-08-16/ - net 1.1.1.0/24 or net 2.2.2.0/24 | rasort -m bytes saddr daddr > /tmp/0816_allnets_sorted.txt

Is this going to get me what I want?  I don't want packet data, just header 
information that shows me total bytes per host connecting to any one of a 
number of hosts on two different foreign networks.  (Foreign == not ours.)

I'd like to see the following:

Start time | Total bytes (highest to lowest) | Saddr | Daddr

I'm still trying to get a clue about argus, as you can see.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
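The thread turns on two points: the difference between filtering with "net A or net B" (flows touching either network) and "net A and net B" (flows between the two), and ordering the result by total bytes, then saddr, then daddr, printed as stime / bytes / saddr / daddr. The following script is an added illustration of that selection and ordering on constructed flow records; it is not part of argus, is not rasort's own code, and does not read argus files. Bytes are ordered highest first because that is the output Paul asked for, which is an assumption of this example rather than a claim about rasort's default sort direction. The sample records, the 10.0.0.0/8 "ours" network, and the function names are all made up for the example.

```python
"""Emulate the flow selection and ordering discussed in the thread.

Added example, not code from the argus project or from either poster.
Shows (1) 'net A or net B' versus 'net A and net B' selection and
(2) ordering by total bytes (highest first), then saddr, then daddr.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    stime: str
    saddr: str
    daddr: str
    total_bytes: int


# Constructed sample records (not real argus output). The foreign networks
# mirror the obfuscated ones in the thread; 10.0.0.0/8 stands in for "ours".
SAMPLE_FLOWS = [
    Flow("2010-08-16 00:01:02", "10.0.5.7", "1.1.1.20", 48000),
    Flow("2010-08-16 00:02:10", "10.0.5.7", "2.2.2.9", 48000),
    Flow("2010-08-16 00:03:55", "10.0.9.1", "1.1.1.20", 1200),
    Flow("2010-08-16 00:05:00", "1.1.1.4", "2.2.2.9", 9000),      # between the two foreign nets
    Flow("2010-08-16 00:06:30", "10.0.1.1", "10.0.1.2", 500000),  # internal only; never selected
    Flow("2010-08-16 00:07:00", "2.2.2.40", "10.0.5.7", 48000),
]

NET_A = ipaddress.ip_network("1.1.1.0/24")
NET_B = ipaddress.ip_network("2.2.2.0/24")


def touches(flow, net):
    """True when either endpoint of the flow lies inside net,
    which is what a 'net X' filter term means (saddr or daddr)."""
    return (ipaddress.ip_address(flow.saddr) in net
            or ipaddress.ip_address(flow.daddr) in net)


def select(flows, mode):
    """mode 'or': flows involving either network (the original 'net A or net B').
    mode 'and': flows involving both networks, i.e. traffic between them."""
    if mode == "or":
        return [f for f in flows if touches(f, NET_A) or touches(f, NET_B)]
    if mode == "and":
        return [f for f in flows if touches(f, NET_A) and touches(f, NET_B)]
    raise ValueError(f"unknown mode: {mode}")


def sort_like_rasort(flows):
    """Order by total bytes descending, then saddr, then daddr.
    Addresses are compared numerically, not as strings."""
    return sorted(
        flows,
        key=lambda f: (-f.total_bytes,
                       ipaddress.ip_address(f.saddr),
                       ipaddress.ip_address(f.daddr)),
    )


def render(flows):
    """Return the four columns requested: stime | bytes | saddr | daddr."""
    return "\n".join(
        f"{f.stime}  {f.total_bytes:>8}  {f.saddr:<15}  {f.daddr:<15}" for f in flows
    )


if __name__ == "__main__":
    for mode in ("or", "and"):
        print(f"--- net 1.1.1.0/24 {mode} net 2.2.2.0/24 ---")
        print(render(sort_like_rasort(select(SAMPLE_FLOWS, mode))))
```

With the "or" filter the output lists every flow that touches either foreign network, hosts with equal byte totals ordered by address; with "and" only the single flow between 1.1.1.0/24 and 2.2.2.0/24 survives, which is the distinction Carter draws.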



