Getting the data I want

Paul Schmehl pschmehl_lists at tx.rr.com
Thu Aug 19 10:40:45 EDT 2010 

I'm using this now, and it's getting me the information that I was looking for:

# ra -s stime bytes saddr daddr -R /var/data/nsm/argus/2010-08-17/ -w -  "net 
1.1.1.0/25" | racluster -m matrix -w - | rasort -m bytes -s stime bytes saddr 
daddr > /tmp/0817_allnets_sorted.txt

Looks like the ra part is unnecessary?

This is giving me a sorted list of source IPs with bytes, but sometimes a 
source IP is duplicated.  I'm assuming because that's from two different 
sessions?

--On Thursday, August 19, 2010 01:14:31 +0000 carter at qosient.com wrote:

> Hey Paul,
> In order to get totals per host for the entire day, you will need to
> aggregate the data using the tool racluster().
>
> There are two ways to do host totals, one preserves the notion of source and
> destination, the other does not.
>
> To keep the notion of direction:
>
>    racluster -R dir -m saddr daddr -w - - net 1.1.1.0/24 and net 2.2.2.0/24 |
> rasort -m bytes saddr daddr -s stime bytes saddr daddr
>
> To ignore direction, you use the matrix option to racluster():
>
>    racluster -R dir -m matrix -w - - net 1.1.1.0/24 and net 2.2.2.0/24 |
> rasort -m bytes saddr daddr -s stime bytes saddr daddr
>
> Give both a try and if you have problems, send email.
> Carter
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Paul Schmehl <pschmehl_lists at tx.rr.com>
> Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
> Date: Tue, 17 Aug 2010 10:23:45
> To: <argus-info at lists.andrew.cmu.edu>
> Reply-To: Paul Schmehl <pschmehl_lists at tx.rr.com>
> Subject: [ARGUS] Getting the data I want
>
> I want to get the following from a day's worth of argus data.  We store "raw"
> argus files in 4 hour increments, gzipped, which is around 10GB per day right
> now.  I want to get the following data from these files:
>
> search the entire day for anything related to connections two specific
> networks  and sort it by total bytes, then saddr, then daddr.
>
> Is this possible?
>
> Right now I'm trying this (obfuscated for privacy):
>
> ra -s stime -s bytes -s saddr -s daddr -R /var/data/nsm/argus/2010-08-16/ -
> net  1.1.1.0/24 or net 2.2.2.0/24 | rasort -m bytes saddr daddr >
> /tmp/0816_allnets_sorted.txt
>
> Is this going to get me what I want?  I don't want packet data, just header
> information that shows me total bytes per host connecting to any one of a
> number of hosts on two different foreign networks.  (Foreign == not ours.)
>
> I'd like to see the following:
>
> Start time | Total bytes (highest to lowest) | Saddr | Daddr
>
> I'm still trying to get a clue about argus, as you can see.



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

More information about the argus mailing list