Getting the data I want

carter at qosient.com carter at qosient.com
Thu Aug 19 12:45:43 EDT 2010


Hey Paul,
Yes, don't need ra(), put the filter on racluster().  
You are aggregating for unique matrix pairs, so both source and destination are considered.  When you have duplicate source addrs, it's probably because that particular source is talking to multiple destination addresses.  Check the daddr.

If you have two entries with the same address pairs, then you may have non-IP traffic, like arp, being counted.  Include "ip and" at the front of your filter.

Carter 



Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Paul Schmehl <pschmehl_lists at tx.rr.com>
Date: Thu, 19 Aug 2010 09:40:45 
To: <carter at qosient.com>; Argus<argus-info at lists.andrew.cmu.edu>
Reply-To: Paul Schmehl <pschmehl_lists at tx.rr.com>
Subject: Re: [ARGUS] Getting the data I want

I'm using this now, and it's getting me the information that I was looking for:

# ra -s stime bytes saddr daddr -R /var/data/nsm/argus/2010-08-17/ -w - "net 1.1.1.0/25" | racluster -m matrix -w - | rasort -m bytes -s stime bytes saddr daddr > /tmp/0817_allnets_sorted.txt

Looks like the ra part is unnecessary?

This is giving me a sorted list of source IPs with bytes, but sometimes a 
source IP is duplicated.  I'm assuming because that's from two different 
sessions?

--On Thursday, August 19, 2010 01:14:31 +0000 carter at qosient.com wrote:

> Hey Paul,
> In order to get totals per host for the entire day, you will need to
> aggregate the data using the tool racluster().
>
> There are two ways to do host totals, one preserves the notion of source and
> destination, the other does not.
>
> To keep the notion of direction:
>
>    racluster -R dir -m saddr daddr -w - - net 1.1.1.0/24 and net 2.2.2.0/24 | rasort -m bytes saddr daddr -s stime bytes saddr daddr
>
> To ignore direction, you use the matrix option to racluster():
>
>    racluster -R dir -m matrix -w - - net 1.1.1.0/24 and net 2.2.2.0/24 | rasort -m bytes saddr daddr -s stime bytes saddr daddr
>
> Give both a try and if you have problems, send email.
> Carter
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Paul Schmehl <pschmehl_lists at tx.rr.com>
> Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
> Date: Tue, 17 Aug 2010 10:23:45
> To: <argus-info at lists.andrew.cmu.edu>
> Reply-To: Paul Schmehl <pschmehl_lists at tx.rr.com>
> Subject: [ARGUS] Getting the data I want
>
> I want to get the following from a day's worth of argus data.  We store "raw"
> argus files in 4 hour increments, gzipped, which is around 10GB per day right
> now.  I want to get the following data from these files:
>
> search the entire day for anything related to connections to two specific
> networks and sort it by total bytes, then saddr, then daddr.
>
> Is this possible?
>
> Right now I'm trying this (obfuscated for privacy):
>
> ra -s stime -s bytes -s saddr -s daddr -R /var/data/nsm/argus/2010-08-16/ - net 1.1.1.0/24 or net 2.2.2.0/24 | rasort -m bytes saddr daddr > /tmp/0816_allnets_sorted.txt
>
> Is this going to get me what I want?  I don't want packet data, just header
> information that shows me total bytes per host connecting to any one of a
> number of hosts on two different foreign networks.  (Foreign == not ours.)
>
> I'd like to see the following:
>
> Start time | Total bytes (highest to lowest) | Saddr | Daddr
>
> I'm still trying to get a clue about argus, as you can see.



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
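Added illustration, not part of the thread above and not Argus code: a small Python emulation of what the pipeline `racluster -m matrix | rasort -m bytes` does to a day's flow records, so the two effects Carter describes can be seen side by side on constructed data. Keying on the address pair means one source address shows up in several rows when it talks to several destinations; a non-IP record (ARP here) for an already-seen pair survives as a second row until the filter is prefixed with `ip and`. The flow records are constructed, and treating the address family as part of the aggregation key (plus displaying the first-seen direction for a matrix row) is an assumption modelled on Carter's remarks, not racluster's actual implementation.

```python
from collections import Counter

# Constructed Argus-style flow records: (stime, proto, saddr, daddr, bytes).
# The "net 1.1.1.0/25" part of the filter is assumed to be already applied.
FLOWS = [
    ("2010-08-17 00:01:10", "tcp", "1.1.1.10", "8.8.8.8", 1200),
    ("2010-08-17 00:02:30", "tcp", "8.8.8.8", "1.1.1.10", 300),   # reverse direction of the pair above
    ("2010-08-17 00:05:00", "tcp", "1.1.1.10", "9.9.9.9", 5000),  # same source, different destination
    ("2010-08-17 00:06:00", "udp", "1.1.1.20", "8.8.8.8", 700),
    ("2010-08-17 00:06:05", "arp", "1.1.1.20", "8.8.8.8", 60),    # non-IP record for the same pair
]

IP_PROTOS = {"tcp", "udp", "icmp"}


def passes_filter(proto, ip_only):
    """Emulate the effect of putting 'ip and' at the front of the filter:
    with ip_only=True, records that do not carry IP (e.g. ARP) are dropped."""
    return (proto in IP_PROTOS) if ip_only else True


def aggregate(flows, mode="matrix", ip_only=False):
    """Emulate 'racluster -m saddr daddr' (direction kept) or 'racluster -m matrix'
    (unordered address pair) followed by 'rasort -m bytes' (highest first).
    Bytes are summed per key and the earliest stime is kept.
    Assumption: the address family (ip / non-ip) is part of the key, which is
    what makes an ARP record appear as a second row for the same pair."""
    rows = {}
    for stime, proto, saddr, daddr, nbytes in flows:
        if not passes_filter(proto, ip_only):
            continue
        family = "ip" if proto in IP_PROTOS else "non-ip"
        if mode == "saddr daddr":
            pair = (saddr, daddr)                    # direction preserved
        else:
            pair = tuple(sorted((saddr, daddr)))     # matrix: direction ignored
        key = (pair, family)
        if key not in rows:
            # Assumption: display the direction of the first record seen.
            rows[key] = {"stime": stime, "saddr": saddr, "daddr": daddr,
                         "family": family, "bytes": 0}
        row = rows[key]
        row["bytes"] += nbytes
        row["stime"] = min(row["stime"], stime)
    return sorted(rows.values(), key=lambda r: r["bytes"], reverse=True)


def duplicated_sources(rows):
    """Source addresses that occur in more than one aggregated row."""
    counts = Counter(r["saddr"] for r in rows)
    return sorted(a for a, n in counts.items() if n > 1)


def duplicated_pairs(rows):
    """Address pairs that occur in more than one aggregated row; with the matrix
    key this can only happen when something other than the pair (here the
    address family) differs, i.e. non-IP traffic is being counted."""
    counts = Counter(tuple(sorted((r["saddr"], r["daddr"]))) for r in rows)
    return sorted(p for p, n in counts.items() if n > 1)


if __name__ == "__main__":
    for ip_only in (False, True):
        rows = aggregate(FLOWS, "matrix", ip_only=ip_only)
        print("matrix, ip_only=%s" % ip_only)
        for r in rows:
            print("  %s %6d %-10s %-10s %s" % (r["stime"], r["bytes"],
                                                r["saddr"], r["daddr"], r["family"]))
        print("  duplicated sources:", duplicated_sources(rows))
        print("  duplicated pairs:  ", duplicated_pairs(rows))
```

The two helper checks separate the cases: a source listed twice while `duplicated_pairs` is empty is the harmless case (one host, several peers, as Carter says: check the daddr); a pair listed twice is the signal that non-IP records are being aggregated, and re-running with `ip_only=True` removes it.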