ragrep newbie question ?
Carter Bullard
carter at qosient.com
Sun Mar 14 13:28:49 EDT 2010
Hey Julien,
ragrep() is obsolete. Use the newer argus-clients-3.0.2 programs, all of which allow
you to grep, using the "-e" option. So try:
ra -e "(http|https|ftp|get|post|head)" -r $src_log
with this you can specify source or destination data buffers etc....
Also, argus does not collect user data by default, you will need to run
argus with the "-U" option or configure it in your /etc/argus.conf file if
it's not capturing.
The best way to verify is to print out the user data buffers in the file you have:
ra -r $src_log -s +suser:64
Carter
On Mar 14, 2010, at 5:12 AM, julien wrote:
> Hello,
>
> I have a small problem with ragrep, which I recently began to use
> following this paper
> http://www.rawpacket.org/anonymous/papers/Argus-PracticalBotNetDetection.pdf
>
> When I launch the following request:
>
> $ ragrep -z -i -e '(http|https|ftp|get|post|head)' -r $src_log - dst port 80 or dst port 443 or dst port 8080
> (same without filter)
>
> I get nothing. $src_log is an argus file converted from a pcap (with argus)
> In Ethereal, there is some http traffic and ragrep doesn't get it. Why?
> Bad command line, pcap conversion or something else?
>
> Thanks.
> Best regards,
>
> Julien
>