Argus Freezes

[Carter Bullard]

Yes, but the idea is to get through the packets quickly using argus, then use
one of the ra* programs to merge the multiple status reports together.  If a
"single flow = single report" is your goal then, there are tools provided to help.

Look at using rasqlinsert(), if you have access to mysql.  The keyword is "-M cache"
as you read on how to use it.  If mysql is not available, use racluster() with a custom
racluster.conf file.  An example is in ./support/Config/racluster.conf.

The trick is to set aggressive idle timeout values so you can get short lived flows
out of the engine quickly.  Sometimes matching flows like (" src net not x.y.0.0/16")
(flows originated from outside) is enough to identify flows that should be timed out
quickly.

Carter

On Nov 15, 2010, at 12:42 PM, Sunjeet Singh wrote:

> Hi Carter, thanks for your response-
> 
> On 10-11-15 9:32 AM, Carter Bullard wrote:
>> 
>> Try running with a "-S 60" or "-S 5", and then take the output and process it using
>> racluster(), rabins() or rasqlinsert() to get your 1 status report per day.  racluster()
>> and rabins() do their aggregation in RAM.  rasqlinsert() provides a mechanism for
>> using the disk to aggregate very large numbers of flows.
>> 
> 
> But with a -S 60 or -S 5, don't I run the risk of having a single connection split and shown as multiple connections by Argus, especially in a DOS situation where the packets might arrive much slower than normal?
> 
> 
> Thank you,
> Sunjeet Singh
> 
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101115/371fcada/attachment.bin>