convert argus logs to pcap files

Paul Schmehl pschmehl_lists at tx.rr.com
Fri Oct 8 16:39:00 EDT 2010


Exactly.  The header information is easy to get from argus, but the packet data 
is represented in ASCII.  I'd like to see the hex so I can write content rules 
for snort.  If I can spot a repeating pattern, I can write a rule for it and 
catch more infected hosts.

--On Friday, October 08, 2010 16:19:57 -0400 Carter Bullard 
<carter at qosient.com> wrote:

> Hey Paul,
> We have flow record hex dumpers, and content hex dumpers already in the
> libraries. Maybe we can already help you out.
>
> What is it you really want to do?  Find hex patterns in user data to put into
> snort?
>
> Carter
>
> On Oct 8, 2010, at 4:01 PM, Paul Schmehl wrote:
>
>> I want to do it so I can see the hex to write snort rules.
>>
>> --On Friday, October 08, 2010 15:48:50 -0400 Carter Bullard
>> <carter at qosient.com> wrote:
>>
>>> Hey Guys,
>>> Why would you want to do this?
>>>
>>> Carter
>>>
>>>
>>>
>>> On Oct 8, 2010, at 3:15 PM, George Jones wrote:
>>>
>>> I was wondering that myself.
>>>
>>> Best answers seem to be text2pcap from wireshark, and possibly some pythonic
>>> thing
>>> such as http://dirtbags.net/py-pcap.html
>>>
>>> ---George Jones
>>>
>>>
>>> On Fri, Oct 8, 2010 at 2:54 PM, Paul Schmehl <pschmehl_lists at tx.rr.com>
>>> wrote:
>>>
>>> Is there a way to do this?
>>
>>
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
>> "There are some ideas so wrong that only a very
>> intelligent person could believe in them." George Orwell
>>
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
>



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
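An added example (not code from this thread, argus, or QoSient) of the two steps discussed above: rendering flow user data as the offset-prefixed hex dump text2pcap accepts, and pulling the longest byte sequence common to several flows into a snort content option. The payloads are constructed samples; argus's own ASCII rendering is not assumed, the input is just raw bytes.

```python
import sys

# Constructed sample user-data payloads from three flows (not real argus output):
# the fixed prefix is the kind of repeating pattern worth a content match, while
# the id and command fields vary per host.
SAMPLE_PAYLOADS = [
    b"\x01\x00BOT\x7fid=0041;cmd=ping\x00",
    b"\x01\x00BOT\x7fid=1290;cmd=ping\x00",
    b"\x01\x00BOT\x7fid=7;cmd=sleep\x00",
]


def to_text2pcap(payload, width=16):
    """Render bytes as the offset-prefixed hex dump text2pcap reads:
    a hex offset, then space-separated hex byte pairs, `width` bytes per line.
    An offset of 000000 starts a new packet."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        lines.append("%06x %s" % (off, " ".join("%02x" % b for b in chunk)))
    return "\n".join(lines) + "\n"


def longest_common_bytes(samples, min_len=4):
    """Longest byte string (at least min_len long) present in every sample,
    or b"" if none. Candidates come from the shortest sample, longest first."""
    shortest = min(samples, key=len)
    best = b""
    for i in range(len(shortest)):
        # Only try candidates longer than the best found so far.
        stop = i + max(min_len, len(best) + 1) - 1
        for j in range(len(shortest), stop, -1):
            cand = shortest[i:j]
            if all(cand in s for s in samples):
                best = cand
                break
    return best


def snort_content(pattern):
    """Format a byte pattern as a snort content option using |hex| escapes,
    so non-printable bytes are matched exactly."""
    return 'content:"|%s|";' % " ".join("%02x" % b for b in pattern)


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        sys.stdout.write(to_text2pcap(p))
    print(snort_content(longest_common_bytes(SAMPLE_PAYLOADS)))
```

Feeding the dump to `text2pcap -i 6 -T 1234,80 dump.txt out.pcap` wraps each bare payload in dummy Ethernet/IP/TCP headers so snort or wireshark can read it; the ports are placeholders.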