convert argus logs to pcap files
Carter Bullard
carter at qosient.com
Fri Oct 8 16:59:30 EDT 2010
Hey Paul,
You can dump the user data using "-M encode32" and you'll see a hex dump. If you
need a different format, we can add more, without issue, just need a name for the format.
We also support "-M encode64", but not necessarily useful for you.
If you are interested in finding repeating patterns, you should use rauserdata(), as it
is designed to reveal patterns in user data buffers. It is not well documented, but it
works pretty well.
Wait until argus-client-3.0.3.19 hits the server this weekend before trying to use
rauserdata() or raservices(), as George reported a number of bugs that are now fixed.
Carter
On Oct 8, 2010, at 4:39 PM, Paul Schmehl wrote:
> Exactly. The header information is easy to get from argus, but the packet data is represented in ASCII. I'd like to see the hex so I can write content rules for snort. If I can spot a repeating pattern, I can write a rule for it and catch more infected hosts.
>
> --On Friday, October 08, 2010 16:19:57 -0400 Carter Bullard <carter at qosient.com> wrote:
>
>> Hey Paul,
>> We have flow record hex dumpers, and content hex dumpers already in the
>> libraries. Maybe we can already help you out.
>>
>> What is it you really want to do? Find hex patterns in user data to put into
>> snort?
>>
>> Carter
>>
>> On Oct 8, 2010, at 4:01 PM, Paul Schmehl wrote:
>>
>>> I want to do it so I can see the hex to write snort rules.
>>>
>>> --On Friday, October 08, 2010 15:48:50 -0400 Carter Bullard
>>> <carter at qosient.com> wrote:
>>>
>>>> Hey Guys,
>>>> Why would you want to do this?
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>> On Oct 8, 2010, at 3:15 PM, George Jones wrote:
>>>>
>>>> I was wondering that myself.
>>>>
>>>> Best answers seem to be text2pcap from wireshark, and possibly some pythonic
>>>> thing
>>>> such as http://dirtbags.net/py-pcap.html
>>>>
>>>> ---George Jones
>>>>
>>>>
>>>> On Fri, Oct 8, 2010 at 2:54 PM, Paul Schmehl <pschmehl_lists at tx.rr.com>
>>>> wrote:
>>>>
>>>> Is there a way to do this?
>>>
>>>
>>>
>>> --
>>> Paul Schmehl, Senior Infosec Analyst
>>> As if it wasn't already obvious, my opinions
>>> are my own and not those of my employer.
>>> *******************************************
>>> "It is as useless to argue with those who have
>>> renounced the use of reason as to administer
>>> medication to the dead." Thomas Jefferson
>>> "There are some ideas so wrong that only a very
>>> intelligent person could believe in them." George Orwell
>>>
>>>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
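The thread above is about hex-dumping user data (for example with "-M encode32") and spotting a byte sequence that repeats across flows so it can become a Snort content match. The script below is an added example, not argus or QoSient code: it assumes each user-data buffer has already been pulled out as a plain hex string, finds the longest byte string common to all of the buffers, and renders it in Snort content syntax. The sample buffers are constructed.

```python
# Added example (not argus project code): find the longest byte sequence shared by
# several hex-dumped user-data buffers and emit it as a Snort content match.
# Assumption: each buffer is a plain hex string (whitespace allowed), i.e. the
# user-data hex extracted from an "-M encode32" dump.

# Constructed sample buffers: three flows sharing a 7-byte marker at different offsets.
SAMPLE_HEX = [
    "01 02 03 ab cd 54 41 47 00 7f 10 11",
    "55 66 ab cd 54 41 47 00 7f 99",
    "ab cd 54 41 47 00 7f 00 00 00",
]

def parse_hex(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))

def longest_common_bytes(buffers, min_len=4) -> bytes:
    """Return the longest byte string present in every buffer (b'' if none of
    at least min_len bytes exists). Brute force over substrings of the shortest
    buffer, which is fine for a handful of flows."""
    if not buffers:
        return b""
    shortest = min(buffers, key=len)
    others = [b for b in buffers if b is not shortest]
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in b for b in others):
                return cand
    return b""

def snort_content(pattern: bytes) -> str:
    """Render bytes as a Snort content option: ASCII alphanumerics literally,
    everything else inside |..| hex blocks (so quotes, pipes and ';' never leak)."""
    out, hexrun = [], []
    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()
    for b in pattern:
        if b < 0x80 and chr(b).isalnum():
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return 'content:"' + "".join(out) + '";'

def rule_from_hex_dumps(hex_dumps, min_len=4) -> str:
    """Hex dumps in, Snort content option out (empty string if nothing is shared)."""
    pattern = longest_common_bytes([parse_hex(h) for h in hex_dumps], min_len)
    return snort_content(pattern) if pattern else ""

if __name__ == "__main__":
    print(rule_from_hex_dumps(SAMPLE_HEX))  # content:"|AB CD|TAG|00 7F|";
```

A pattern shared by only a few flows can still be coincidental, so check the candidate against known-good traffic before deploying it as a rule.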