convert argus logs to pcap files

Paul Schmehl pschmehl_lists at tx.rr.com
Fri Oct 8 18:24:01 EDT 2010


That's perfect.  Thanks.

Should be in the man page, but isn't.  :-)

--On Friday, October 08, 2010 16:59:30 -0400 Carter Bullard 
<carter at qosient.com> wrote:

> Hey Paul,
> You can dump the user data using "-M encode32" and you'll see a hex dump.  If
> you need a different format, we can add more, without issue, just need a name
> for the format. We also support "-M encode64", but not necessarily useful for
> you.
>
> If you are interested in finding repeating patterns, you should use
> rauserdata(), as it is designed to reveal patterns in user data buffers.  It
> is not well documented, but it works pretty well.
>
> Wait until argus-client-3.0.3.19 hits the server this weekend before trying
> to use rauserdata() or raservices(), as George reported a number of bugs that
> are now fixed.
>
> Carter
>
>
> On Oct 8, 2010, at 4:39 PM, Paul Schmehl wrote:
>
>> Exactly.  The header information is easy to get from argus, but the packet
>> data is represented in ASCII.  I'd like to see the hex so I can write
>> content rules for snort.  If I can spot a repeating pattern, I can write a
>> rule for it and catch more infected hosts.
>>
>> --On Friday, October 08, 2010 16:19:57 -0400 Carter Bullard
>> <carter at qosient.com> wrote:
>>
>>> Hey Paul,
>>> We have flow record hex dumpers, and content hex dumpers already in the
>>> libraries. Maybe we can already help you out.
>>>
>>> What is it you really want to do?  Find hex patterns in user data to put
>>> into snort?
>>>
>>> Carter
>>>
>>> On Oct 8, 2010, at 4:01 PM, Paul Schmehl wrote:
>>>
>>>> I want to do it so I can see the hex to write snort rules.
>>>>
>>>> --On Friday, October 08, 2010 15:48:50 -0400 Carter Bullard
>>>> <carter at qosient.com> wrote:
>>>>
>>>>> Hey Guys,
>>>>> Why would you want to do this?
>>>>>
>>>>> Carter
>>>>>
>>>>>
>>>>>
>>>>> On Oct 8, 2010, at 3:15 PM, George Jones wrote:
>>>>>
>>>>> I was wondering that myself.
>>>>>
>>>>> Best answers seem to be text2pcap from wireshark, and possibly some
>>>>> pythonic thing such as http://dirtbags.net/py-pcap.html
>>>>>
>>>>> ---George Jones
>>>>>
>>>>>
>>>>> On Fri, Oct 8, 2010 at 2:54 PM, Paul Schmehl <pschmehl_lists at tx.rr.com>
>>>>> wrote:
>>>>>
>>>>> Is there a way to do this?
>>>>
>>>>
>>>>
>>>> --
>>>> Paul Schmehl, Senior Infosec Analyst
>>>> As if it wasn't already obvious, my opinions
>>>> are my own and not those of my employer.
>>>> *******************************************
>>>> "It is as useless to argue with those who have
>>>> renounced the use of reason as to administer
>>>> medication to the dead." Thomas Jefferson
>>>> "There are some ideas so wrong that only a very
>>>> intelligent person could believe in them." George Orwell
>>>>
>>>>
>>>
>>> Carter Bullard
>>> CEO/President
>>> QoSient, LLC
>>> 150 E 57th Street Suite 12D
>>> New York, New York  10022
>>>
>>> +1 212 588-9133 Phone
>>> +1 212 588-9134 Fax
>>>
>>>
>>>
>>>
>>
>>
>>



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

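The thread's end goal is to take the user-data hex that `ra -M encode32` exposes, spot the bytes that repeat across flows from several infected hosts, and turn them into a Snort `content` match. The example below is added here and is not argus client code: it assumes the user-data bytes have already been read back out of the hex dump (the `SAMPLE_BUFFERS` are constructed), finds the longest byte run common to every buffer, and renders it in Snort's `|hex|` content syntax; `longest_common_pattern` and `snort_content` are names chosen for this example.

```python
"""Find the longest byte pattern shared by a set of user-data buffers and
render it as a Snort content match.  Added example; not argus client code."""
from typing import List, Optional

# Constructed sample user-data buffers, standing in for request lines pulled
# from a hex dump of three flows from different hosts.  The URI path is the
# part that repeats; method, query value and HTTP version vary.
SAMPLE_BUFFERS = [
    b"POST /cgi/beacon.php?u=aa11 HTTP/1.1\r\n",
    b"HEAD /cgi/beacon.php?u=bb22 HTTP/1.0\r\n",
    b"POST /cgi/beacon.php?u=cc33 HTTP/1.1\r\n",
]


def longest_common_pattern(buffers: List[bytes], min_len: int = 4) -> Optional[bytes]:
    """Return the longest byte string present in every buffer.

    Returns None when there are no buffers or when the longest shared run is
    shorter than min_len, since a very short content match would fire on
    unrelated traffic.  Candidates are taken from the shortest buffer, longest
    first, so the first hit is a longest common substring.
    """
    if not buffers:
        return None
    shortest = min(buffers, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in buf for buf in buffers):
                return candidate
    return None


def snort_content(pattern: bytes) -> str:
    """Render a byte pattern in Snort's |hex| content syntax.

    The all-hex form avoids the escaping that ';', '"', '|' and '\\' need in
    the printable form, and copes with non-printable bytes in the pattern.
    """
    return 'content:"|' + " ".join(f"{b:02x}" for b in pattern) + '|";'


if __name__ == "__main__":
    pattern = longest_common_pattern(SAMPLE_BUFFERS)
    if pattern is None:
        print("no shared pattern long enough for a rule")
    else:
        # Note: a common run can also be protocol boilerplate (e.g. " HTTP/1."),
        # so review the bytes before committing them to a rule.
        print(pattern)
        print(snort_content(pattern))
```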