Fwd: Argus Bind to multiple interfaces

Carter Bullard carter at qosient.com
Tue Oct 12 19:13:32 EDT 2010 

Hey Neslog,
So the support in argus.conf for the ARGUS_BIND_IP variable in argus-3.0.4 will read:

# When remote access is enabled (see above), you can specify that Argus
# should bind only to a specific IP address. This is useful, for example,
# in restricting access to the local host, or binding to a private
# interface while capturing from another.
#
# You can provide multiple addresses, separated by commas, or on multiple lines.
#
# The default is to bind to any IP address.
#
# Commandline equivalent  -B
#

#ARGUS_BIND_IP="::1,127.0.0.1"
#ARGUS_BIND_IP="127.0.0.1"
#ARGUS_BIND_IP="192.168.0.68"

Notice the "," in the first example.

This works with argus-3.0.3.18, which I'll upload later tonight/tomorrow.
This should be working with other releases, but I know it seems to wor
in the new one.

Carter

On Oct 10, 2010, at 8:22 AM, Neslog wrote:

> I'll give that a try.  Is there support using the argus.conf?  I'm running 20+ argi and collect logs locally and remotely.  Since it's a very dynamic environment I'm trying to avoid touching each sensor build before deployment.  
> 
> Thanks in advance,
> 
> Jeff
> 
> On Fri, Oct 8, 2010 at 5:10 PM, Carter Bullard <carter at qosient.com> wrote:
> 
> Begin forwarded message:
> 
>> From: Carter Bullard <carter at qosient.com>
>> Date: October 8, 2010 5:10:16 PM EDT
>> To: Neslog <neslog at gmail.com>
>> Subject: Re: Argus Bind to multiple interfaces
>> 
>> Hey Jeff,
>> Using argus-3.0.3.17 I can run it like this and I get this type of debug information:
>> 
>>   argus -X -D2 -B 192.168.0.68 -B 127.0.0.1 -P 10236
>> 
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.937489 ArgusNewModeler() returning 0x100800800
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.937769 ArgusNewOutput() returning retn 0x200250
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.937806 setArgusID(0x100300030, 0x0) done
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.937821 setArgusPortNum(0) returning
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.937830 clearArgusConfiguration () returning
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.937842 setArgusPortNum(10234) returning
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.937851 setArgusInterfaceStatus(0x100300000, 1)
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.938213 ArgusEstablishListen(0x100200250, 0x7fff5fbfe3e0) binding: 192.168.0.68:10234 family: 2
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.938254 ArgusEstablishListen(0x100200250, 0x7fff5fbfe3e0) binding: 127.0.0.1:10234 family: 2
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.938269 ArgusEstablishListen(0x100200250, 0x7fff5fbfe3e0) returning 4
>> argus[57068.20dcd670ff7f0000]: 08 Oct 10 17:07:14.938304 ArgusInitOutput() done
>> argus[57068]: 08 Oct 10 17:07:14.940585 started
>> 
>> 
>> So, it should work for you.  You can accomplish the same task with multiple ARGUS_BIND_IP directives
>> in the /etc/argus.conf.
>> 
>> Carter
>> 
>> On Oct 4, 2010, at 1:36 PM, Neslog wrote:
>> 
>>> Carter,
>>> 
>>> Did you put in the option for the Argus daemon to bind to an IP and localhost via 127.0.0.1?  Would this be difficult to achieve?
>>> 
>>> Jeff
>> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101012/39d922de/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101012/39d922de/attachment.bin>

More information about the argus mailing list