Search filter, UDP, INT/CON
elof2 at sentor.se
Thu Apr 28 10:26:59 EDT 2011
On Thu, 28 Apr 2011, Jesper Skou Jensen wrote:
> I'm trying to do a search for UDP packages that are INT, alternative not INT,
> but I can't quite figure out how to do this.
>
> Is it possible to do this with ra directly?
Hi Jesper!
I thought that a simple 'ra -r log.argus - udp and con' would do the
trick, but apparently not. :-(
The manual only states this:
Ra filter expressions support primitives that are specific to flow states
and can be used to select flow records that were in these states at the
time they were generated. normal, wait, timeout, est or con
Apparently, flows are only associated with tcp.
There seems to be no primitive for matching connected UDP connections.
A question related to the above:
What is the difference between 'est' and 'con'?
Both seem to match the same thing, established TCP connections.
/Elof