Search filter, UDP, INT/CON, primitives + exit status

elof2 at sentor.se
Wed May 4 06:30:41 EDT 2011


Regarding search filters and primitives...

I would like the possibility to use all the filter primitives on a per 
flow-direction basis, like "src est", "src syn" or "dst synack".


Some examples of how I'd like to be able to match:
"PA_PA" - src push and src ack and not src syn and not src fin and not src 
reset and dst push and dst ack and not dst syn and not dst fin and not dst
reset

"FSPA_" - src est and not dst est (detect incorrect SPAN setup where only
                                  one direction of the traffic is mirrored)
"_FSPA" - not src est and dst est (detect incorrect SPAN setup)

"*R_SPA*" - src est and src reset and dst est (detect connections that are 
reset (RST) by the client rather than terminated using FIN)

...and so on. Currently, this kind of detailed granularity can't be 
achieved internally in ra, so I have to use an external command like grep.




If the ra* tools also set an exit status depending on whether there was any 
match or not, that would be fantastic! Then you could use something 
like this:

# assumes ra exits 0 when at least one record matches the filter
if ra -r huge_argus.log -qN1 - port 12345; then
   echo "Yes, port 12345 exists"
else
   echo "Nope, no port 12345 in huge_argus.log"
fi

/Elof


On Mon, 2 May 2011, Jesper Skou Jensen wrote:

> Excellent, it works Carter.
>
> Thank you for the help.
>
>
> -- 
>
>  Jesper S. Jensen
> UNI-C - Århus, Danmark
>
> On 29-04-2011 18:12, Carter Bullard wrote:
>> Hey gentle people,
>> OK, so I have fixed the 'con' filter item, and 'init' is now equivalent to 
>> 'start'.
>> There is some cleanup work to do on all these states, so if you see 
>> something that is amiss,
>> don't hesitate to send to the list.
>> 
>> This has uncovered a bug in argus, however.  argus() is reporting most 
>> records as 'status',
>> even though they may be starting records or status records.  Which means 
>> that currently,
>> some argus data is incomplete, and I have a bug to fix in argus().
>> The clients should be fine now.
>> 
>> I'll upload new client software in an hour or so.
>> 
>> Carter
>

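A grep-style workaround for what the post above asks for, added here as an example and not code from the poster or the argus project: an awk filter that applies per-direction flag rules (required and forbidden letters on the src and dst side of a "srcflags_dstflags" state string) and returns a grep-like exit status. It assumes the state string is the last whitespace-separated field of each record; the sample records are constructed, not real ra output.

```shell
# flow_state_match SRC_REQ SRC_DENY DST_REQ DST_DENY  < records
# Keeps records whose last field is a "srcflags_dstflags" state string
# containing every letter of SRC_REQ/DST_REQ and none of SRC_DENY/DST_DENY
# on that side. Exit status 0 if anything matched, 1 otherwise (grep-like).
flow_state_match() {
    awk -v sreq="$1" -v sden="$2" -v dreq="$3" -v dden="$4" '
    function has_all(flags, want,   i) {
        for (i = 1; i <= length(want); i++)
            if (index(flags, substr(want, i, 1)) == 0) return 0
        return 1
    }
    function has_none(flags, avoid,   i) {
        for (i = 1; i <= length(avoid); i++)
            if (index(flags, substr(avoid, i, 1)) > 0) return 0
        return 1
    }
    {
        if (split($NF, side, "_") != 2) next   # not a src_dst TCP state string
        if (has_all(side[1], sreq) && has_none(side[1], sden) &&
            has_all(side[2], dreq) && has_none(side[2], dden)) {
            print
            matched = 1
        }
    }
    END { exit (matched ? 0 : 1) }'
}

# Constructed sample records (assumption: the state string is the last
# field; real ra output has different columns).
SAMPLE='tcp 10.0.0.1.40001 -> 10.0.0.2.80 12 3400 FSPA_FSPA
tcp 10.0.0.3.40002 -> 10.0.0.2.80 8 2100 PA_PA
tcp 10.0.0.4.40003 -> 10.0.0.2.80 5 900 FSPA_
tcp 10.0.0.5.40004 -> 10.0.0.2.443 9 1700 RSPA_SPA
tcp 10.0.0.6.40005 -> 10.0.0.2.22 4 600 _FSPA
udp 10.0.0.7.5353 -> 224.0.0.251.5353 2 300 INT'

# Number of sample records satisfying a per-direction rule.
sample_matches() {
    printf '%s\n' "$SAMPLE" | flow_state_match "$1" "$2" "$3" "$4" | wc -l | tr -d ' '
}

# "src est and not dst est": S, P and A seen from the source, none from the
# destination, i.e. only one direction of the traffic was mirrored.
if printf '%s\n' "$SAMPLE" | flow_state_match 'SPA' '' '' 'SPA' >/dev/null; then
    echo "one-way SPAN suspected: flows with flags on the src side only"
fi
```

The same call pattern works on live data by replacing the printf with `ra -r file -n` and passing a filter that selects the flow-state column you actually print.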
