gerth at graphics.stanford.edu
Fri Dec 14 17:10:52 EST 2012
On 12/14/2012 1:31 PM, Craig Merchant wrote:
> What client tools do I need to use to look for keystroke detection in encrypted sessions?
There are two facets to SSH keystroke detection:
(1) telling the sensor to look for keystrokes in argus.conf
(2) extracting the gathered keystroke data from argus records
The ra client fieldname for keystrokes is "nstroke"
which you can use as an output field specifier and in filters.
For example, to add nstroke to the output and only print records with keystrokes
ra ... -s +nstroke .... - nstroke gt 0
(if you want nstroke to print by default add it to RA_FIELD_SPECIFIER)
John Gerth gerth at graphics.stanford.edu Gates 378 (650) 725-3273 fax 725-6949
More information about the argus