Argus doesn't collect packet data - only session data
Paul Schmehl
pschmehl_lists at tx.rr.com
Mon Mar 5 18:01:31 EST 2012
Arghh..knew there was something I was missing.....thanks, Carter.
--On March 5, 2012 5:29:17 PM -0500 Carter Bullard <carter at qosient.com> wrote:
> Hey Paul,
>
> You need to specify the "suser" and/or "duser" fields to print using the
> command line option "-s +suser +duser"
> or add these fields to your .rarc file in the RA_FIELD_SPECIFIER variable
> definition.
> Many options changed in the 3.x releases. Check out the man page, if in
> doubt.
>
>
> You may find that the newest code, argus-clients-3.0.5.34 works as well:
> http://qosient.com/argus/dev/argus-clients-latest-tar.gz
>
>
> Hope this helps,
> Carter
>
> On Mar 5, 2012, at 4:55 PM, Paul Schmehl wrote:
>
> I'm setting up a new server, and I've run into a problem with argus. No
> matter what I do, I can't seem to get it to collect user data. It works
> fine on the old server.
>
> This is on FreeBSD 8.2. Argus was built from ports and is version 3.0.4
> without SASL.
>
> Here's the argus.conf file:
>
> ARGUS_DAEMON=yes
> ARGUS_INTERFACE="bce1"
> ARGUS_OUTPUT_FILE=/var/data/nsm/argus/argus.log
> ARGUS_SET_PID=yes
> ARGUS_GO_PROMISCUOUS=yes
> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
> ARGUS_GENERATE_MAC_DATA=yes
> ARGUS_FILTER="ip and not icmp"
> ARGUS_CAPTURE_DATA_LEN=800
>
> And here's the process running:
>
> root 94930 18.1 1.1 210416 189484 ?? Rs 8:48PM 0:41.79 /usr/local/sbin/argus -F /usr/local/etc/argus.conf -F /usr/local/etc/argus.conf
>
> No matter what CAPTURE_DATA_LEN I use, this is what I get in the log:
>
> 20:53:03.717210 e udp 10.21.1.49.59178 <-> 74.200.191.77.domain 2 408 CON
> 20:53:03.718211 e tcp 10.110.143.147.64634 <?> 205.203.132.65.http 13 10133 CON
> 20:53:03.718618 e tcp 10.160.122.248.55405 -> 69.116.12.102.28550 3 213 CON
> 20:53:03.722132 e tcp 10.21.21.177.56017 -> 218.6.12.180.http 3 180 RST
> 20:53:03.720056 e tcp 71.71.229.73.12283 -> 129.110.94.160.http 11 1633 FIN
> 20:53:03.720769 e d tcp 10.21.17.168.58421 -> 121.11.151.47.http 351 380622 CON
> 20:53:03.721078 e i tcp 10.40.128.53.55652 <?> 10.110.47.178.ssh 171 108674 CON
>
> As you can see, no packet data at all.
>
> I've even tried using -U 800 on the commandline, but same results.
> Googling didn't help.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell