problems using ARGUS_OUTPUT_FILE and 'filter'

Russell Fulton r.fulton at auckland.ac.nz
Wed May 9 00:48:50 EDT 2012


This gets weirder -- my argus instance on other sensors are also ignoring the filter on the ARGUS_OUTPUT_FILE line too.  I just never noticed that I have a heap more flows than I should in all my argus files :(

Russell


On 9/05/2012, at 12:47 PM, Russell Fulton wrote:

> When I use this filter on the command line it works as expected but when applied in the -F argus.conf I get all sorts of stuff that I does not match the filter?
> 
> argus-3.0.6.
> 
> Makes no difference if I put the filter on the FILTER = or the ARGUS_OUTPUT_FILE.
> 
> ARGUS_OUTPUT_FILE=/home/sensors/data/wireless/argus/user-data "tcp and src net ( 172.23.0.0/16 or 172.24.0.0/18 ) and not dst net ( 172.23.0.0/16 or 172.24.0.0/18 )  and dst port 80"
> 
> see attached file...
> 
> I've used this before often so I am very puzzled - on another sensor I have an identical config but with a ( 130.216.0.0/16 )  rather than the 172 addresses.
> 
> Clearly I'm doing something stupid, but what?
> 
> Any ideas?
> 
> Russell
> 
> PS:
> 
> sample of captured flows with -F argus-user-data.conf (attached)
> 
>   12:12:31.589938  e         tcp       207.46.61.90.80        ?>    130.216.181.194.57572         1         60   RST
>   12:12:31.766180  e         tcp     74.125.237.102.443       ?>     130.216.215.70.1629          1         60   RST
>   12:12:31.810594  e         tcp      203.97.30.168.80        ?>    130.216.211.104.64352         1         60   RST
>   12:12:32.025105  e         tcp     67.195.186.237.80        ?>     130.216.180.70.63388         1         60   RST
>   12:12:32.055496  e         tcp    108.166.124.101.8081      ?>     130.216.185.49.49962         1         60   RST
>   12:12:32.284281  e         tcp    203.167.141.160.80        ?>     130.216.45.214.50546         1         60   RST
>   12:12:32.128061  e         tcp    203.167.141.160.80        ?>    130.216.235.214.3909          1         60   RST
>   12:12:32.313530  e         tcp     74.125.237.103.443       ?>     130.216.215.70.1630          2        120   RST
>   12:12:32.407612  e         tcp       157.56.52.37.443       ?>    130.216.138.119.55450         1         60   RST
>   12:12:32.419595  e         tcp      203.97.30.166.443       ?>    130.216.138.180.56112         2        120   RST
>   12:12:33.058135  e         tcp    203.167.141.160.80        ?>     130.216.64.209.49393         1         60   RST
>   12:12:33.125684  e         tcp       193.1.122.17.80        ?>     130.216.109.13.1509          1         60   RST
>   12:12:33.216804  e         tcp       96.7.131.235.80        ?>     130.216.73.113.62942         1         60   RST
>   12:12:32.840228  e         tcp      203.97.30.172.80        ?>    130.216.211.104.64353         1         60   RST
> 
> sample from
> sudo /usr/sbin/argus -w  data/wireless/argus/user-data -i eth1 - tcp and src net \( 172.23.0.0/16 or 172.24.0.0/18 \) and not dst net \( 172.23.0.0/16 or 172.24.0.0/18 \)  and dst port 80
> 
>   12:30:11.657737  e         tcp      172.23.210.58.52203     ?>     205.251.203.89.80           16       1056   CON
>   12:30:11.657816  e         tcp     172.23.200.226.50630     ?>    208.117.254.157.80           43       4484   CON
>   12:30:11.658591  e         tcp      172.23.63.238.62230     ?>     119.31.253.194.80            6        396   CON
>   12:30:11.658597  e         tcp     172.23.189.245.63528     ?>    203.167.141.154.80            4        288   CON
>   12:30:11.658740  e         tcp      172.23.51.133.56828     ?>        91.121.5.64.80           72       5732   CON
>   12:30:11.659003  e         tcp      172.23.191.23.49648     ?>     208.43.117.186.80          105     151586   CON
>   12:30:11.659135  e         tcp      172.23.97.109.54534     ?>      183.60.157.73.80           36       2410   CON
>   12:30:11.659852  e         tcp      172.24.12.211.52737     ?>    205.196.120.161.80           50       3054   CON
>   12:30:11.659857  e         tcp      172.24.12.211.52681     ?>    205.196.122.242.80           51       3060   CON
>   12:30:11.659868  e         tcp      172.24.12.211.52750     ?>     199.91.152.194.80           43       2670   CON
>   12:30:11.659870  e         tcp      172.24.12.211.52761     ?>     199.91.152.194.80           38       2316   CON
>   12:30:11.660339  e         tcp     172.23.151.151.38450     ?>     188.132.173.12.80           22       1452   FIN
> 
> 
> <argus-user-data.conf>
> 




More information about the argus mailing list