problems using ARGUS_OUTPUT_FILE and 'filter'
Russell Fulton
r.fulton at auckland.ac.nz
Wed May 9 00:48:50 EDT 2012
This gets weirder -- my argus instances on other sensors are also ignoring the filter on the ARGUS_OUTPUT_FILE line too. I just never noticed that I have a heap more flows than I should in all my argus files :(
Russell
On 9/05/2012, at 12:47 PM, Russell Fulton wrote:
> When I use this filter on the command line it works as expected, but when applied in the -F argus.conf I get all sorts of stuff that does not match the filter?
>
> argus-3.0.6.
>
> Makes no difference if I put the filter on the FILTER = or the ARGUS_OUTPUT_FILE.
>
> ARGUS_OUTPUT_FILE=/home/sensors/data/wireless/argus/user-data "tcp and src net ( 172.23.0.0/16 or 172.24.0.0/18 ) and not dst net ( 172.23.0.0/16 or 172.24.0.0/18 ) and dst port 80"
>
> see attached file...
>
> I've used this before often so I am very puzzled - on another sensor I have an identical config but with a ( 130.216.0.0/16 ) rather than the 172 addresses.
>
> Clearly I'm doing something stupid, but what?
>
> Any ideas?
>
> Russell
>
> PS:
>
> sample of captured flows with -F argus-user-data.conf (attached)
>
> 12:12:31.589938 e tcp 207.46.61.90.80 ?> 130.216.181.194.57572 1 60 RST
> 12:12:31.766180 e tcp 74.125.237.102.443 ?> 130.216.215.70.1629 1 60 RST
> 12:12:31.810594 e tcp 203.97.30.168.80 ?> 130.216.211.104.64352 1 60 RST
> 12:12:32.025105 e tcp 67.195.186.237.80 ?> 130.216.180.70.63388 1 60 RST
> 12:12:32.055496 e tcp 108.166.124.101.8081 ?> 130.216.185.49.49962 1 60 RST
> 12:12:32.284281 e tcp 203.167.141.160.80 ?> 130.216.45.214.50546 1 60 RST
> 12:12:32.128061 e tcp 203.167.141.160.80 ?> 130.216.235.214.3909 1 60 RST
> 12:12:32.313530 e tcp 74.125.237.103.443 ?> 130.216.215.70.1630 2 120 RST
> 12:12:32.407612 e tcp 157.56.52.37.443 ?> 130.216.138.119.55450 1 60 RST
> 12:12:32.419595 e tcp 203.97.30.166.443 ?> 130.216.138.180.56112 2 120 RST
> 12:12:33.058135 e tcp 203.167.141.160.80 ?> 130.216.64.209.49393 1 60 RST
> 12:12:33.125684 e tcp 193.1.122.17.80 ?> 130.216.109.13.1509 1 60 RST
> 12:12:33.216804 e tcp 96.7.131.235.80 ?> 130.216.73.113.62942 1 60 RST
> 12:12:32.840228 e tcp 203.97.30.172.80 ?> 130.216.211.104.64353 1 60 RST
>
> sample from
> sudo /usr/sbin/argus -w data/wireless/argus/user-data -i eth1 - tcp and src net \( 172.23.0.0/16 or 172.24.0.0/18 \) and not dst net \( 172.23.0.0/16 or 172.24.0.0/18 \) and dst port 80
>
> 12:30:11.657737 e tcp 172.23.210.58.52203 ?> 205.251.203.89.80 16 1056 CON
> 12:30:11.657816 e tcp 172.23.200.226.50630 ?> 208.117.254.157.80 43 4484 CON
> 12:30:11.658591 e tcp 172.23.63.238.62230 ?> 119.31.253.194.80 6 396 CON
> 12:30:11.658597 e tcp 172.23.189.245.63528 ?> 203.167.141.154.80 4 288 CON
> 12:30:11.658740 e tcp 172.23.51.133.56828 ?> 91.121.5.64.80 72 5732 CON
> 12:30:11.659003 e tcp 172.23.191.23.49648 ?> 208.43.117.186.80 105 151586 CON
> 12:30:11.659135 e tcp 172.23.97.109.54534 ?> 183.60.157.73.80 36 2410 CON
> 12:30:11.659852 e tcp 172.24.12.211.52737 ?> 205.196.120.161.80 50 3054 CON
> 12:30:11.659857 e tcp 172.24.12.211.52681 ?> 205.196.122.242.80 51 3060 CON
> 12:30:11.659868 e tcp 172.24.12.211.52750 ?> 199.91.152.194.80 43 2670 CON
> 12:30:11.659870 e tcp 172.24.12.211.52761 ?> 199.91.152.194.80 38 2316 CON
> 12:30:11.660339 e tcp 172.23.151.151.38450 ?> 188.132.173.12.80 22 1452 FIN
>
>
> <argus-user-data.conf>
>
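An added check, not part of this thread or of argus itself, that parses the ra-style flow lines quoted above and reports the records that the intended ARGUS_OUTPUT_FILE filter should have excluded, so a sensor whose config filter is silently ignored can be spotted from its output files. It assumes the nine-field line layout shown in the post and the two internal networks from the wireless sensor's filter; the sample lines are constructed from the post.

```python
import ipaddress

# Constructed sample lines copied from the post: the first set was written with
# the config-file filter (and should have been excluded), the second with the
# same filter given on the argus command line (and matches as expected).
SAMPLE_CONF_FILTER = """\
12:12:31.589938 e tcp 207.46.61.90.80 ?> 130.216.181.194.57572 1 60 RST
12:12:31.766180 e tcp 74.125.237.102.443 ?> 130.216.215.70.1629 1 60 RST
12:12:32.055496 e tcp 108.166.124.101.8081 ?> 130.216.185.49.49962 1 60 RST
"""
SAMPLE_CMDLINE_FILTER = """\
12:30:11.657737 e tcp 172.23.210.58.52203 ?> 205.251.203.89.80 16 1056 CON
12:30:11.659852 e tcp 172.24.12.211.52737 ?> 205.196.120.161.80 50 3054 CON
12:30:11.660339 e tcp 172.23.151.151.38450 ?> 188.132.173.12.80 22 1452 FIN
"""

# The "src net ( ... )" nets from the wireless sensor's filter in the post.
INTERNAL_NETS = [ipaddress.ip_network("172.23.0.0/16"),
                 ipaddress.ip_network("172.24.0.0/18")]


def split_addr(field):
    """Split an IPv4 'a.b.c.d.port' field into (address, port)."""
    host, _, port = field.rpartition(".")
    return ipaddress.ip_address(host), int(port)


def parse_line(line):
    """Parse one ra-style text record; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 9:  # time flags proto src dir dst pkts bytes state
        return None
    src, sport = split_addr(parts[3])
    dst, dport = split_addr(parts[5])
    return {"proto": parts[2], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "state": parts[8]}


def matches_filter(flow, nets=INTERNAL_NETS):
    """tcp and src net NETS and not dst net NETS and dst port 80"""
    src_in = any(flow["src"] in n for n in nets)
    dst_in = any(flow["dst"] in n for n in nets)
    return flow["proto"] == "tcp" and src_in and not dst_in and flow["dport"] == 80


def find_violations(text, nets=INTERNAL_NETS):
    """Return the records that should not be present under the filter."""
    flows = (parse_line(l) for l in text.splitlines())
    return [f for f in flows if f is not None and not matches_filter(f, nets)]
```

Run `find_violations()` over an `ra -r <file>` text dump of each sensor's output; any non-empty result means that sensor's filter is not being applied.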