Does the -Zb switch have some magic incantation?

Carter Bullard carter at qosient.com
Mon Oct 15 20:28:52 EDT 2012 

Hey Paul,
The -Zb option modifies the " status " field to print the TCP flags if they are available.
So you need to add the " status " field to your RA_FIELD_SPECIFIER.  And give it some
additional size from the default 4 chars.

   RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs status:16

Carter

On Oct 15, 2012, at 4:51 PM, Paul Schmehl <pschmehl_lists at tx.rr.com> wrote:

> I'm working on an rasqlinsert routine for feeding a database with argus data.  I have one last hurdle to overcome.
> 
> Here's my conf file:
> RA_TIME_FORMAT="%G-%m-%d %T
> RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs
> RA_PRINT_NAMES="none"
> 
> When I run this commandline:
> ra -Z b -F rasqlinsert.conf -r /var/data/nsm/argus/2012-10-14/argus.log.2012-10-14.16\:00\:00.bz2
> 
> It gives me this output:
> 
> 2012-10-14 12:00:14      184.72.15.121      129.110.10.35 36584  53 90          144  e
> 2012-10-14 12:00:14        10.19.1.200     192.124.233.27 60844  80 2142         6038  e
> 2012-10-14 12:00:14        10.19.1.200     192.124.233.27 60845  80 2763         1334  e
> 2012-10-14 12:00:14      184.72.15.121      129.110.10.35 31152  53 90          106  e
> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45333  443 66           66  e
> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45338  443 66           66  e
> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45331  443 66           66  e
> 2012-10-14 12:00:14       10.174.48.37    171.159.100.181 48308  443 66           66  e
> 2012-10-14 12:00:14       10.160.75.17       50.31.149.59 54778  80 862          701  e
> 2012-10-14 12:00:14      10.110.65.158     199.47.217.146 58944  80 245          293  e
> 2012-10-14 12:00:14      69.175.54.106    129.110.180.172 50014  443 60            0  e
> 2012-10-14 12:00:14        10.19.1.200       64.94.107.30 60847  80 694         2900  e
> 2012-10-14 12:00:14        10.19.1.200       64.94.107.30 60846  80 694         2900  e i
> 
> But -Z b should be giving me S SA or PA PA, etc.  What am I doing wrong?
> 
> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20121015/e06fa742/attachment.bin>

More information about the argus mailing list