Does the -Zb switch have some magic incantation?

Carter Bullard carter at qosient.com
Mon Oct 15 20:40:41 EDT 2012 

Hey Paul,
My bad, its the " state " field, not the status field.  I need to double check these answers before I fire them off.

  RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs state:16

Sorry for any inconvenience,

Carter

On Oct 15, 2012, at 8:28 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Paul,
> The -Zb option modifies the " status " field to print the TCP flags if they are available.
> So you need to add the " status " field to your RA_FIELD_SPECIFIER.  And give it some
> additional size from the default 4 chars.
> 
>   RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs status:16
> 
> Carter
> 
> On Oct 15, 2012, at 4:51 PM, Paul Schmehl <pschmehl_lists at tx.rr.com> wrote:
> 
>> I'm working on an rasqlinsert routine for feeding a database with argus data.  I have one last hurdle to overcome.
>> 
>> Here's my conf file:
>> RA_TIME_FORMAT="%G-%m-%d %T
>> RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs
>> RA_PRINT_NAMES="none"
>> 
>> When I run this commandline:
>> ra -Z b -F rasqlinsert.conf -r /var/data/nsm/argus/2012-10-14/argus.log.2012-10-14.16\:00\:00.bz2
>> 
>> It gives me this output:
>> 
>> 2012-10-14 12:00:14      184.72.15.121      129.110.10.35 36584  53 90          144  e
>> 2012-10-14 12:00:14        10.19.1.200     192.124.233.27 60844  80 2142         6038  e
>> 2012-10-14 12:00:14        10.19.1.200     192.124.233.27 60845  80 2763         1334  e
>> 2012-10-14 12:00:14      184.72.15.121      129.110.10.35 31152  53 90          106  e
>> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45333  443 66           66  e
>> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45338  443 66           66  e
>> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45331  443 66           66  e
>> 2012-10-14 12:00:14       10.174.48.37    171.159.100.181 48308  443 66           66  e
>> 2012-10-14 12:00:14       10.160.75.17       50.31.149.59 54778  80 862          701  e
>> 2012-10-14 12:00:14      10.110.65.158     199.47.217.146 58944  80 245          293  e
>> 2012-10-14 12:00:14      69.175.54.106    129.110.180.172 50014  443 60            0  e
>> 2012-10-14 12:00:14        10.19.1.200       64.94.107.30 60847  80 694         2900  e
>> 2012-10-14 12:00:14        10.19.1.200       64.94.107.30 60846  80 694         2900  e i
>> 
>> But -Z b should be giving me S SA or PA PA, etc.  What am I doing wrong?
>> 
>> -- 
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
>> "There are some ideas so wrong that only a very
>> intelligent person could believe in them." George Orwell
>> 
>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20121015/c4c6d187/attachment.bin>

More information about the argus mailing list