Request for improvement

[Paul Schmehl]

I'm working on a project the design of which is to insert datetime, srcip, 
dstip, srcport,dstport, sbytes,dbytes,state into a db.

We'll right a front end for this in php (probably) that allows us to answer 
questions like when was the first time this IP talked to a host on our 
network and what host was it.

Since the data are very small, searches should be very fast.

Along with that, we want to design it so that once you've located that 
initial conversation, you can pull up the packets from the argus files (we 
won't be storing payloads in the db) and view the actual payload so you can 
figure out what a host is up to.

So, we can take the info in the db and do something like this:

ra -t yyyy/mm/dd.HH:MM:SS -r /path/to/argus/file - host x.x.x.x and return 
the payloads for that host for that second (or time range)

In testing the -t switch I found it to be very fast in searching for the 
records, but there was something interesting about it.  Once it had found 
all the records, ra didn't exit.  It continued to search.

ISTM the software ought to be able to do something like this;

search for records with a certain timestamp
once it has a return, continue searching until 10 sequential records don't 
match, then exit.

Since timestamps are sequential, there's no point in continuing the search 
once they're found.  There's not going to be any more.

I'm not a programmer, but I imagine this wouldn't be too hard to code up - 
unless I'm unaware of some quirk that would make it very difficult.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell