Does the -Zb switch have some magic incantation?

Paul Schmehl pschmehl_lists at tx.rr.com
Tue Oct 16 11:04:41 EDT 2012 

Thanks, Carter.  That did the trick.

--On October 15, 2012 8:40:41 PM -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Paul,
> My bad, its the " state " field, not the status field.  I need to double
> check these answers before I fire them off.
>
>   RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs
> state:16
>
> Sorry for any inconvenience,
>
> Carter
>
> On Oct 15, 2012, at 8:28 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey Paul,
>> The -Zb option modifies the " status " field to print the TCP flags if
>> they are available. So you need to add the " status " field to your
>> RA_FIELD_SPECIFIER.  And give it some additional size from the default 4
>> chars.
>>
>>   RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs
>>   status:16
>>
>> Carter
>>
>> On Oct 15, 2012, at 4:51 PM, Paul Schmehl <pschmehl_lists at tx.rr.com>
>> wrote:
>>
>>> I'm working on an rasqlinsert routine for feeding a database with argus
>>> data.  I have one last hurdle to overcome.
>>>
>>> Here's my conf file:
>>> RA_TIME_FORMAT="%G-%m-%d %T
>>> RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs
>>> RA_PRINT_NAMES="none"
>>>
>>> When I run this commandline:
>>> ra -Z b -F rasqlinsert.conf -r
>>> /var/data/nsm/argus/2012-10-14/argus.log.2012-10-14.16\:00\:00.bz2
>>>
>>> It gives me this output:
>>>
>>> 2012-10-14 12:00:14      184.72.15.121      129.110.10.35 36584  53 90
>>> 144  e 2012-10-14 12:00:14        10.19.1.200     192.124.233.27 60844
>>> 80 2142         6038  e 2012-10-14 12:00:14        10.19.1.200
>>> 192.124.233.27 60845  80 2763         1334  e 2012-10-14 12:00:14
>>> 184.72.15.121      129.110.10.35 31152  53 90          106  e
>>> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45333  443 66
>>> 66  e 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45338
>>> 443 66           66  e 2012-10-14 12:00:14       10.174.48.37
>>> 171.161.148.172 45331  443 66           66  e 2012-10-14 12:00:14
>>> 10.174.48.37    171.159.100.181 48308  443 66           66  e
>>> 2012-10-14 12:00:14       10.160.75.17       50.31.149.59 54778  80 862
>>> 701  e 2012-10-14 12:00:14      10.110.65.158     199.47.217.146 58944
>>> 80 245          293  e 2012-10-14 12:00:14      69.175.54.106
>>> 129.110.180.172 50014  443 60            0  e 2012-10-14 12:00:14
>>> 10.19.1.200       64.94.107.30 60847  80 694         2900  e 2012-10-14
>>> 12:00:14        10.19.1.200       64.94.107.30 60846  80 694
>>> 2900  e i
>>>
>>> But -Z b should be giving me S SA or PA PA, etc.  What am I doing wrong?
>>>
>>> --
>>> Paul Schmehl, Senior Infosec Analyst
>>> As if it wasn't already obvious, my opinions
>>> are my own and not those of my employer.
>>> *******************************************
>>> "It is as useless to argue with those who have
>>> renounced the use of reason as to administer
>>> medication to the dead." Thomas Jefferson
>>> "There are some ideas so wrong that only a very
>>> intelligent person could believe in them." George Orwell
>>>
>>>
>>
>
>



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

More information about the argus mailing list