Argus-info Digest, Vol 96, Issue 27

CS Lee geek00l at gmail.com
Sun Aug 11 21:53:53 EDT 2013


hi Dave,

I have experience where the filter doesn't work if it is in the middle of the
command line (been using argus on many platforms), therefore I always
practice the filter with the - after the rest of the command arguments as it
works on all platforms. I think it's better to use best practice so we don't
need to worry about "does it work here, or there" kind of trouble.

Cheers ;)


On Mon, Aug 12, 2013 at 12:00 AM, <argus-info-request at lists.andrew.cmu.edu> wrote:

> Today's Topics:
>
>    1. Re:  Argus Client Command Line Arguments (David Edelman)
>    2. Re:  Argus Client Command Line Arguments (Carter Bullard)
>    3.  Argus on Security Onion (David Edelman)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 10 Aug 2013 20:21:37 -0400
> From: "David Edelman" <dedelman at iname.com>
> Subject: Re: [ARGUS] Argus Client Command Line Arguments
> To: "'Carter Bullard'" <carter at qosient.com>
> Cc: 'Argus' <argus-info at lists.andrew.cmu.edu>
> Message-ID: <087301ce9628$bf788d10$3e69a730$@iname.com>
> Content-Type: text/plain;       charset="us-ascii"
>
> I did a few more tests and it seems that the mid-line filter is being
> recognized correctly on my 64-bit FC 18 system.
>
> --Dave
>
>
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Saturday, August 10, 2013 10:02 AM
> To: David Edelman
> Cc: Argus
> Subject: Re: Argus Client Command Line Arguments
>
> Hey Dave,
> I think that this is incorrect, as a single - should be end of parameters
> and the beginning of the filter.  But getopt() on some Linux machines is
> using -- as a terminating condition now, which seems new(er) and may compel
> us to move to a double -- in our documentation.
>
> The real question is " does the filter work "?  On many systems
> it won't get parsed as a filter expression, as getopt() may see
> them as options to pass to the getopt() parameter parser.
> Our current logic is, anything after parsing options, pass as a filter.
>
> So this is not as it was intended...
> So how did you like Richard's book???
>
> Carter
>
> On Aug 9, 2013, at 7:03 PM, "David Edelman" <dedelman at iname.com> wrote:
>
> > Carter,
> >
> > In Richard Bejtlich's new book he does include examples of using Argus and
> > some of the clients but he consistently puts the BPF filter arguments in the
> > middle of the argument string preceded by the isolated minus sign e.g.:
> > # racluster -r filename.argus - tcp  and src port 80  -s +sappbytes
> >
> > I just attempted to do that on one of my systems and it does work. Is this
> > intended behavior that will be supported over the long term? I had always
> > considered the isolated minus sign as terminating option string processing.
> > If it is actually a non-terminal escape from option processing then the
> > current use makes sense.
> >
> > --Dave
> >
> >
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 10 Aug 2013 21:06:01 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Argus Client Command Line Arguments
> To: David Edelman <dedelman at iname.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <AC973AF7-9092-40DF-A23D-AB65DC97DB4C at qosient.com>
> Content-Type: text/plain;       charset=us-ascii
>
> Well, I'm a much better programmer than I thought ;O)
> I don't expect it to work on all systems, so we'll have to
> keep an eye on bug reports !!!
>
> Carter
>
> ------------------------------
>
> Message: 3
> Date: Sat, 10 Aug 2013 22:36:40 -0400
> From: "David Edelman" <dedelman at iname.com>
> Subject: [ARGUS] Argus on Security Onion
> To: "'Carter Bullard'" <carter at qosient.com>
> Cc: 'Argus' <argus-info at lists.andrew.cmu.edu>
> Message-ID: <087601ce963b$9d400b20$d7c02160$@iname.com>
> Content-Type: text/plain;       charset="us-ascii"
>
> I've spent a little bit of time playing with the Security Onion distribution
> and it's pretty good. Of course, it doesn't use the Argus development code
> branch (I'll fix that on my copy :) ) and it is very basic in its approach
> to the way it deals with Argus data. It creates a single output file per day
> and there aren't any options that I have been able to find to change that.
>
> I do know how Argus gets started (and restarted) and I'll just modify that
> to check for the availability of an argus.conf file. If the file exists,
> I'll use it, otherwise I'll use the BFI (Brute Force and Ignorance) mechanism
> that already exists. SO makes extensive use of MySQL so I don't see any
> reason to not use the argus->radium->rastream/rasqlinsert-1/rasqlinsert-2/whatever
> approach. I promise to keep the BPF stuff at the end of my command lines.
>
> I'll let you know  if I see folks with torches coming my way.
>
> --Dave
>
> ------------------------------
>



-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
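The two getopt() behaviours the thread argues about (stopping at the lone - versus scanning on past it and permuting argv) can be reproduced with Python's getopt module, which implements both flavours. This is an added example, not argus client code: SHORT_OPTS, split_cmdline and is_portable are assumed names, and only the two options in the quoted racluster line are modelled.

```python
import getopt
import os

# Options of the racluster invocation quoted in the thread: -r <file>, -s <fields>.
# Only these two are modelled; this is not the argus client's own option table.
SHORT_OPTS = "r:s:"

# Constructed from the thread's example command line, split into argv tokens.
BOOK_STYLE = ["-r", "filename.argus", "-", "tcp", "and", "src", "port", "80",
              "-s", "+sappbytes"]
# Same invocation with the filter last, as CS Lee recommends.
FILTER_LAST = ["-r", "filename.argus", "-s", "+sappbytes", "-", "tcp", "and",
               "src", "port", "80"]


def split_cmdline(argv, permute):
    """Return (opts, filter) as a getopt-based client would see them.

    permute=True  models glibc's default: argv is permuted, a lone '-' is an
                  ordinary non-option and scanning continues past it.
    permute=False models POSIX getopt: scanning stops at the first non-option.
    """
    if permute:
        saved = os.environ.pop("POSIXLY_CORRECT", None)  # force permuting mode
        try:
            opts, rest = getopt.gnu_getopt(argv, SHORT_OPTS)
        finally:
            if saved is not None:
                os.environ["POSIXLY_CORRECT"] = saved
    else:
        opts, rest = getopt.getopt(argv, SHORT_OPTS)
    # Whatever is left after option parsing is the filter; a leading lone '-'
    # separator is dropped (assumed convention, not argus's own code).
    if rest and rest[0] == "-":
        rest = rest[1:]
    return opts, " ".join(rest)


def is_portable(argv):
    """True if both getopt flavours agree on the options and the filter."""
    return split_cmdline(argv, True) == split_cmdline(argv, False)


if __name__ == "__main__":
    for name, argv in (("book style", BOOK_STYLE), ("filter last", FILTER_LAST)):
        for permute in (True, False):
            opts, flt = split_cmdline(argv, permute)
            print(f"{name:12s} permute={permute!s:5s} opts={opts} filter={flt!r}")
        print(f"{name:12s} portable={is_portable(argv)}")
```

With the book-style ordering the non-permuting parser leaves "-s +sappbytes" inside the BPF filter, which is why the same command can work on one system and fail on another; is_portable() is a cheap lint for scripts that wrap the ra clients.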

