Argus-info Digest, Vol 96, Issue 27

David Edelman dedelman at iname.com
Mon Aug 12 22:55:59 EDT 2013


I agree with the maxim of being liberal about what you accept and conservative
about what you send; it makes life easier for all involved. It's also why I
very frequently use -X to get to a known state before I try anything for the
first time.
 
Unfortunately, there are a bunch of people who have seen the BPF parameters
work even when they are not at the end of the command line, and they will
come to anticipate it as normal behavior. I guess that we could mention
this to Richard for an errata entry.
 
---Dave
 
 
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu On
Behalf Of CS Lee
Sent: Sunday, August 11, 2013 9:54 PM
To: Argus
Subject: Re: [ARGUS] Argus-info Digest, Vol 96, Issue 27
 
hi Dave,
 
I have experience where the filter doesn't work if it is in the middle of the
command line (I've been using argus on many platforms), therefore I always
practice the filter with the - after the rest of the command arguments, as it
works on all platforms. I think it's better to use best practice so we don't
need to worry about "does it work here, or there" kinds of trouble.
 
Cheers ;)
 
On Mon, Aug 12, 2013 at 12:00 AM, <argus-info-request at lists.andrew.cmu.edu> wrote:

Today's Topics:

   1. Re:  Argus Client Command Line Arguments (David Edelman)
   2. Re:  Argus Client Command Line Arguments (Carter Bullard)
   3.  Argus on Security Onion (David Edelman)


----------------------------------------------------------------------

Message: 1
Date: Sat, 10 Aug 2013 20:21:37 -0400
From: "David Edelman" <dedelman at iname.com>
Subject: Re: [ARGUS] Argus Client Command Line Arguments
To: "'Carter Bullard'" <carter at qosient.com>
Cc: 'Argus' <argus-info at lists.andrew.cmu.edu>
Message-ID: <087301ce9628$bf788d10$3e69a730$@iname.com>
Content-Type: text/plain; charset="us-ascii"

I did a few more tests and it seems that the mid-line filter is being
recognized correctly on my 64-bit FC 18 system.

--Dave


-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Saturday, August 10, 2013 10:02 AM
To: David Edelman
Cc: Argus
Subject: Re: Argus Client Command Line Arguments

Hey Dave,
I think that this is incorrect, as a single - should be the end of parameters
and the beginning of the filter.  But getopt() on some Linux machines is
using -- as a terminating condition now, which seems new(er) and may compel
us to move to a double -- in our documentation.

The real question is "does the filter work"?  On many systems
it won't get parsed as a filter expression, as getopt() may see
them as options to pass to the getopt() parameter parser.
Our current logic is: anything after parsing options, pass as a filter.

So this is not as it was intended...
So how did you like Richard's book???

Carter

On Aug 9, 2013, at 7:03 PM, "David Edelman" <dedelman at iname.com> wrote:

> Carter,
>
> In Richard Bejtlich's new book he does include examples of using Argus and
> some of the clients, but he consistently puts the BPF filter arguments in
> the middle of the argument string, preceded by the isolated minus sign, e.g.:
> # racluster -r filename.argus - tcp and src port 80 -s +sappbytes
>
> I just attempted to do that on one of my systems and it does work. Is this
> intended behavior that will be supported over the long term? I had always
> considered the isolated minus sign as terminating option string processing.
> If it is actually a non-terminal escape from option processing then the
> current use makes sense.
>
> --Dave
>
>



------------------------------

Message: 2
Date: Sat, 10 Aug 2013 21:06:01 -0400
From: Carter Bullard <carter at qosient.com>
Subject: Re: [ARGUS] Argus Client Command Line Arguments
To: David Edelman <dedelman at iname.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Message-ID: <AC973AF7-9092-40DF-A23D-AB65DC97DB4C at qosient.com>
Content-Type: text/plain; charset=us-ascii

Well, I'm a much better programmer than I thought ;O)
I don't expect it to work on all systems, so we'll have to
keep an eye on bug reports !!!

Carter



------------------------------

Message: 3
Date: Sat, 10 Aug 2013 22:36:40 -0400
From: "David Edelman" <dedelman at iname.com>
Subject: [ARGUS] Argus on Security Onion
To: "'Carter Bullard'" <carter at qosient.com>
Cc: 'Argus' <argus-info at lists.andrew.cmu.edu>
Message-ID: <087601ce963b$9d400b20$d7c02160$@iname.com>
Content-Type: text/plain; charset="us-ascii"

I've spent a little bit of time playing with the Security Onion distribution
and it's pretty good. Of course, it doesn't use the Argus development code
branch (I'll fix that on my copy :) ) and it is very basic in its approach
to the way it deals with Argus data. It creates a single output file per day
and there aren't any options that I have been able to find to change that.

I do know how Argus gets started (and restarted) and I'll just modify that
to check for the availability of an argus.conf file. If the file exists,
I'll use it; otherwise I'll use the BFI (Brute Force and Ignorance) mechanism
that already exists. SO makes extensive use of MySQL, so I don't see any
reason to not use the
argus->radium->rastream/rasqlinsert-1/rasqlinsert-2/whatever approach. I
promise to keep the BPF stuff at the end of my command lines.

I'll let you know if I see folks with torches coming my way.

--Dave




------------------------------




 
-- 
Best Regards,

CS Lee <geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
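The getopt() behaviour Carter describes, as an added example that is not code from the Argus project or from anyone in this thread: a small C parser with a stand-in option set (-r and -s only, an assumption, not racluster's real option table) applies the rule "anything after parsing options, pass as a filter" to the command line from Richard's book, once in GNU permuting order and once with a leading '+' forcing POSIX order. In permuting order the trailing -s +sappbytes is consumed as an option and the filter is just the BPF text; in POSIX order scanning stops at the lone -, so -s and its argument leak into the filter expression, which is why keeping the filter last works everywhere.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct parse_result {
    char sfields[64];   /* argument of -s, or "" if -s was never consumed */
    char filter[256];   /* leftover words joined by single spaces */
};

/* Apply the thread's rule ("anything after parsing options, pass as a
 * filter") to a private copy of argv, because getopt_long() permutes argv
 * in place.  posix_order=1 prefixes the optstring with '+', which stops
 * scanning at the first non-option, as a plain POSIX/BSD getopt() always
 * does.  A lone "-" heading the leftovers is dropped as the filter marker.
 * Returns the number of filter words, or -1 on a bad option / too many args. */
static int parse_argus_style(int argc, char *const *argv, int posix_order,
                             struct parse_result *res)
{
    static const struct option no_long_opts[] = {{0, 0, 0, 0}};
    const char *optstring = posix_order ? "+r:s:" : "r:s:";
    char *copy[32];
    int c, i, nwords = 0;
    if (argc > (int)(sizeof copy / sizeof *copy))
        return -1;
    memcpy(copy, argv, argc * sizeof *copy);
    memset(res, 0, sizeof *res);
#ifdef __linux__
    optind = 0;             /* glibc and musl: 0 forces a full re-initialisation */
#else
    optind = 1;             /* BSD/macOS additionally want optreset = 1 here */
#endif
    opterr = 0;
    while ((c = getopt_long(argc, copy, optstring, no_long_opts, NULL)) != -1) {
        if (c == 's')
            snprintf(res->sfields, sizeof res->sfields, "%s", optarg);
        else if (c != 'r')  /* -r's file name is not needed for this demo */
            return -1;
    }
    i = optind;
    if (i < argc && strcmp(copy[i], "-") == 0)
        i++;                /* the isolated '-' introduces the filter */
    for (; i < argc; i++, nwords++) {
        if (nwords > 0)
            strncat(res->filter, " ", sizeof res->filter - strlen(res->filter) - 1);
        strncat(res->filter, copy[i], sizeof res->filter - strlen(res->filter) - 1);
    }
    return nwords;
}
```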