Two questions
Carter Bullard
carter at qosient.com
Thu Jan 31 15:49:26 EST 2013
Hey Craig,
The bash shell is getting in the way, and is trying to convert your "!whitelisted" into a history
command. "!" is a special character, so escape the ! using a backslash. This should work:
label="(?\!whitelisted)"
We have in argus-clients-3.0.7.4, which is on the development server, the ability for you
to suggest which should be the source and destination when it can't be determined from
the traffic. You specify local addresses, and then you can say you want the local on the
left or right, when there is a "?". Works pretty good, but it's all address based, not service
based. We can add that if that is something you think would be useful.
Carter
On Jan 31, 2013, at 2:23 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> Is it possible to do a negative regex match on flow labels? I tried doing a negative lookahead -M label="(?!whitelisted)", but got an error:
>
> -bash: !whitelisted: event not found
>
> I can do a reverse match using egrep if I have to. But negative label matching would be a nice feature.
>
> Second question… When an ra* client connects to argusd or radium and sees a flow that was established before it connected, what is the logic that the client uses to guess the direction of the flow? And is there any way to influence it or control it? It would be great if Argus could use something like an iana label file or NMAP scan so that known open ports on a server would be given precedence as the destination.
>
> Thanks Carter and the rest of the community for all the help!
>
> Craig
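A sketch of the direction heuristic discussed in this thread (prefer the side holding a local address, with Craig's suggested known-open-port preference layered on top), written as an added example that is not argus's own code; the local networks, the port set and the flow records are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass

# Constructed local address ranges; stands in for whatever a site declares as "local".
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
# Constructed set of ports known to be listening on local servers (e.g. from an inventory).
KNOWN_SERVER_PORTS = {22, 80, 443}


@dataclass
class Flow:
    saddr: str
    sport: int
    daddr: str
    dport: int
    dir: str  # "->" when direction was observed, "?" when the client had to guess


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def orient(flow: Flow, local_on_left: bool = True):
    """Return (saddr, sport, daddr, dport, how).

    Only flows whose direction is unknown ("?") are re-oriented. Preference order:
    1. exactly one side uses a known server port: that side becomes the destination;
    2. exactly one side is local: put it on the side requested by local_on_left;
    3. otherwise leave the record as it arrived."""
    if flow.dir != "?":
        return flow.saddr, flow.sport, flow.daddr, flow.dport, "observed"
    s, d = (flow.saddr, flow.sport), (flow.daddr, flow.dport)
    s_srv, d_srv = s[1] in KNOWN_SERVER_PORTS, d[1] in KNOWN_SERVER_PORTS
    if s_srv != d_srv:  # service-based rule: the known port belongs on the right
        return (s + d if d_srv else d + s) + ("service",)
    s_local, d_local = is_local(s[0]), is_local(d[0])
    if s_local != d_local:  # address-based rule: honour the requested side for local
        return (s + d if s_local == local_on_left else d + s) + ("address",)
    return s + d + ("unchanged",)
```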