Argus conversion v2 to v3?

unFrigidaire Américain frigidaire.americain at gmail.com
Tue Jun 25 12:52:49 EDT 2013


On Tue, Jun 25, 2013 at 6:29 PM, Carter Bullard <carter at qosient.com> wrote:
> I could not read the file using argus-clients-2.0.6.fixes.1 ra().
> The first record says it's from argus-v1.33, is that reasonable?

Nope :)
I use these Debian packages:

http://ftp.ch.debian.org/debian/pool/main/a/argus-client/argus-client_2.0.6.fixes.1-3_amd64.deb
http://ftp.ch.debian.org/debian/pool/main/a/argus/argus-server_2.0.6.fixes.1-16.3_amd64.deb

And I forgot to mention that I was working on AMD64, both on server
and client. Sorry!

> Set variables in a rarc file to print your fields and to generate csv files.
> ../..
> Then this should work.
>
>>   $ ./2.0.6/bin/ra -F /tmp/rarc -unnr argus.log > argus.ascii
>>   $ ./3.0.6/bin/raconvert -r argus.ascii

raconvert's output does not look good :(

         StartTime      Flgs  Proto            SrcAddr  Sport   Dir        DstAddr  Dport  TotPkts   TotBytes State
   00:36:48.000000
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   02:19:19.000048
   ...

Even if the CSV export seems ok:

1021395279.325940,0.031880,,man,1.0.1.1,v2.0,1,0,0,0,0,0,STA
1021395279.325940,0.031880,,man,1.0.1.1,v2.0,1,0,0,0,0,0,STA
1021395282.852700,32.054123,,17,1.0.1.1,44682,<->,1.0.2.1,123,2,2,180,180,CON
1021395279.435266,36.667449,,3452,0:15:2c:6e:b0:0,,<->,0:e0:f4:1b:b8:51,,183,114,20010,35332,CON
1021395287.682149,19.992290,,3686,0:1f:6d:17:b8:16,,->,0:1f:6d:17:b8:16,,3,0,180,0,INT
1021395280.604140,3.638318,,6,1.0.3.1,31537,->,1.0.1.1,443,22,20,2162,10140,RST
1021395288.440882,0.000000,,2054,1.0.1.2,,who-has,1.0.1.3,,1,0,60,0,INT
1021395299.349734,7.250045,,6,100.0.1.1,26430,->,1.0.1.1,80,50,49,7114,25639,CON
1021395292.904599,0.000000,,2054,1.0.1.2,,who-has,1.0.1.4,,1,0,60,0,INT
1021395285.320668,30.388476,,17,1.0.1.5,23075,->,224.0.1.1,55928,6,0,2019,0,CON
1021395280.615129,20.991186,,2054,1.0.1.2,,who-has,1.0.1.6,,3,0,180,0,INT
1021395305.525826,0.000000,,1,197.0.1.1,,->,1.0.1.1,,1,0,98,0,ECO
1021395280.652920,33.265715,,2054,1.0.1.2,,who-has,1.0.1.7,,5,0,300,0,INT
1021395310.903531,0.000337,,17,1.0.1.1,24130,<->,1.0.4.1,123,1,1,90,90,CON
1021395304.872697,0.026107,,17,1.0.1.1,30021,<->,1.0.5.1,123,1,1,90,90,CON
1021395280.229707,34.069973,,0,0:1f:6d:17:b8:16,0x42,->,1:80:c2:0:0:0,0x42,18,0,1080,0,INT
1021395280.380382,30.556078,,2054,1.0.1.2,,who-has,1.0.1.8,,6,0,360,0,INT
1021395290.867798,9.068694,,2054,1.0.1.2,,who-has,1.0.1.9,,2,0,120,0,INT
1021395280.308278,30.138182,,2054,1.0.1.2,,who-has,1.0.1.10,,6,0,360,0,INT
1021395308.736875,0.000000,,17,1.0.1.11,44893,->,224.0.0.2,60808,1,0,426,0,CON
1021395297.624495,7.133521,,2054,1.0.1.2,,who-has,1.0.1.12,,2,0,120,0,INT
1021395297.718750,1.402578,,6,1.0.6.1,50139,->,1.0.1.1,80,8,9,846,5183,FIN
1021395306.529123,0.000000,,1,197.0.1.1,,->,1.0.1.1,,1,0,98,0,ECO
1021395297.753289,0.000000,,2054,1.0.1.2,,who-has,1.0.1.13,,1,0,60,0,INT
1021395312.848272,0.940555,,6,1.0.7.1,40894,->,1.0.1.1,80,82,114,5868,166877,FIN
1021395281.940375,6.997037,,2054,1.0.1.2,,who-has,1.0.1.14,,2,0,120,0,INT
1021395279.399110,0.000000,,2054,1.0.1.2,,who-has,1.0.1.15,,1,0,60,0,INT
1021395280.850133,0.901986,,6,1.0.7.1,39673,->,1.0.1.1,80,6,5,790,731,FIN
1021395302.287176,0.000000,,17,1.0.1.11,41779,->,224.0.0.2,60808,1,0,810,0,CON
1021395282.722160,31.472303,,3452,0:15:2c:6e:b0:0,,->,33:33:0:0:0:1,,7,0,826,0,INT
1021395279.357820,36.773476,,man,1.0.1.1,v2.0,29,0,738,0,288821,28,SHT
1262282061.698983,0.031880,,man,1.0.1.1,v2.0,1,0,0,0,0,0,STA
1262282065.225743,32.054123,,17,1.0.1.1,61221,<->,1.0.2.1,123,2,2,180,180,CON
1262282061.808309,36.667449,,3452,0:15:2c:6e:b0:0,,<->,0:e0:f4:1b:b8:51,,183,114,20010,35332,CON
1262282070.055192,19.992290,,3686,0:1f:6d:17:b8:16,,->,0:1f:6d:17:b8:16,,3,0,180,0,INT
1262282062.977183,3.638318,,6,1.0.3.1,48076,->,1.0.1.1,443,22,20,2162,10140,RST
1262282070.813925,0.000000,,2054,1.0.1.2,,who-has,1.0.1.3,,1,0,60,0,INT
1262282081.722777,7.250045,,6,100.0.1.1,42969,->,1.0.1.1,80,50,49,7114,25639,CON
1262282075.277642,0.000000,,2054,1.0.1.2,,who-has,1.0.1.4,,1,0,60,0,INT
1262282067.693711,30.388476,,17,1.0.1.5,39614,->,224.0.1.1,6931,6,0,2019,0,CON
1262282062.988172,20.991186,,2054,1.0.1.2,,who-has,1.0.1.6,,3,0,180,0,INT
1262282087.898869,0.000000,,1,197.0.1.1,,->,1.0.1.1,,1,0,98,0,ECO
1262282063.025963,33.265715,,2054,1.0.1.2,,who-has,1.0.1.7,,5,0,300,0,INT
1262282093.276574,0.000337,,17,1.0.1.1,40669,<->,1.0.4.1,123,1,1,90,90,CON
1262282087.245740,0.026107,,17,1.0.1.1,46560,<->,1.0.5.1,123,1,1,90,90,CON
1262282062.602750,34.069973,,0,0:1f:6d:17:b8:16,0x42,->,1:80:c2:0:0:0,0x42,18,0,1080,0,INT
1262282062.753425,30.556078,,2054,1.0.1.2,,who-has,1.0.1.8,,6,0,360,0,INT
1262282073.240841,9.068694,,2054,1.0.1.2,,who-has,1.0.1.9,,2,0,120,0,INT
1262282062.681321,30.138182,,2054,1.0.1.2,,who-has,1.0.1.10,,6,0,360,0,INT
1262282091.109918,0.000000,,17,1.0.1.11,61432,->,224.0.0.2,11811,1,0,426,0,CON
1262282079.997538,7.133521,,2054,1.0.1.2,,who-has,1.0.1.12,,2,0,120,0,INT
1262282080.091793,1.402578,,6,1.0.6.1,1142,->,1.0.1.1,80,8,9,846,5183,FIN
1262282088.902166,0.000000,,1,197.0.1.1,,->,1.0.1.1,,1,0,98,0,ECO
1262282080.126332,0.000000,,2054,1.0.1.2,,who-has,1.0.1.13,,1,0,60,0,INT
1262282095.221315,0.940555,,6,1.0.7.1,57433,->,1.0.1.1,80,82,114,5868,166877,FIN
1262282064.313418,6.997037,,2054,1.0.1.2,,who-has,1.0.1.14,,2,0,120,0,INT
1262282061.772153,0.000000,,2054,1.0.1.2,,who-has,1.0.1.15,,1,0,60,0,INT
1262282063.223176,0.901986,,6,1.0.7.1,56212,->,1.0.1.1,80,6,5,790,731,FIN
1262282084.660219,0.000000,,17,1.0.1.11,58318,->,224.0.0.2,11811,1,0,810,0,CON
1262282065.095203,31.472303,,3452,0:15:2c:6e:b0:0,,->,33:33:0:0:0:1,,7,0,826,0,INT
1262282061.730863,36.773476,,man,1.0.1.1,v2.0,29,0,738,0,288821,28,SHT
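
A structural check that can be run on a CSV export like the one above before handing it to a converter. This is an added example, not part of the original post and not Argus project code; the sample rows are copied from the post. It assumes the fourth column carries the protocol (with `man` marking management records) and that `STA`/`SHT` in the last column open and close a capture session.

```python
import csv
import io
from collections import Counter

# Subset of the CSV export shown in the post.
SAMPLE = """\
1021395279.325940,0.031880,,man,1.0.1.1,v2.0,1,0,0,0,0,0,STA
1021395282.852700,32.054123,,17,1.0.1.1,44682,<->,1.0.2.1,123,2,2,180,180,CON
1021395288.440882,0.000000,,2054,1.0.1.2,,who-has,1.0.1.3,,1,0,60,0,INT
1021395279.357820,36.773476,,man,1.0.1.1,v2.0,29,0,738,0,288821,28,SHT
1262282061.698983,0.031880,,man,1.0.1.1,v2.0,1,0,0,0,0,0,STA
1262282062.977183,3.638318,,6,1.0.3.1,48076,->,1.0.1.1,443,22,20,2162,10140,RST
1262282061.730863,36.773476,,man,1.0.1.1,v2.0,29,0,738,0,288821,28,SHT
"""

PROTO_COL = 3  # assumption: 4th column is the protocol / "man" marker


def summarize(text):
    """Return (field-count histogram per record kind, list of sessions)."""
    widths = Counter()
    sessions = []
    current = None
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= PROTO_COL:
            widths[("short", len(row))] += 1  # truncated or empty line
            continue
        kind = "man" if row[PROTO_COL] == "man" else "flow"
        widths[(kind, len(row))] += 1
        state = row[-1]
        if kind == "man" and state == "STA":
            # A start record opens a new session (assumed meaning of STA).
            current = {"start": float(row[0]), "flows": 0, "closed": False}
            sessions.append(current)
        elif kind == "man" and state == "SHT":
            if current is not None:
                current["closed"] = True
            current = None
        elif kind == "flow" and current is not None:
            current["flows"] += 1
    return widths, sessions


if __name__ == "__main__":
    widths, sessions = summarize(SAMPLE)
    for (kind, n), count in sorted(widths.items()):
        print(f"{kind:5s} records with {n} fields: {count}")
    for s in sessions:
        print(f"session start={s['start']:.6f} flows={s['flows']} closed={s['closed']}")
```

On these rows the management records carry 13 fields and the flow records 14, and the export contains two sessions whose start times are years apart.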


