pcr filtering
Carter Bullard
carter at qosient.com
Tue Apr 22 11:32:35 EDT 2014
Hey CS Lee, et al.
A new argus-clients-3.0.7.24 is on the server. Available here:
http://qosient.com/argus/dev/argus-clients-latest.tar.gz
Fixes all the filter issues with pcr, which also affected some
of the other metadata filters, like rate, load, etc…
This also has a lot of man page additions.
This version should be good for release. If you find anything
wrong, please holler !!!!
Thanks !!!
Carter
On Apr 21, 2014, at 6:42 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey CS Lee,
> Yes, I have a fix in the 24 code, just haven't had a chance to push it up. My fault, should get something up, hopefully today/tonight !!!
>
> Carter
>
> On Apr 19, 2014, at 10:20 AM, CS Lee <geek00l at gmail.com> wrote:
>
>> hi Carter,
>>
>> I think I encountered the same issue as Jess regarding pcr filtering -
>>
>> ra -nr test.arg3 -s saddr daddr pcr - 'pcr lt 0.5'
>> SrcAddr DstAddr PCRatio
>> 192.168.221.1 192.168.221.128 -0.319952
>> 192.168.221.1 192.168.221.128 -0.138358
>> 192.168.221.1 192.168.221.128 0.814701
>> 192.168.221.1 192.168.221.128 0.996873
>> 192.168.221.1 192.168.221.128 1.000000
>>
>> ra -b -nr test.arg3 -s saddr daddr pcr - 'pcr lt 0.5'
>> (000) ldb hdr[0]
>> (001) and #16
>> (002) jeq #0x10 jt 3 jf 6
>> (003) ldf hdr[360]
>> (004) jge #0.500000 jt 6 jf 5
>> (005) ret #150
>> (006) ret #0
>>
>> Non-matching flows also show up in the filter. By the way, I'm using argus client 3.0.7.23 on Ubuntu Linux.
>>
>>
>> --
>> Best Regards,
>>
>> CS Lee<geek00L[at]gmail.com>
>>
>> http://geek00l.blogspot.com
>> http://defcraft.com.my