Portrange Support in Argus?

Jason dn1nj4 at gmail.com
Fri Apr 25 12:34:03 EDT 2014


For my purposes, it would be helpful if the ra* clients accepted:
    ra - portrange foo-bar
And internally treated it as:
    ra - port gte foo and lte bar



On Fri, Apr 25, 2014 at 12:31 PM, Carter Bullard <carter at qosient.com> wrote:

> Well, I wouldn’t give up.  We own our own filter compilers, so if you
> can articulate the syntax and what you want it to do, we can probably
> support it.
>
> Carter
>
>
> On Apr 25, 2014, at 8:59 AM, Jason <dn1nj4 at gmail.com> wrote:
>
> Not something more, but I directly map argus filters to tcpdump filters
> when performing bulk searches. I was mistakenly under the impression that
> the clients were leveraging BPFs and it just surprised me today when ra
> didn't support portrange. To be fair, I rarely use portrange.  Basically I
> guess I just need to translate the differences between the two.
>
> Thanks again.
>
>
> On Fri, Apr 25, 2014 at 11:49 AM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey Jason,
>> If it's in libpcap, then argus gets it for free.  But bpf is only
>> applicable to argus packet processing.
>> For the rest of the argus filtering systems, not sure what you would
>> want…we support:
>>
>>    ra - port gte x and lte y
>>
>> is there something else that port range does ???
>>
>> Carter
>>
>> On Apr 25, 2014, at 8:45 AM, Jason <dn1nj4 at gmail.com> wrote:
>>
>> > Hi Carter,
>> >
>> > Are there any plans for argus to support the "portrange" bpf keyword?
>> > I could not find anything in the archives referencing it.
>> >
>> > Thanks!
>> > dn1nj4
>>
>>
>
>
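
The mapping discussed in this thread, as an added example that is not part of the original messages or of the argus code base: a Python helper that rewrites the tcpdump primitive `portrange lo-hi` inside a filter expression into the `port gte lo and lte hi` form given above. The function name, the sample filters, and the parenthesised output (which assumes ra accepts grouping parentheses the way tcpdump does) are assumptions.

```python
import re

# tcpdump "portrange LO-HI", optionally preceded by a direction/protocol qualifier.
_PORTRANGE = re.compile(r"\b(?:(src|dst|tcp|udp)\s+)?portrange\s+(\d+)-(\d+)\b")
MAX_PORT = 65535


def _rewrite(match):
    qualifier, lo, hi = match.group(1), int(match.group(2)), int(match.group(3))
    if qualifier:
        # The thread only establishes the unqualified argus form, so a
        # qualified primitive is rejected rather than guessed at.
        raise ValueError(f"qualified portrange not translated: {match.group(0)!r}")
    if lo > MAX_PORT or hi > MAX_PORT:
        raise ValueError(f"port out of range in {match.group(0)!r}")
    # Normalise a reversed range: a literal "gte 90 and lte 80" would match
    # nothing and silently empty a bulk search.
    lo, hi = min(lo, hi), max(lo, hi)
    # Parentheses (assumed supported by ra) keep a preceding "not" or a
    # neighbouring "or" from splitting the two comparisons.
    return f"(port gte {lo} and lte {hi})"


def tcpdump_to_argus(expr):
    """Rewrite every numeric 'portrange lo-hi' in a tcpdump filter string."""
    out = _PORTRANGE.sub(_rewrite, expr)
    if re.search(r"\bportrange\b", out):
        # Anything left over (service names, odd spacing) must not reach ra
        # unchanged, because ra would reject the keyword.
        raise ValueError(f"untranslated portrange in {expr!r}")
    return out


if __name__ == "__main__":
    # Constructed sample filters.
    for f in ("portrange 6000-6063",
              "host 10.0.0.5 and not portrange 8100-8000",
              "tcp and port 443"):
        print(f"{f!r:45} -> {tcpdump_to_argus(f)!r}")
```

The returned string is the filter expression only; it goes after the `-` separator on the ra command line, as in the commands quoted above.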