Question about Filtering Argus Data

Chungen Li jiafei427 at gmail.com
Thu Jun 12 22:11:39 EDT 2014


Hello,

I'm currently developing a system using the ARGUS framework, and I ran into trouble
when trying to use the filtering option in ra (the Argus client).

Following are some results from RA.

$ ../../argus/argus-clients-3.0.6.2/bin/ra -S 127.0.0.1:3434
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
   11:01:56.368794  *           tcp     147.46.112.192.ici       ->     173.194.72.84.https          1         59   CON
   11:01:56.369780  * s         tcp     147.46.208.185.57788     ->    61.239.168.101.16057         6        440   FIN
   11:01:56.370350  *           tcp       210.98.16.36.15890     ->   173.194.127.133.https         1         59   CON
   11:01:56.370355  *           tcp     163.152.69.238.hpvro*    ->     203.84.208.52.https         1         59   CON
   11:01:56.370415  *           tcp      223.195.2.196.59281     ->    173.194.127.73.http          6        593   CON
   11:01:56.370575  *           tcp        210.98.50.5.46496     ->    173.194.127.85.https         5       2511   CON
   11:01:56.370666  *           tcp     163.152.34.179.54862     ->    74.125.128.139.https         1         59   CON
   11:01:56.370982  *           tcp     147.46.188.242.49245     ->    74.125.204.188.hpvro*        1         59   CON
   11:01:56.371008  *           udp       147.46.81.23.33782     ->      219.79.58.17.osmos*        3        267   REQ
   11:01:56.371503  *           tcp     117.16.196.145.40337     ->     173.194.38.70.http          3       1619   CON
   11:01:56.372168  *           tcp       147.46.39.53.qsm-p*    ->    199.59.148.139.https         4        232   CON
   11:01:56.372620  *           udp     203.241.84.210.48613     ->     216.239.32.10.domain        1         93   INT
   11:01:56.373037  *           tcp    163.152.105.227.43465     ->     74.125.203.95.http          1         70   CON
   11:01:56.373097  *           tcp    164.125.174.109.5194      ->    74.125.128.101.https         9       1312   CON
   11:01:56.374016  *           tcp    203.247.182.211.35832     ->     173.194.38.71.https         1         59   CON

Here I just want the Argus records with a packet byte count greater than 100,
so I set the filtering option at the end of the command like this:

$ ../../argus/argus-clients-3.0.6.2/bin/ra -S 127.0.0.1:3434 - bytes gt 10

But this never returns any results, and I don't know why.

Please tell me where I went wrong with that filtering option.

Thanks.


Chungen, Li
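The following is an added example, not part of the original post and not argus or ra code. It parses the default ra column output shown in the question (the records re-joined onto one line each, since the mail client wrapped them) and applies the selection the question asks for, TotBytes greater than 100, on the client side. It is useful for checking, against a small pasted sample, what the server-side filter ought to return. Note that the Flgs column can be blank or contain a space ("* s"), so the parser splits from the right rather than trusting column positions; ra also prints address and port as a single "addr.port" token and truncates long service names with "*".

```python
"""Post-filter ra(1) text output by TotBytes.

Added example for the question above; not argus/ra code.  ra would
normally apply such a selection itself via its filter expression; this
parses ra's default column output instead, which is handy for checking
what a filter ought to return on a sample like the one in the question.
"""
from dataclasses import dataclass
from typing import Iterable, List

# The records from the question, re-joined onto one line each.
RA_OUTPUT = """\
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
   11:01:56.368794  *           tcp     147.46.112.192.ici       ->     173.194.72.84.https          1         59   CON
   11:01:56.369780  * s         tcp     147.46.208.185.57788     ->    61.239.168.101.16057         6        440   FIN
   11:01:56.370350  *           tcp       210.98.16.36.15890     ->   173.194.127.133.https         1         59   CON
   11:01:56.370355  *           tcp     163.152.69.238.hpvro*    ->     203.84.208.52.https         1         59   CON
   11:01:56.370415  *           tcp      223.195.2.196.59281     ->    173.194.127.73.http          6        593   CON
   11:01:56.370575  *           tcp        210.98.50.5.46496     ->    173.194.127.85.https         5       2511   CON
   11:01:56.370666  *           tcp     163.152.34.179.54862     ->    74.125.128.139.https         1         59   CON
   11:01:56.370982  *           tcp     147.46.188.242.49245     ->    74.125.204.188.hpvro*        1         59   CON
   11:01:56.371008  *           udp       147.46.81.23.33782     ->      219.79.58.17.osmos*        3        267   REQ
   11:01:56.371503  *           tcp     117.16.196.145.40337     ->     173.194.38.70.http          3       1619   CON
   11:01:56.372168  *           tcp       147.46.39.53.qsm-p*    ->    199.59.148.139.https         4        232   CON
   11:01:56.372620  *           udp     203.241.84.210.48613     ->     216.239.32.10.domain        1         93   INT
   11:01:56.373037  *           tcp    163.152.105.227.43465     ->     74.125.203.95.http          1         70   CON
   11:01:56.373097  *           tcp    164.125.174.109.5194      ->    74.125.128.101.https         9       1312   CON
   11:01:56.374016  *           tcp    203.247.182.211.35832     ->     173.194.38.71.https         1         59   CON
"""


@dataclass
class Record:
    start_time: str
    flags: str        # Flgs column as printed, e.g. "*" or "* s" (may be empty)
    proto: str
    src: str          # "addr.port" exactly as ra prints it
    direction: str
    dst: str
    total_pkts: int
    total_bytes: int
    state: str


def parse_record(line: str) -> Record:
    """Parse one ra output line.

    The Flgs column may be blank or contain spaces, so the fixed part of
    the record is taken from the right-hand end: State, TotBytes, TotPkts,
    DstAddr, Dir, SrcAddr, Proto.  Whatever lies between StartTime and
    Proto is the flag string.
    """
    t = line.split()
    if len(t) < 8:
        raise ValueError(f"not an ra record: {line!r}")
    state = t[-1]
    total_bytes = int(t[-2])
    total_pkts = int(t[-3])
    dst, direction, src, proto = t[-4], t[-5], t[-6], t[-7]
    flags = " ".join(t[1:-7])
    return Record(t[0], flags, proto, src, direction, dst,
                  total_pkts, total_bytes, state)


def parse_ra_output(text: str) -> List[Record]:
    """Parse ra's default output, skipping blank lines and the column header."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("StartTime"):
            continue
        records.append(parse_record(line))
    return records


def bytes_gt(records: Iterable[Record], threshold: int) -> List[Record]:
    """Client-side equivalent of selecting records whose TotBytes exceeds threshold."""
    return [r for r in records if r.total_bytes > threshold]


if __name__ == "__main__":
    for r in bytes_gt(parse_ra_output(RA_OUTPUT), 100):
        print(f"{r.start_time} {r.proto:4} {r.src:>26} {r.direction} "
              f"{r.dst:<26} {r.total_pkts:>4} {r.total_bytes:>6} {r.state}")
```

On the sample above, a threshold of 100 keeps seven of the fifteen records (440, 593, 2511, 267, 1619, 232 and 1312 bytes); a threshold of 10 keeps all fifteen, since the smallest record is 59 bytes. Comparing the count ra returns with what this script keeps for the same threshold is a quick way to tell whether a filter expression is being applied at all.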