Argus query
Noman Muneer
nomanmuneer at gmail.com
Mon May 4 17:33:11 EDT 2015
Hi,
I am running Argus in Security Onion and I am having trouble with creating
a query for the following task :
I need to find persistent connections on our network that have been up for
an extended amount of time (1 day) and have been transmitting data
intermittently over an interval of time (the interval being specified by
management).
I had initially tried to make the script using Bro but ran into issues with
some limitations of that platform. I then realized that Argus would be a
much better solution as i can query the session data and pull the
information. Unfortunately I have limited experience with Argus which has
resulted in a bit of frustration when crafting the query.
What I have thus far :
Because, for some reason, Argus is not writing live data to argus.out I
have decided to run the query on older log files... so every day the query
will be run on the previous days log.
racluster -Mnorep -r /etc/nsm/sensor_data/argus/2015-05-01.log - "ip" -w -
| ra -s +dur:15 - "dur gt 2600"
Please note the above query is very heavily inspired by the input of a gent
from the security onion mailing list.
Any help or guidance you are able to provide in this matter will be greatly
appreciated indeed.
Kind Regards,
Muneer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150504/40d1e230/attachment.html>
More information about the argus
mailing list