FW: first time argus

Stefan Szabo via Argus-info argus-info at lists.andrew.cmu.edu
Mon Dec 12 03:27:23 EST 2016 

 

Hi,

 

How can i get a top list incident, with uniq source ip addr?is there any other method?

 

I tryed with this one:

 

ratop -r argus-id5-log.20161208_123757 -sn stime, saddr, ,proto, pkts, dport

 

and then filter for smtp:

 

ratop -r argus-id5-log.20161208_123757 - display 'dst port 25'                                                                                                                        2016/12/08.13:59:49 EET

         StartTime            SrcAddr  Proto  TotPkts  Dport

   23:07:14.100354     188.27.238.167    tcp        3 smtp

   06:25:56.683319        5.15.194.50    tcp        1 smtp

   12:19:01.487103        5.15.198.65    tcp        1 smtp

   12:19:01.916729        5.15.198.65    tcp        1 smtp

   06:25:56.223742        5.15.194.50    tcp        1 smtp

   19:42:53.834723        5.15.192.30    tcp        1 smtp

   20:33:40.012217        5.15.192.30    tcp        1 smtp

   20:33:40.317198        5.15.192.30    tcp        1 smtp

   19:42:53.532708        5.15.192.30    tcp        1 smtp

 

 

What i want is to make an automated script that returnes me the uniq source addr with different destinations, 23-tcp,25-tcp, and so on.

I want to use it in honey project, here is were it all start for me: http://www.team-cymru.org/darknet.html

 

 

 

 

 

From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Friday, November 4, 2016 3:30 PM
To: Stefan Szabo <stefan.szabo at rcs-rds.ro <mailto:stefan.szabo at rcs-rds.ro> >
Subject: Re: [ARGUS] FW: first time argus

 

Hey Stefan,

That is the design, argus generates flow data, with a lot of options, and the ra* clients process the data, with a lot of options.  To manage data archive size you will want to investigate racluster.1, it is the program of choice for semantic compression and data reduction, and of course, compressors like gzip work very well.

 

Hope all is most excellent,

Carter

 

 

On Nov 4, 2016, at 8:49 AM, Stefan Szabo <stefan.szabo at rcs-rds.ro <mailto:stefan.szabo at rcs-rds.ro> > wrote:

 

Hi,

 

So „argus”(server side) doesnt have any other options in order to keep log files smaller.

In order to clean argus log i have to make a script, or a crontab which emptys argus files.

All is done in the client side, ra, ralabel, radium, rasplit,etc.

 

Is that right?

 

 

Thanks!

 

 

From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Friday, November 4, 2016 2:12 PM
To: Stefan Szabo <stefan.szabo at rcs-rds.ro <mailto:stefan.szabo at rcs-rds.ro> >
Subject: Re: [ARGUS] FW: first time argus

 

Hey Stephen,

The concept is that argus generates a specific output and the client programs process that data to get what you want.

 

Use rasplit to generate daily logs.  depending on the amount of flow records your argus generates, you may want daily, hourly or or even x minute oriented files.  to build a daily file, we suggest ...

    rasplit -S localhost -M 1d -w /path/to/your/archive/%Y/%m/argus.%Y.%m.%d

 

All selections from argus data are done on the client side.  Argus data derived from just packets doesn't provide ASs or Country codes, so you will need to enhance the records.  We provide country codes using radium, or any ra*, program, using any number of methods.    Check out the web site under Geo-location for a description.  ASNs are available with the GeoIP library, and provide Originating AS's, also described in the Geo section of 'Using Argus'.

 

Send email if you have any problems.

Carter


On Nov 4, 2016, at 6:49 AM, Stefan Szabo via Argus-info < <mailto:argus-info at lists.andrew.cmu.edu> argus-info at lists.andrew.cmu.edu> wrote:

 

 

From: Stefan Szabo [ <mailto:stefan.szabo at rcs-rds.ro> mailto:stefan.szabo at rcs-rds.ro] 
Sent: Friday, November 4, 2016 12:43 PM
To: ' <mailto:argus-info at lists.andrew.cmu.edu> argus-info at lists.andrew.cmu.edu.' < <mailto:argus-info at lists.andrew.cmu.edu> argus-info at lists.andrew.cmu.edu.>
Subject: first time argus

 

Hi,

 

I installed argus server and client, all working.

I have some questions:

 

Server side – how can it generate daily logs, with “argus -M time 1h” is not working, if I start the server “argus” it makes one file which becames bigger and bigger.

Server side – I only want to extract source IP’s from one ASN, which way is better to do that(server side/client side), any examples?Or from one country if ASN is not a choice.

 

Thanks,

Stefan.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20161212/a7139498/attachment.html>

More information about the argus mailing list