first time argus

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Mon Dec 12 14:18:02 EST 2016


Hey Stefan,
You will want to aggregate your records for the fields you want, and then sort to generate your report.  Please read the man page for racluster.1 and ratop.1.

Using racluster and ratop, you will want to use the -m option to aggregate based on saddr, and then sort based on some metric, like total pkts.

   racluster -m saddr -r argus-id5-log2016.123757 -s stime saddr proto dport pkts -w - - dst port 25 |  \
   rasort -m pkts

Using ratop

ratop -m saddr -r argus-id5-log2016.123757 -s stime saddr proto dport pkts  - dst port 25 

Then while in ratop, type ‘:P’ to show the sort priority, and type over the field at the bottom of the screen to make it ‘pkts’.

Carter
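The aggregate-then-sort report described above, as an added example that is not from this thread or the argus project: it reproduces in Python what `racluster -m saddr ... | rasort -m pkts` does, over the text columns ratop prints (StartTime SrcAddr Proto TotPkts Dport), and also answers the "unique source with several destination ports" question by filtering on the number of distinct dport/proto pairs per source. The input is a constructed sample in documentation address ranges.

```python
# Added example (not argus project code): aggregate ratop-style rows by saddr,
# sort by total packets, and list sources that hit several destination ports.
from collections import defaultdict

# Constructed sample in the column layout ratop printed in the thread;
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE = """\
         StartTime            SrcAddr  Proto  TotPkts  Dport
   23:07:14.100354        192.0.2.10    tcp        3 smtp
   06:25:56.683319        192.0.2.20    tcp        1 smtp
   12:19:01.487103        192.0.2.30    tcp        1 smtp
   12:19:01.916729        192.0.2.30    tcp        1 smtp
   06:25:56.223742        192.0.2.20    tcp        2 telnet
   19:42:53.834723       198.51.100.7    tcp        1 smtp
   20:33:40.012217       198.51.100.7    tcp        4 telnet
   20:33:40.317198       198.51.100.7    udp        1 domain
"""

def parse_flows(text):
    """Return (saddr, proto, pkts, dport) tuples from ratop-style lines, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "StartTime":
            continue
        _stime, saddr, proto, pkts, dport = parts
        rows.append((saddr, proto, int(pkts), dport))
    return rows

def aggregate_by_saddr(rows):
    """Collapse flows per source (like racluster -m saddr): total pkts and the dport-proto set."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for saddr, proto, pkts, dport in rows:
        totals[saddr] += pkts
        dests[saddr].add(f"{dport}-{proto}")
    return {s: (totals[s], sorted(dests[s])) for s in totals}

def top_sources(agg, min_ports=1):
    """Sources ordered by total pkts (desc, like rasort -m pkts), keeping those
    that touched at least min_ports distinct dport-proto pairs."""
    ranked = [(s, t, d) for s, (t, d) in agg.items() if len(d) >= min_ports]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for saddr, pkts, dests in top_sources(aggregate_by_saddr(parse_flows(SAMPLE)), min_ports=2):
        print(f"{saddr:>16} {pkts:>5} {','.join(dests)}")
```

In practice the same functions can read the output of `ra -r file -s saddr proto pkts dport` piped through the script instead of the embedded sample.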


> On Dec 12, 2016, at 3:27 AM, Stefan Szabo via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
>  
> Hi,
>  
> How can I get a top list of incidents, with unique source IP addresses? Is there any other method?
>  
> I tried with this one:
>  
> ratop -r argus-id5-log.20161208_123757 -sn stime, saddr, ,proto, pkts, dport
>  
> and then filter for smtp:
>  
> ratop -r argus-id5-log.20161208_123757 - display 'dst port 25'        2016/12/08.13:59:49 EET
>          StartTime            SrcAddr  Proto  TotPkts  Dport
>    23:07:14.100354     188.27.238.167    tcp        3 smtp
>    06:25:56.683319        5.15.194.50    tcp        1 smtp
>    12:19:01.487103        5.15.198.65    tcp        1 smtp
>    12:19:01.916729        5.15.198.65    tcp        1 smtp
>    06:25:56.223742        5.15.194.50    tcp        1 smtp
>    19:42:53.834723        5.15.192.30    tcp        1 smtp
>    20:33:40.012217        5.15.192.30    tcp        1 smtp
>    20:33:40.317198        5.15.192.30    tcp        1 smtp
>    19:42:53.532708        5.15.192.30    tcp        1 smtp
>  
>  
> What I want is to make an automated script that returns me the unique source addr with different destinations, 23-tcp, 25-tcp, and so on.
> I want to use it in a honey project; here is where it all started for me: http://www.team-cymru.org/darknet.html
>  
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Friday, November 4, 2016 3:30 PM
> To: Stefan Szabo <stefan.szabo at rcs-rds.ro>
> Subject: Re: [ARGUS] FW: first time argus
>  
> Hey Stefan,
> That is the design, argus generates flow data, with a lot of options, and the ra* clients process the data, with a lot of options.  To manage data archive size you will want to investigate racluster.1, it is the program of choice for semantic compression and data reduction, and of course, compressors like gzip work very well.
>  
> Hope all is most excellent,
> Carter
>  
>  
>> On Nov 4, 2016, at 8:49 AM, Stefan Szabo <stefan.szabo at rcs-rds.ro> wrote:
>>  
>> Hi,
>>  
>> So "argus" (server side) doesn't have any other options in order to keep log files smaller.
>> In order to clean argus logs I have to make a script, or a crontab which empties argus files.
>> All is done in the client side, ra, ralabel, radium, rasplit,etc.
>>  
>> Is that right?
>>  
>>  
>> Thanks!
>>  
>>  
>> From: Carter Bullard [mailto:carter at qosient.com]
>> Sent: Friday, November 4, 2016 2:12 PM
>> To: Stefan Szabo <stefan.szabo at rcs-rds.ro>
>> Subject: Re: [ARGUS] FW: first time argus
>>  
>> Hey Stephen,
>> The concept is that argus generates a specific output and the client programs process that data to get what you want.
>>  
>> Use rasplit to generate daily logs.  Depending on the amount of flow records your argus generates, you may want daily, hourly or even x-minute oriented files.  To build a daily file, we suggest ...
>>     rasplit -S localhost -M 1d -w /path/to/your/archive/%Y/%m/argus.%Y.%m.%d
>>  
>> All selections from argus data are done on the client side.  Argus data derived from just packets doesn't provide ASs or Country codes, so you will need to enhance the records.  We provide country codes using radium, or any ra* program, using any number of methods.  Check out the web site under Geo-location for a description.  ASNs are available with the GeoIP library, and provide Originating AS's, also described in the Geo section of 'Using Argus'.
>>  
>> Send email if you have any problems.
>> Carter
>> 
>> On Nov 4, 2016, at 6:49 AM, Stefan Szabo via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>> 
>>>  
>>>  
>>> From: Stefan Szabo [mailto:stefan.szabo at rcs-rds.ro]
>>> Sent: Friday, November 4, 2016 12:43 PM
>>> To: 'argus-info at lists.andrew.cmu.edu' <argus-info at lists.andrew.cmu.edu>
>>> Subject: first time argus
>>>  
>>> Hi,
>>>  
>>> I installed argus server and client, all working.
>>> I have some questions:
>>>  
>>> Server side – how can it generate daily logs? With “argus -M time 1h” it is not working; if I start the server “argus” it makes one file which becomes bigger and bigger.
>>> Server side – I only want to extract source IPs from one ASN; which way is better to do that (server side/client side), any examples? Or from one country if ASN is not a choice.
>>>  
>>> Thanks,
>>> Stefan.
