racluster for DNS
Raphael Campos Silva via Argus-info
argus-info at lists.andrew.cmu.edu
Thu Jun 2 16:18:32 EDT 2016
Hello guys,
I'm using racluster to aggregate some http flows, but I don't want to
aggregate DNS flows. By default, racluster aggregates all dns flows, like
this:
% racluster -r cleaned_dump.argus
udp 192.168.100.106.1041 <-> 192.168.100.1.domain 8 1041 CON
To aggregate http, I just used the following filter (with the -f option) and
everything is O.K.:
filter="tcp" model="saddr daddr proto dport sport"
I've tried something like this for DNS, but it is not working (it returns
ArgusParseAggregator: ArgusNewAggregator returned NULL):
filter="udp and dst port 53" model="none"
If I don't use the -f option with racluster and pass "-m none" to the
program, all DNS flows are correct, but the http flows aren't aggregated.
192.168.100.106.1041 <-> 192.168.100.1.domain 2 240
192.168.100.106.1042 -> A.http 7 714
192.168.100.106.1041 <-> 192.168.100.1.domain 2 224
192.168.100.106.1041 <-> 192.168.100.1.domain 2 368
192.168.100.106.1041 <-> 192.168.100.1.domain 2 209
192.168.100.106.1042 -> A.http 2 114
I read the racluster manual and tried some configs but I couldn't find a
solution for this. Probably I'm missing something.
Any suggestion is welcome.
Tks.
--
Raphael Campos Silva
Ciência da Computação - IBILCE Rio Preto - SP
*Knowledge, exploit it.*
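The post above turns on how racluster's aggregation model works: every record is reduced to the key fields named in the model, and records with the same key are merged. Because all of the DNS queries in the quoted output share the same source port (1041), the same 5-tuple model that works for http also collapses the DNS flows into one record. The script below is an added Python simulation of that behaviour, written for this page; it is not racluster's code and does not use the racluster configuration parser. It assumes a simplified filter language covering only the terms used in the post ("tcp", "udp", "dst port N") and treats flows that match no rule as passed through unchanged, which is this simulation's choice rather than a documented racluster default. The flow records are constructed from the numbers quoted in the post, with the anonymised http server replaced by the documentation address 203.0.113.10.

```python
"""Simulation of per-filter flow aggregation (racluster-style filter/model rules).

Not racluster itself: a small model of the semantics the post describes, used to
show why a 5-tuple model merges DNS flows that reuse the same source port.
"""

# Constructed sample records in the shape of the post's racluster output:
# (proto, saddr, sport, daddr, dport, pkts, bytes). The http server "A" from the
# post is replaced by a documentation address; the counts are the post's numbers.
FLOWS = [
    ("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 240),
    ("tcp", "192.168.100.106", 1042, "203.0.113.10", 80, 7, 714),
    ("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 224),
    ("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 368),
    ("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 209),
    ("tcp", "192.168.100.106", 1042, "203.0.113.10", 80, 2, 114),
]

# Field names usable in a model string, mapped to tuple positions.
FIELDS = {"proto": 0, "saddr": 1, "sport": 2, "daddr": 3, "dport": 4}


def matches(flow, filt):
    """Evaluate a tiny BPF-like filter: terms joined by ' and ', each term either a
    protocol name ('tcp', 'udp') or 'src port N' / 'dst port N'. (Assumed subset.)"""
    for term in filt.split(" and "):
        parts = term.split()
        if len(parts) == 1:
            if flow[FIELDS["proto"]] != parts[0]:
                return False
        elif len(parts) == 3 and parts[1] == "port" and parts[0] in ("src", "dst"):
            field = "sport" if parts[0] == "src" else "dport"
            if flow[FIELDS[field]] != int(parts[2]):
                return False
        else:
            raise ValueError("unsupported filter term: %r" % term)
    return True


def aggregate(flows, rules):
    """Apply (filter, model) rules in order; the first matching rule wins.

    A model is a space-separated list of FIELDS names: flows with identical values
    in those fields are merged (pkts and bytes summed). A model of None passes each
    matching flow through unmerged. Flows matching no rule are also passed through
    unchanged (this simulation's choice). Output preserves first-seen order."""
    results = []   # mutable copies of flow tuples
    index = {}     # aggregation key -> position in results
    for flow in flows:
        for filt, model in rules:
            if not matches(flow, filt):
                continue
            if model is None:
                results.append(list(flow))
            else:
                key = (filt, model) + tuple(flow[FIELDS[name]] for name in model.split())
                if key in index:
                    merged = results[index[key]]
                    merged[5] += flow[5]   # packets
                    merged[6] += flow[6]   # bytes
                else:
                    index[key] = len(results)
                    results.append(list(flow))
            break
        else:
            results.append(list(flow))
    return [tuple(r) for r in results]


def fmt(flow):
    """Render a record roughly the way the post's racluster output looks."""
    proto, saddr, sport, daddr, dport, pkts, nbytes = flow
    return "%s %s.%d -> %s.%d %d %d" % (proto, saddr, sport, daddr, dport, pkts, nbytes)


if __name__ == "__main__":
    five_tuple = "saddr daddr proto dport sport"
    print("http aggregated, DNS untouched (tcp rule only):")
    for f in aggregate(FLOWS, [("tcp", five_tuple)]):
        print("  " + fmt(f))
    print("DNS also matched by a 5-tuple model: queries collapse because they share port 1041:")
    for f in aggregate(FLOWS, [("udp and dst port 53", five_tuple), ("tcp", five_tuple)]):
        print("  " + fmt(f))
```

Running it prints four separate DNS records next to one merged http record for the first rule set, and a single DNS record (8 packets) for the second, which is the behaviour the post is trying to avoid: any model built only from the 5-tuple cannot keep those DNS queries apart, because nothing in the 5-tuple distinguishes them.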