racluster for DNS

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Thu Jun 2 17:04:13 EDT 2016


Hey Raphael,
Try this racluster.conf …

   filter="port 53"   status=0  idle=0
   filter=""              model="saddr daddr proto dport sport"

and run racluster as:

   racluster -f racluster.conf -r file

The status=0 tells racluster.1 not to merge the records together.
How does that work for you ????

Carter
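To make the effect of that two-rule racluster.conf concrete, here is an added Python model of how the rules treat flow records (example code, not part of the argus project). It assumes rules are tried in order with the first matching filter winning, that status=0 passes records through unmerged, and that records matching the catch-all rule are merged on the model key; the sample records are constructed from the ra output quoted in the thread.

```python
# Added example (not argus code): simulate the two racluster.conf rules above.
# Assumptions: first matching filter wins; status=0 means "never merge";
# other rules merge records that share the model key (pkts/bytes summed).
from collections import OrderedDict

# Constructed sample records modelled on the output quoted in the thread:
# (proto, saddr, sport, daddr, dport, pkts, bytes)
RECORDS = [
    ("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 240),
    ("tcp", "192.168.100.106", 1042, "A", 80, 7, 714),
    ("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 224),
    ("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 368),
    ("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 209),
    ("tcp", "192.168.100.106", 1042, "A", 80, 2, 114),
]

FIELDS = {"proto": 0, "saddr": 1, "sport": 2, "daddr": 3, "dport": 4}

def port53(r):
    """filter="port 53": either endpoint uses port 53."""
    return r[2] == 53 or r[4] == 53

def any_flow(r):
    """filter="": matches every record."""
    return True

# (filter, status, model) in the order the rules appear in racluster.conf
RULES = [
    (port53, 0, ("saddr", "daddr", "proto", "dport", "sport")),
    (any_flow, 1, ("saddr", "daddr", "proto", "dport", "sport")),
]

def cluster(records, rules=RULES):
    """Apply the rules; return the output records in first-seen order."""
    out = OrderedDict()
    for i, r in enumerate(records):
        for flt, status, model in rules:
            if not flt(r):
                continue
            key = tuple(r[FIELDS[f]] for f in model)
            if status == 0:          # status=0: keep every record separate
                key = key + (i,)
            if key in out:           # same key: merge counters
                old = out[key]
                out[key] = old[:5] + (old[5] + r[5], old[6] + r[6])
            else:
                out[key] = r
            break                    # first matching rule wins
    return list(out.values())
```

With the sample records the four DNS rows come out unmerged, while the two http rows collapse into one row with 9 packets and 828 bytes.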

> On Jun 2, 2016, at 4:18 PM, Raphael Campos Silva via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hello guys,
> 
> I'm using racluster to aggregate some http flows, but I don't want to aggregate DNS flows. By default, racluster aggregates all dns flows, like this:
> % racluster -r cleaned_dump.argus
> 
> udp    192.168.100.106.1041     <->      192.168.100.1.domain        8       1041   CON
> 
> 
> 
> For aggregating http, I just used the following filter (with the -f option) and everything is O.K.:
> 
> filter="tcp"            model="saddr daddr proto dport sport"
> 
> I've tried something like this for DNS, but it is not working (returns ArgusParseAggregator: ArgusNewAggregator returned NULL):
> filter="udp and dst port 53"           model="none"
> 
> If I don't use the -f option with racluster and pass "-m none" to the program, all DNS are correct, but the http flows aren't aggregated.
> 
> 192.168.100.106.1041     <->      192.168.100.1.domain        2        240
> 192.168.100.106.1042      ->        A.http          7        714
> 192.168.100.106.1041     <->      192.168.100.1.domain        2        224
> 192.168.100.106.1041     <->      192.168.100.1.domain        2        368
> 192.168.100.106.1041     <->      192.168.100.1.domain        2        209
> 192.168.100.106.1042      ->        A.http          2        114
> 
> I read the racluster manual and tried some configs but I couldn't find a solution for this. Probably I missed something.
> Any suggestion is welcome.
> 
> Tks.
> -- 
> Raphael Campos Silva
> Computer Science - IBILCE Rio Preto - SP
> Knowledge, exploit it.