racluster for DNS

Raphael Campos Silva via Argus-info argus-info at lists.andrew.cmu.edu
Fri Jun 3 04:46:00 EDT 2016


Carter, tks for the answer.

I tried this but it didn't work for me.

% tail -n 2 /etc/racluster.conf

filter="port 53"        status=0 idle=0

filter=""               model="saddr daddr proto dport sport"


% racluster -f /etc/racluster.conf -r cleaned_dump.argus

192.168.100.106.1040     <->      192.168.100.1.domain        8       1041

If I set status and idle to 1, sometimes it works, but not always.


Tks.

2016-06-02 18:04 GMT-03:00 Carter Bullard <carter at qosient.com>:

> Hey Raphael,
> Try this racluster.conf …
>
>    filter="port 53"   status=0  idle=0
>    filter=""              model="saddr daddr proto dport sport"
>
> and run racluster as;
>
>    racluster -f racluster.conf -r file
>
> The status=0 tells racluster.1 not to merge the records together.
> How does that work for you ????
>
> Carter
>
> > On Jun 2, 2016, at 4:18 PM, Raphael Campos Silva via Argus-info <
> argus-info at lists.andrew.cmu.edu> wrote:
> >
> > Hello guys,
> >
> > I'm using racluster to aggregate some http flows, but I don't want to
> aggregate DNS flows. By default, racluster aggregates all DNS flows, like
> this:
> > % racluster -r cleaned_dump.argus
> >
> > udp    192.168.100.106.1041     <->      192.168.100.1.domain        8      1041   CON
> >
> >
> >
> > To aggregate http, I just used the following filter (with the -f option)
> and everything is O.K.:
> >
> > filter="tcp"            model="saddr daddr proto dport sport"
> >
> > I've tried something like this for DNS, but it is not working (it returns
> ArgusParseAggregator: ArgusNewAggregator returned NULL):
> > filter="udp and dst port 53"           model="none"
> >
> > If I don't use the option -f with racluster and pass "-m none" to the
> program, all DNS flows are correct, but the http flows aren't aggregated.
> >
> > 192.168.100.106.1041     <->      192.168.100.1.domain        2      240
> >
> >
> > 192.168.100.106.1042      ->        A.http          7        714
> >
> >
> > 192.168.100.106.1041     <->      192.168.100.1.domain        2      224
> >
> >
> > 192.168.100.106.1041     <->      192.168.100.1.domain        2      368
> >
> >
> > 192.168.100.106.1041     <->      192.168.100.1.domain        2      209
> >
> >
> > 192.168.100.106.1042      ->        A.http          2        114
> >
> > I read the racluster manual and tried some configs but I couldn't find a
> solution for this. Probably I'm missing something.
> > Any suggestion is welcome.
> >
> > Tks.
> > --
> > Raphael Campos Silva
> > Ciência da Computação - IBILCE Rio Preto - SP
> > Knowledge, exploit it.
> >
>
>


-- 
Raphael Campos Silva
Ciência da Computação - IBILCE Rio Preto - SP
*Knowledge, exploit it.*
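The rule set Carter suggests, a port 53 rule with status=0/idle=0 placed ahead of a catch-all "saddr daddr proto dport sport" model, can be sketched as a small flow aggregator to show why rule order and the no-merge rule matter. This is an added illustration written for this page, not argus or racluster code: the BPF-style filter strings are replaced by Python predicates, model=None stands in for the status=0 rule, the sample records are constructed from the packet and byte counts posted in the thread, and the http server "A" is replaced by the placeholder address 192.0.2.80.

```python
"""Toy model of the racluster rule set from the thread.

Added illustration only; this is not argus or racluster code. A Rule pairs a
predicate (standing in for racluster's BPF-style filter="...") with a model:
the tuple of fields whose values must be equal for two records to be merged.
model=None plays the role of Carter's status=0 idle=0 rule: records that match
that filter are passed through one by one and never merged.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    bytes: int


@dataclass
class Rule:
    match: Callable[[Flow], bool]        # filter predicate
    model: Optional[Tuple[str, ...]]     # merge key fields, or None = no merging


# The model from the thread: "saddr daddr proto dport sport".
FIVE_TUPLE = ("saddr", "daddr", "proto", "dport", "sport")

# Carter's two-rule config: port 53 first (never merged), then everything else.
THREAD_RULES = [
    Rule(match=lambda f: 53 in (f.sport, f.dport), model=None),
    Rule(match=lambda f: True, model=FIVE_TUPLE),
]

# What the original single-rule config did: merge everything on the five-tuple.
DEFAULT_RULES = [Rule(match=lambda f: True, model=FIVE_TUPLE)]

# Constructed sample records using the packet/byte counts Raphael posted.
# The http server "A" from the thread is replaced by the placeholder 192.0.2.80.
SAMPLE_FLOWS = [
    Flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 240),
    Flow("tcp", "192.168.100.106", 1042, "192.0.2.80", 80, 7, 714),
    Flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 224),
    Flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 368),
    Flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 209),
    Flow("tcp", "192.168.100.106", 1042, "192.0.2.80", 80, 2, 114),
]


def aggregate(flows: Sequence[Flow], rules: Sequence[Rule]) -> List[Flow]:
    """Apply the first matching rule to each record, preserving first-seen order.

    Records whose rule has model=None (or that match no rule) are copied
    through untouched; the rest are merged into the row that shares their
    (rule, model-key), summing pkts and bytes.
    """
    out: List[Flow] = []
    index = {}                       # (rule id, key values) -> position in out
    for f in flows:
        rule_id = next((i for i, r in enumerate(rules) if r.match(f)), None)
        model = rules[rule_id].model if rule_id is not None else None
        if model is None:
            out.append(replace(f))   # copy, so the input records are never mutated
            continue
        key = (rule_id, tuple(getattr(f, field) for field in model))
        pos = index.get(key)
        if pos is None:
            index[key] = len(out)
            out.append(replace(f))
        else:
            out[pos].pkts += f.pkts
            out[pos].bytes += f.bytes
    return out


def render(rows: Sequence[Flow]) -> List[str]:
    """Format rows roughly the way the thread's racluster output looks."""
    return [f"{r.proto:<5} {r.saddr}.{r.sport:<6} <-> {r.daddr}.{r.dport:<6} "
            f"{r.pkts:>4} {r.bytes:>6}" for r in rows]


if __name__ == "__main__":
    print("single five-tuple model (DNS merged into one row):")
    print("\n".join(render(aggregate(SAMPLE_FLOWS, DEFAULT_RULES))))
    print("port-53 pass-through rule first (DNS kept per record):")
    print("\n".join(render(aggregate(SAMPLE_FLOWS, THREAD_RULES))))
```

With only the five-tuple rule the four DNS records collapse into one row of 8 packets and 1041 bytes, exactly the line the thread shows; with the port 53 pass-through rule listed first they stay as four rows while the two http records still merge. Putting the catch-all rule first instead would swallow the DNS records before the no-merge rule is ever consulted, which is the rule-ordering detail worth checking when a config "sometimes works".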