racluster for DNS

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Fri Jun 3 09:01:38 EDT 2016


Hey Raphael,
Check that your "cleaned_dump.argus" isn't already cleaned up too much, and make sure that your racluster.conf only has 2 lines in it.  So many times, the tools do the correct thing, just not what you expect them to do.

What does the "cleaned_dump.argus" file have in it for domain traffic ?
   ra -r cleaned_dump - port 53

Carter

> On Jun 3, 2016, at 4:46 AM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
> 
> Carter, tks for the answer.
> 
> I tried this but didn't work for me.
> 
> % tail -n 2 /etc/racluster.conf 
> filter="port 53"        status=0 idle=0
> 
> filter=""               model="saddr daddr proto dport sport"
> 
> 
> 
> % racluster -f /etc/racluster.conf -r cleaned_dump.argus
> 
> 
> 192.168.100.106.1040     <->      192.168.100.1.domain        8       1041
> 
> If I set status and idle to 1, sometimes it works, but not always.
> 
> 
> 
> Tks.
> 
> 
> 2016-06-02 18:04 GMT-03:00 Carter Bullard <carter at qosient.com>:
>> Hey Raphael,
>> Try this racluster.conf …
>> 
>>    filter="port 53"   status=0  idle=0
>>    filter=""              model="saddr daddr proto dport sport"
>> 
>> and run racluster as;
>> 
>>    racluster -f racluster.conf -r file
>> 
>> The status=0 tells racluster.1 not to merge the records together.
>> How does that work for you ????
>> 
>> Carter
>> 
>> > On Jun 2, 2016, at 4:18 PM, Raphael Campos Silva via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>> >
>> > Hello guys,
>> >
>> > I'm using racluster to aggregate some http flows, but I don't want to aggregate DNS flows. By default, racluster aggregates all dns flows, like this:
>> > % racluster -r cleaned_dump.argus
>> >
>> > udp    192.168.100.106.1041     <->      192.168.100.1.domain        8       1041   CON
>> >
>> >
>> >
>> > To aggregate http, I just used the following filter (with the -f option) and everything is O.K.:
>> >
>> > filter="tcp"            model="saddr daddr proto dport sport"
>> >
>> > I've tried something like this for DNS, but it is not working (returns ArgusParseAggregator: ArgusNewAggregator returned NULL):
>> > filter="udp and dst port 53"           model="none"
>> >
>> > If I don't use the -f option with racluster and pass "-m none" to the program, all DNS flows are correct, but the http flows aren't aggregated.
>> >
>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        240
>> >
>> >
>> > 192.168.100.106.1042      ->        A.http          7        714
>> >
>> >
>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        224
>> >
>> >
>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        368
>> >
>> >
>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        209
>> >
>> >
>> > 192.168.100.106.1042      ->        A.http          2        114
>> >
>> > I read the racluster manual and tried some configs but I couldn't find a solution for this. Probably I'm missing something.
>> > Any suggestion is welcome.
>> >
>> > Tks.
>> > --
>> > Raphael Campos Silva
>> > Computer Science - IBILCE Rio Preto - SP
>> > Knowledge, exploit it.
>> >
> 
> 
> 
> -- 
> Raphael Campos Silva
> Computer Science - IBILCE Rio Preto - SP
> Knowledge, exploit it.
>  
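The whole thread turns on rule order and merge semantics in racluster.conf. As an added example that is not argus code, the following Python models Carter's two-line configuration (a first rule that passes port-53 records through unmerged, a second that aggregates everything else on saddr/daddr/proto/dport/sport) against constructed records patterned on the output quoted above; the reading of status=0 idle=0 as "do not merge", and the placeholder http peer 10.0.0.5, are assumptions.

```python
"""Added example, not argus code: a small model of ordered racluster.conf rules
run over constructed flow records. Semantics assumed from the thread: rules are
tried in order and the first matching filter wins; status=0 with idle=0 means
pass records through unmerged; otherwise records sharing the rule's model key
fields are merged, with pkts and bytes summed."""
from typing import Callable, Dict, List, Tuple

Flow = Dict[str, object]          # keys: proto saddr sport daddr dport pkts bytes

class Rule:
    def __init__(self, filt: Callable[[Flow], bool], model: Tuple[str, ...] = (),
                 status: int = 60, idle: int = 30):
        self.filt, self.model = filt, model        # filt stands in for filter="..."
        self.status, self.idle = status, idle      # racluster.conf status=/idle= values

def cluster(flows: List[Flow], rules: List[Rule]) -> List[Flow]:
    out: List[Flow] = []
    index: Dict[tuple, int] = {}                   # aggregation key -> position in out
    for f in flows:
        rule = next((r for r in rules if r.filt(f)), None)
        if rule is None or (rule.status == 0 and rule.idle == 0):
            out.append(dict(f))                    # no merging: one output per input
            continue
        key = (rules.index(rule),) + tuple(f[k] for k in rule.model)
        if key in index:                           # same key under same rule: merge
            out[index[key]]["pkts"] += f["pkts"]
            out[index[key]]["bytes"] += f["bytes"]
        else:
            index[key] = len(out)
            out.append(dict(f))
    return out

def flow(proto, saddr, sport, daddr, dport, pkts, nbytes) -> Flow:
    return dict(proto=proto, saddr=saddr, sport=sport, daddr=daddr,
                dport=dport, pkts=pkts, bytes=nbytes)

# Constructed records modelled on the thread's output; the http peer is a placeholder.
FLOWS = [
    flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 240),
    flow("tcp", "192.168.100.106", 1042, "10.0.0.5", 80, 7, 714),
    flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 224),
    flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 368),
    flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 209),
    flow("tcp", "192.168.100.106", 1042, "10.0.0.5", 80, 2, 114),
]
MODEL = ("saddr", "daddr", "proto", "dport", "sport")
is_dns = lambda f: 53 in (f["sport"], f["dport"])              # filter="port 53"
KEEP_DNS = [Rule(is_dns, status=0, idle=0), Rule(lambda f: True, MODEL)]  # the 2-line conf
MERGE_ALL = [Rule(lambda f: True, MODEL)]                      # single rule: DNS collapses too
```

With KEEP_DNS the four DNS records come out untouched and the two http records merge into one (9 packets, 828 bytes); with MERGE_ALL the DNS records collapse into the single 8-packet, 1041-byte line seen in the thread.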