racluster for DNS
Raphael Campos Silva via Argus-info
argus-info at lists.andrew.cmu.edu
Fri Jun 3 13:21:58 EDT 2016
Hello,
I checked the file "cleaned_dump.argus" and it seems to be OK. The output from
"ra -r cleaned_dump.argus - port 53" is the following:
StartTime        Flgs  Proto  SrcAddr Sport         Dir  DstAddr Dport         TotPkts  TotBytes  State
21:53:13.609647  e     udp    192.168.100.106.1040  <->  192.168.100.1.domain  2        240       CON
21:53:14.135221  e     udp    192.168.100.106.1040  <->  192.168.100.1.domain  2        224       CON
21:53:15.079598  e     udp    192.168.100.106.1040  <->  192.168.100.1.domain  2        368       CON
21:53:16.315496  e     udp    192.168.100.106.1040  <->  192.168.100.1.domain  2        209       CON
Tks,
2016-06-03 10:01 GMT-03:00 Carter Bullard <carter at qosient.com>:
> Hey Raphael,
> Check that your "cleaned_dump.argus" isn't already cleaned up too much,
> and make sure that your racluster.conf only has 2 lines in it. So many
> times, the tools do the correct thing, just not what you expect it to do.
>
> What does the "cleaned_dump.argus" file have in it for domain traffic ?
> ra -r cleaned_dump - port 53
>
> Carter
>
> On Jun 3, 2016, at 4:46 AM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
>
> Carter, tks for the answer.
>
> I tried this but it didn't work for me.
>
> % tail -n 2 /etc/racluster.conf
>
> filter="port 53" status=0 idle=0
>
> filter="" model="saddr daddr proto dport sport"
>
>
> % racluster -f /etc/racluster.conf -r cleaned_dump.argus
>
> 192.168.100.106.1040 <-> 192.168.100.1.domain 8 1041
>
> If I set status and idle to 1, sometimes it works, but not always.
>
>
> Tks.
>
> 2016-06-02 18:04 GMT-03:00 Carter Bullard <carter at qosient.com>:
>
>> Hey Raphael,
>> Try this racluster.conf …
>>
>> filter="port 53" status=0 idle=0
>> filter="" model="saddr daddr proto dport sport"
>>
>> and run racluster as;
>>
>> racluster -f racluster.conf -r file
>>
>> The status=0 tells racluster.1 not to merge the records together.
>> How does that work for you ????
>>
>> Carter
>>
>> > On Jun 2, 2016, at 4:18 PM, Raphael Campos Silva via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>> >
>> > Hello guys,
>> >
>> > I'm using racluster to aggregate some http flows, but I don't want
>> > to aggregate DNS flows. By default, racluster aggregates all dns flows, like
>> > this:
>> > % racluster -r cleaned_dump.argus
>> >
>> > udp 192.168.100.106.1041 <-> 192.168.100.1.domain 8 1041 CON
>> >
>> >
>> >
>> > To aggregate http, I just used the following filter (with the -f option)
>> > and everything is O.K.:
>> >
>> > filter="tcp" model="saddr daddr proto dport sport"
>> >
>> > I've tried something like this for DNS, but it is not working (returns
>> > ArgusParseAggregator: ArgusNewAggregator returned NULL):
>> > filter="udp and dst port 53" model="none"
>> >
>> > If I don't use the option -f with racluster and pass "-m none" to the
>> > program, all DNS flows are correct, but the http flows aren't aggregated.
>> >
>> > 192.168.100.106.1041 <-> 192.168.100.1.domain 2 240
>> > 192.168.100.106.1042 -> A.http 7 714
>> > 192.168.100.106.1041 <-> 192.168.100.1.domain 2 224
>> > 192.168.100.106.1041 <-> 192.168.100.1.domain 2 368
>> > 192.168.100.106.1041 <-> 192.168.100.1.domain 2 209
>> > 192.168.100.106.1042 -> A.http 2 114
>> >
>> > I read the racluster manual and tried some configs but I couldn't find
>> > a solution for this. Probably I'm missing something.
>> > Any suggestion is welcome.
>> >
>> > Tks.
>> > --
>> > Raphael Campos Silva
>> > Computer Science - IBILCE Rio Preto - SP
>> > Knowledge, exploit it.
>> >
>>
>>
>
>
> --
> Raphael Campos Silva
> Computer Science - IBILCE Rio Preto - SP
> *Knowledge, exploit it.*
>
>
>
--
Raphael Campos Silva
Computer Science - IBILCE Rio Preto - SP
*Knowledge, exploit it.*
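The racluster.conf semantics Carter describes (rules are tried in order, the first matching filter decides what happens to a record, status=0 idle=0 means the matched records are passed through without being merged, and model= names the key fields) can be made concrete with a small simulation. The following is an added example written for this thread; it is not argus or racluster code, and the rule evaluation order, the treatment of records that match no rule (passed through untouched), and the flow records (reconstructed from the numbers quoted in the thread, with the "A.http" peer reduced to a placeholder "A") are all assumptions made for the illustration.

```python
"""Toy model of racluster.conf rule handling (added example, not argus code).

Assumed semantics, taken from the thread: rules are checked in order, the first
filter that matches a record decides its treatment, status=0 idle=0 means
"do not merge", and model= lists the fields forming the aggregation key.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple


@dataclass
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    nbytes: int


@dataclass
class Rule:
    # filter stands in for the racluster filter string ("port 53", "tcp", "")
    filter: Callable[[Flow], bool]
    # model stands in for model="saddr daddr proto dport sport"
    model: Tuple[str, ...] = ()
    # merge=False stands in for status=0 idle=0 (pass records through unmerged)
    merge: bool = True


def cluster(flows: List[Flow], rules: List[Rule]) -> List[Flow]:
    """First matching rule wins. A merged record keeps the position of the
    first record that created its key. Assumption: a record that matches no
    rule is passed through untouched."""
    out: List[Flow] = []
    index = {}  # aggregation key -> position in out
    for f in flows:
        hit = next(((i, r) for i, r in enumerate(rules) if r.filter(f)), None)
        key = None
        if hit is not None and hit[1].merge:
            i, r = hit
            # the rule index is part of the key so two rules never share a bucket
            key = (i,) + tuple(getattr(f, name) for name in r.model)
        if key is not None and key in index:
            agg = out[index[key]]
            agg.pkts += f.pkts
            agg.nbytes += f.nbytes
        else:
            if key is not None:
                index[key] = len(out)
            out.append(replace(f))  # copy, so the input records stay intact
    return out


def is_dns(f: Flow) -> bool:   # filter="port 53"
    return f.sport == 53 or f.dport == 53


def any_flow(f: Flow) -> bool:  # filter=""
    return True


FIVE_TUPLE = ("saddr", "daddr", "proto", "dport", "sport")


def carter_config() -> List[Rule]:
    # filter="port 53" status=0 idle=0
    # filter=""        model="saddr daddr proto dport sport"
    return [Rule(is_dns, merge=False), Rule(any_flow, FIVE_TUPLE)]


def default_like_config() -> List[Rule]:
    # a single catch-all rule keyed on the 5-tuple: the behaviour Raphael saw,
    # where DNS flows sharing one source port collapsed into a single record
    return [Rule(any_flow, FIVE_TUPLE)]


def sample_flows() -> List[Flow]:
    # constructed from the records quoted in the thread; "A" is a placeholder
    c, s = "192.168.100.106", "192.168.100.1"
    return [
        Flow("udp", c, 1040, s, 53, 2, 240),
        Flow("tcp", c, 1042, "A", 80, 7, 714),
        Flow("udp", c, 1040, s, 53, 2, 224),
        Flow("udp", c, 1040, s, 53, 2, 368),
        Flow("udp", c, 1040, s, 53, 2, 209),
        Flow("tcp", c, 1042, "A", 80, 2, 114),
    ]


def summarize(records: List[Flow]) -> List[Tuple[str, int, int, int, int]]:
    return [(r.proto, r.sport, r.dport, r.pkts, r.nbytes) for r in records]


if __name__ == "__main__":
    for name, cfg in (("two-rule config", carter_config()),
                      ("single catch-all", default_like_config())):
        print(name)
        for rec in summarize(cluster(sample_flows(), cfg)):
            print("  ", rec)
```

With the two-rule configuration the four DNS records stay separate while the two http records merge into one record of 9 packets and 828 bytes; with the single catch-all rule the DNS records collapse into 8 packets and 1041 bytes, the figures Raphael reported. Whether the real racluster matches this toy in every detail (for instance what it does with records no rule matches) is not something the thread settles, which is why that part is marked as an assumption.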