racluster for DNS

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Fri Jun 3 16:46:36 EDT 2016


Hmmm, well, to be complete, grab the latest code to make sure we’re working with the same version.  I just uploaded argus-clients-3.0.8.2 to the site.

   http://qosient.com/argus/src/argus-clients-latest.tar.gz 

If that doesn’t work, then we’ll have to fix this as a bug.

Carter

> On Jun 3, 2016, at 4:40 PM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
> 
> Yeah, there're just two filters in "racluster.conf":
> filter="port 53"        status=0 idle=0
> 
> filter=""               model="saddr daddr proto dport sport"
> 
> About the pcap, it's ok too.
> 
> 2016-06-03 15:55 GMT-03:00 Carter Bullard <carter at qosient.com>:
> And your racluster.conf only has the 2 lines in it ...  no other rules !!!
> Carter
> 
> On Jun 3, 2016, at 1:21 PM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
> 
>> Hello,
>> 
>> I checked the file "cleaned_dump.argus" and it seems to be OK. The output from "ra -r cleaned_dump.argus - port 53" is the following:
>> 
>>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State 
>>    21:53:13.609647  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        240   CON
>>    21:53:14.135221  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        224   CON
>>    21:53:15.079598  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        368   CON
>>    21:53:16.315496  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        209   CON
>> 
>> Tks,
>> 
>> 
>> 2016-06-03 10:01 GMT-03:00 Carter Bullard <carter at qosient.com>:
>> Hey Raphael,
>> Check that your "cleaned_dump.argus" isn't already cleaned up too much, and make sure that your racluster.conf only has 2 lines in it.  So many times, the tools do the correct thing, just not what you expect it to do.
>> 
>> What does the "cleaned_dump.argus" file have in it for domain traffic ?
>>    ra -r cleaned_dump - port 53
>> 
>> Carter
>> 
>> On Jun 3, 2016, at 4:46 AM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
>> 
>>> Carter, tks for the answer.
>>> 
>>> I tried this but didn't work for me.
>>> 
>>> % tail -n 2 /etc/racluster.conf
>>> filter="port 53"        status=0 idle=0
>>>
>>> filter=""               model="saddr daddr proto dport sport"
>>>
>>> % racluster -f /etc/racluster.conf -r cleaned_dump.argus
>>>
>>> 192.168.100.106.1040     <->      192.168.100.1.domain        8       1041
>>>
>>> If I set status and idle to 1, sometimes it works, but not always.
>>> 
>>> 
>>> 
>>> Tks.
>>> 
>>> 
>>> 2016-06-02 18:04 GMT-03:00 Carter Bullard <carter at qosient.com>:
>>> Hey Raphael,
>>> Try this racluster.conf …
>>> 
>>>    filter="port 53"   status=0  idle=0
>>>    filter=""          model="saddr daddr proto dport sport"
>>> 
>>> and run racluster as;
>>> 
>>>    racluster -f racluster.conf -r file
>>> 
>>> The status=0 tells racluster.1 not to merge the records together.
>>> How does that work for you ????
>>> 
>>> Carter
>>> 
>>> > On Jun 2, 2016, at 4:18 PM, Raphael Campos Silva via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>> >
>>> > Hello guys,
>>> >
>>> > I'm using racluster to aggregate some HTTP flows, but I don't want to aggregate DNS flows. By default, racluster aggregates all DNS flows, like this:
>>> > % racluster -r cleaned_dump.argus
>>> >
>>> > udp    192.168.100.106.1041     <->      192.168.100.1.domain        8       1041   CON
>>> >
>>> > To aggregate HTTP, I just used the following filter (with the -f option) and everything is OK:
>>> >
>>> > filter="tcp"            model="saddr daddr proto dport sport"
>>> >
>>> > I've tried something like this for DNS, but it is not working (it returns "ArgusParseAggregator: ArgusNewAggregator returned NULL"):
>>> > filter="udp and dst port 53"           model="none"
>>> >
>>> > If I don't use the -f option with racluster and pass "-m none" to the program, all DNS flows are correct, but the HTTP flows aren't aggregated.
>>> >
>>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        240
>>> > 192.168.100.106.1042      ->        A.http          7        714
>>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        224
>>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        368
>>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        209
>>> > 192.168.100.106.1042      ->        A.http          2        114
>>> >
>>> > I read the racluster manual and tried some configs but I couldn't find a solution for this. Probably I missed something.
>>> > Any suggestion is welcome.
>>> >
>>> > Tks.
>>> > --
>>> > Raphael Campos Silva
>>> > Ciência da Computação - IBILCE Rio Preto - SP
>>> > Knowledge, exploit it.
>>> >
>>> 
>> 
> 
>  
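As an added illustration of the rule semantics the thread settles on, the toy aggregator below applies a racluster.conf-style rule list to the flow records posted in the first message. This is example code written for this page, not argus or racluster code. It assumes rules are tried in file order with the first matching filter deciding a record's treatment, that a rule with status=0 idle=0 passes records through unmerged (the behaviour Carter describes), and that records matching no rule are also passed through; the HTTP server is written "A" because that is how the original post shows it.

```python
# Added example for this page: a toy model of racluster.conf rule matching.
# It is NOT argus/racluster code; it only mimics the behaviour discussed in
# the thread. Assumptions: rules are tried in file order and the first filter
# that matches decides the treatment of a record; a rule with status=0 idle=0
# passes records through unmerged; a rule with a model merges records that
# share the fields named in the model; records matching no rule pass through.
from collections import OrderedDict

def flow(proto, saddr, sport, daddr, dport, pkts, nbytes):
    return dict(proto=proto, saddr=saddr, sport=sport, daddr=daddr,
                dport=dport, pkts=pkts, bytes=nbytes)

# Constructed input, transcribed from the "-m none" output in the first post.
# "A" is the HTTP server as written there (the real address is not on the page).
FLOWS = [
    flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 240),
    flow("tcp", "192.168.100.106", 1042, "A", 80, 7, 714),
    flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 224),
    flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 368),
    flow("udp", "192.168.100.106", 1041, "192.168.100.1", 53, 2, 209),
    flow("tcp", "192.168.100.106", 1042, "A", 80, 2, 114),
]

# Predicates standing in for the BPF-style filter strings in racluster.conf.
def port53(f):            # filter="port 53"
    return 53 in (f["sport"], f["dport"])

def match_all(f):         # filter=""
    return True

# The two-line racluster.conf from the thread, as a rule list:
#   filter="port 53"   status=0 idle=0
#   filter=""          model="saddr daddr proto dport sport"
RULES_DNS_UNMERGED = [
    dict(filter=port53, model=None),   # status=0 idle=0: pass through
    dict(filter=match_all, model=("saddr", "daddr", "proto", "dport", "sport")),
]

# The single catch-all rule on its own (what merged the DNS records).
RULES_MERGE_ALL = [RULES_DNS_UNMERGED[1]]

def cluster(flows, rules):
    """Apply the first matching rule to each record; return merged records
    in first-seen order, each with summed pkts/bytes."""
    out = OrderedDict()
    for i, f in enumerate(flows):
        rule = next((r for r in rules if r["filter"](f)), None)
        if rule is None or rule["model"] is None:
            key = ("unmerged", i)          # unique key: never merges
        else:
            key = tuple(f[k] for k in rule["model"])
        if key in out:
            out[key]["pkts"] += f["pkts"]
            out[key]["bytes"] += f["bytes"]
        else:
            out[key] = dict(f)
    return list(out.values())

def dns_records(records):
    return [r for r in records if 53 in (r["sport"], r["dport"])]

def http_records(records):
    return [r for r in records if r["dport"] == 80]

if __name__ == "__main__":
    for name, rules in (("merge all", RULES_MERGE_ALL),
                        ("dns unmerged", RULES_DNS_UNMERGED)):
        print(name)
        for r in cluster(FLOWS, rules):
            print("  %(proto)s %(saddr)s.%(sport)s -> %(daddr)s.%(dport)s"
                  "  %(pkts)d pkts  %(bytes)d bytes" % r)
```

With the catch-all model alone, the four DNS records collapse into one 8-packet, 1041-byte record, which is the unwanted output in the first post; with the port 53 rule listed first, the DNS records pass through individually while the two HTTP records still merge into one (9 packets, 828 bytes). Rule order matters under the first-match assumption: putting the catch-all first would shadow the DNS rule entirely.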
