racluster for DNS

Raphael Campos Silva via Argus-info argus-info at lists.andrew.cmu.edu
Sat Jun 4 13:58:08 EDT 2016


I just tested version argus-clients-3.0.8.2 (the latest one) and the problem
seems the same.

Using just 'ra':
% ra -r cleaned_dump.argus - port 53
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
   21:53:13.609647  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        240   CON
   21:53:14.135221  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        224   CON
   21:53:15.079598  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        368   CON
   21:53:16.315496  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        209   CON

And with racluster:
% racluster -r cleaned_dump.argus -f /etc/racluster.conf - port 53
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
   21:53:13.609647  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        8       1041   CON

% cat /etc/racluster.conf
filter="port 53"        status=0 idle=0
filter=""               model="saddr daddr proto dport sport"

If I try 'racluster' using "-m none", it works, but it can't merge http
flows (like I said in the first email).
% racluster -r cleaned_dump.argus -m none - port 53
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
   21:53:13.609647  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        240   CON
   21:53:14.135221  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        224   CON
   21:53:15.079598  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        368   CON
   21:53:16.315496  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        209   CON


% racluster -r cleaned_dump.argus -m none - port 80
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
   21:53:13.831738  e           tcp    192.168.100.106.1041      ->                    A.http        7        714   CON
   21:53:14.720590  e           tcp    192.168.100.106.1042      ->                    B.http       14       3222   RST
   21:53:15.095575  e           tcp    192.168.100.106.1044      ->                    C.http        9       2383   RST
   21:53:19.139461  e           tcp    192.168.100.106.1041      ->                    A.http        2        114   FIN

If you prefer, I can send you the pcap file without any problem.

Tks,

2016-06-03 17:46 GMT-03:00 Carter Bullard <carter at qosient.com>:

> Hmmm, well, to be complete, grab the latest code to make sure we’re
> working with the same version.  I just uploaded argus-clients-3.0.8.2 to
> the site.
>
>    http://qosient.com/argus/src/argus-clients-latest.tar.gz
>
> If that doesn’t work, then we’ll have to fix this as a bug.
>
> Carter
>
> On Jun 3, 2016, at 4:40 PM, Raphael Campos Silva <
> raphaelcampos.rp at gmail.com> wrote:
>
> Yeah, there are just two filters in "racluster.conf":
>
> filter="port 53"        status=0 idle=0
> filter=""               model="saddr daddr proto dport sport"
>
> About the pcap, it's ok too.
>
> 2016-06-03 15:55 GMT-03:00 Carter Bullard <carter at qosient.com>:
>
>> And your racluster.conf only has the 2 lines in it ...  no other rules !!!
>> Carter
>>
>> On Jun 3, 2016, at 1:21 PM, Raphael Campos Silva <
>> raphaelcampos.rp at gmail.com> wrote:
>>
>> Hello,
>>
>> I checked the file "cleaned_dump.argus" and it seems to be OK. The output
>> from "ra -r cleaned_dump.argus - port 53" is the following:
>>
>>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
>>    21:53:13.609647  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        240   CON
>>    21:53:14.135221  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        224   CON
>>    21:53:15.079598  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        368   CON
>>    21:53:16.315496  e           udp    192.168.100.106.1040     <->      192.168.100.1.domain        2        209   CON
>>
>> Tks,
>>
>>
>> 2016-06-03 10:01 GMT-03:00 Carter Bullard <carter at qosient.com>:
>>
>>> Hey Raphael,
>>> Check that your "cleaned_dump.argus" isn't already cleaned up too much,
>>> and make sure that your racluster.conf only has 2 lines in it.  So many
>>> times, the tools do the correct thing, just not what you expect them to do.
>>>
>>> What does the "cleaned_dump.argus" file have in it for domain traffic ?
>>>    ra -r cleaned_dump - port 53
>>>
>>> Carter
>>>
>>> On Jun 3, 2016, at 4:46 AM, Raphael Campos Silva <
>>> raphaelcampos.rp at gmail.com> wrote:
>>>
>>> Carter, tks for the answer.
>>>
>>> I tried this but it didn't work for me.
>>>
>>> % tail -n 2 /etc/racluster.conf
>>> filter="port 53"        status=0 idle=0
>>> filter=""               model="saddr daddr proto dport sport"
>>>
>>> % racluster -f /etc/racluster.conf -r cleaned_dump.argus
>>> 192.168.100.106.1040     <->      192.168.100.1.domain        8       1041
>>>
>>> If I set status and idle to 1, sometimes it works, but not always.
>>>
>>>
>>> Tks.
>>>
>>> 2016-06-02 18:04 GMT-03:00 Carter Bullard <carter at qosient.com>:
>>>
>>>> Hey Raphael,
>>>> Try this racluster.conf …
>>>>
>>>>    filter="port 53"   status=0  idle=0
>>>>    filter=""              model="saddr daddr proto dport sport"
>>>>
>>>> and run racluster as:
>>>>
>>>>    racluster -f racluster.conf -r file
>>>>
>>>> The status=0 tells racluster.1 not to merge the records together.
>>>> How does that work for you ????
>>>>
>>>> Carter
>>>>
>>>> > On Jun 2, 2016, at 4:18 PM, Raphael Campos Silva via Argus-info <
>>>> argus-info at lists.andrew.cmu.edu> wrote:
>>>> >
>>>> > Hello guys,
>>>> >
>>>> > I'm using racluster to aggregate some http flows, but I don't want to
>>>> aggregate DNS flows. By default, racluster aggregates all DNS flows, like
>>>> this:
>>>> > % racluster -r cleaned_dump.argus
>>>> >
>>>> > udp    192.168.100.106.1041     <->      192.168.100.1.domain        8       1041   CON
>>>> >
>>>> > To aggregate http, I just used the following filter (with the -f option)
>>>> and everything is O.K.:
>>>> >
>>>> > filter="tcp"            model="saddr daddr proto dport sport"
>>>> >
>>>> > I've tried something like this for DNS, but it is not working (it returns
>>>> ArgusParseAggregator: ArgusNewAggregator returned NULL):
>>>> > filter="udp and dst port 53"           model="none"
>>>> >
>>>> > If I don't use the option -f with racluster and pass "-m none" to the
>>>> program, all DNS flows are correct, but the http flows aren't aggregated.
>>>> >
>>>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        240
>>>> > 192.168.100.106.1042      ->        A.http          7        714
>>>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        224
>>>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        368
>>>> > 192.168.100.106.1041     <->      192.168.100.1.domain        2        209
>>>> > 192.168.100.106.1042      ->        A.http          2        114
>>>> >
>>>> > I read the racluster manual and tried some configs but I couldn't
>>>> find a solution for this. Probably I'm missing something.
>>>> > Any suggestion is welcome.
>>>> >
>>>> > Tks.
>>>> > --
>>>> > Raphael Campos Silva
>>>> > Computer Science - IBILCE Rio Preto - SP
>>>> > Knowledge, exploit it.
>>>> >
>>>>
>>>>
>>>
>>>
>>> --
>>> Raphael Campos Silva
>>> Computer Science - IBILCE Rio Preto - SP
>>> *Knowledge, exploit it.*
>>>
>>>
>>>
>>
>>
>> --
>> Raphael Campos Silva
>> Computer Science - IBILCE Rio Preto - SP
>> *Knowledge, exploit it.*
>>
>>
>>
>
>
> --
> Raphael Campos Silva
> Computer Science - IBILCE Rio Preto - SP
> *Knowledge, exploit it.*
>
>
>
>


-- 
Raphael Campos Silva
Computer Science - IBILCE Rio Preto - SP
*Knowledge, exploit it.*
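The ra and racluster listings in this thread can be compared mechanically. The following is an added example, not code from the thread or from the argus-clients tools: it parses the fixed-width ra/racluster output, keys each record the way the conf's model "saddr daddr proto dport sport" would, and reports which flows racluster merged and whether their packet and byte totals reconcile. It assumes ra's default column order and a single-token Flgs field; the input strings are the thread's own listings re-joined one record per line.

```python
# Added example (not from the thread or from argus-clients): detect merged records.
import re
from collections import defaultdict

# Constructed input: the thread's 'ra - port 53' listing, re-joined one record per line ...
RA_PORT53 = """\
21:53:13.609647  e  udp  192.168.100.106.1040  <->  192.168.100.1.domain  2  240  CON
21:53:14.135221  e  udp  192.168.100.106.1040  <->  192.168.100.1.domain  2  224  CON
21:53:15.079598  e  udp  192.168.100.106.1040  <->  192.168.100.1.domain  2  368  CON
21:53:16.315496  e  udp  192.168.100.106.1040  <->  192.168.100.1.domain  2  209  CON
"""
# ... and its 'racluster -f /etc/racluster.conf - port 53' listing (a single merged record).
RACLUSTER_PORT53 = """\
21:53:13.609647  e  udp  192.168.100.106.1040  <->  192.168.100.1.domain  8  1041  CON
"""

# Assumes ra's default columns (StartTime Flgs Proto SrcAddr Dir DstAddr TotPkts TotBytes
# State), ports folded into the address columns, and a single-token Flgs field.
RECORD = re.compile(r"^\s*(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
                    r"\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_records(text):
    """One dict per flow record; the header line and blank lines do not match and are skipped."""
    recs = []
    for m in filter(None, map(RECORD.match, text.splitlines())):
        g = m.groups()
        recs.append({"proto": g[2], "src": g[3], "dst": g[5], "pkts": int(g[6]), "bytes": int(g[7])})
    return recs

def summarize(records):
    """Per flow key (proto, saddr.sport, daddr.dport), mirroring the conf's model: count and totals."""
    agg = defaultdict(lambda: {"records": 0, "pkts": 0, "bytes": 0})
    for r in records:
        k = (r["proto"], r["src"], r["dst"])
        agg[k]["records"] += 1
        agg[k]["pkts"] += r["pkts"]
        agg[k]["bytes"] += r["bytes"]
    return dict(agg)

def merged_flows(before_text, after_text):
    """Keys whose record count shrank between listings (racluster merged them) plus a
    conservation flag: a correct merge keeps the summed TotPkts/TotBytes unchanged."""
    before, after = summarize(parse_records(before_text)), summarize(parse_records(after_text))
    out = {}
    for k, b in before.items():
        a = after.get(k)
        if a and a["records"] < b["records"]:
            out[k] = {"from": b["records"], "to": a["records"],
                      "conserved": (a["pkts"], a["bytes"]) == (b["pkts"], b["bytes"])}
    return out
```

merged_flows(RA_PORT53, RACLUSTER_PORT53) reports the DNS key going from 4 records to 1 with conserved=True, confirming that the 8-packet/1041-byte record is exactly the four 2-packet transactions folded together.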