pcr and

Frank argus-mailinglist-1524134246 at f-block.org
Fri Apr 20 06:39:09 EDT 2018 

Hi,

i'm new to the list and to argus, so i hope i don't repeat already asked
questions.
First of all: i really like the workflow of argus and its functionality.
But i encountered some obstacles that however might also be caused by my
misunderstanding.

Argus server and client version: 3.0.8.2


1. Is it possible that the PCR functionality is broken? I always get a
PCR of -0

ra -r argus.out -s sbytes dbytes pcr | head
SrcBytes  DstBytes  PCRatio
83        126       -0.000000
1644    4213      -0.000000
83        126       -0.000000
194       0         -0.000000
194       0         -0.000000
73        89        -0.000000
73        101       -0.000000
74        60        -0.000000
3351      4025      -0.000000


2. Did i see right that it is not possible to aggregate on the argus
sequence number, or did i overlook something? The main reason i'd
want/need this is for an accurate mean duration time. The best i was
able to accomplish was an aggregation (via racluster) over proto src/dst
addr/port, but this does e.g. not work with ntp queries.
I've set ARGUS_FLOW_STATUS_INTERVAL=1800 , and when i look for long
connections and aggregate with '-m proto saddr sport daddr dport' , i
get a maximum mean time of 1800, as each status message seems to be
treated as a separate flow (at least it looks that way to me). When i
also use -M norep, it works for all connections where the selected
features are unique for the connection, but, as mentioned before, does
not work with ntp connections, or for chatty hosts that use the same
source port for a destination host twice or more.


3. Another issue that i encounter is a weird filtering behaviour.
For example:

ra -r argus.out -- 'not (ip proto udp)'
ra[26153]: 1524219408.776398 filter syntax error: 'not (ip proto udp)'

ra -r argus.out -- 'not (ip proto tcp)'
ra[26219]: 12:19:04.157946 filter syntax error: 'not (ip proto tcp)'

ra -r argus.out -- 'not (ip proto udp or tcp)'
ra[26233]: 12:19:31.355346 filter syntax error: 'not (ip proto udp or ...'

But this works:
ra -r argus.out -- 'not (ip proto "udp")'
ra -r argus.out -- 'not (ip proto 17 or tcp)'
ra -r argus.out -- 'not (ip proto "udp" or tcp)'
ra -r argus.out -- 'not udp and not tcp'


Thanks in advance and regards,
Frank

More information about the argus mailing list