[netsa-tools-discuss] Using rwfilter --flags-initial to filter server and client addresses

asad a.alii85 at gmail.com
Mon Oct 26 11:03:46 EDT 2015


Mark-

This begs the question of how I change the command to suit its purpose.
I'm not using YAF, but I have seen in the analyst handbook that there are
examples using all-flags without ever mentioning YAF involvement.

So, for this case to work what should I be changing in my command?

On Mon, Oct 26, 2015 at 7:05 PM, Mark Thomas <mthomas at cert.org> wrote:

> asad-
>
> The "initialFlags" field of the SiLK flow record (which is the field
> checked by the --flags-initial switch on rwfilter) is only populated
> when the flow record was converted from an IPFIX record generated by
> YAF.
>
> Unless you are using YAF as your flow generator, the initialFlags
> field is always empty.
>
> -Mark
>
>
> -----Original Message-----
> From: asad <a.alii85 at gmail.com>
> Date: Mon, 26 Oct 2015 13:43:15 +0500
> To: <netsa-tools-discuss at cert.org>
> Subject: [netsa-tools-discuss] Using rwfilter --flags-initial to filter
>         server and client addresses
>
> Hello,
>
> I'm processing Nexus 7k logs, and on one VLAN I have tried to filter
> all those IP addresses that are responsible for the initial query
> (handshake). My cmd and results look like
>
> "rwfilter  --sensor=S1 --type=int2int  --start-date=2015/10/15
> --end-date=2015/10/23 --flags-initial=S/SA --print-statistics
> --pass=query.rw
> Files   216.  Read      35403.  Pass          0. Fail       35403."
>
> If the filter is correct, does it mean I don't have a client in my VLAN
> and all are servers? Can this query be converted to identify a list of
> source IP addresses which requested connections to the servers in a
> specific VLAN?
>
> Thanks.
>
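Added example, not code from this thread or from the SiLK project: a small model of the HIGH/MASK TCP-flag test that rwfilter applies for --flags-initial and --flags-all, run over constructed flow records. It reproduces the "Pass 0" result from the original message when the initialFlags field is never populated, shows why testing the union-of-flags field with S/SA does not isolate initiators either, and shows what the same S/SA test returns once initial flags are present the way YAF supplies them. The record layout, the sample addresses and the treatment of a bare "S" as "S/S" are assumptions made for this example.

```python
# Added example (not from the mailing-list thread or the SiLK code base):
# models rwfilter's HIGH/MASK flag test over constructed flow records.
# Flag bit values follow the TCP header; the record layout, sample data and
# the shorthand "S" == "S/S" are assumptions made for this illustration.

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}


def parse_flags(text):
    """Turn a flag letter string such as 'SA' into a TCP flag bitmask."""
    mask = 0
    for ch in text.upper():
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {ch!r}")
        mask |= FLAG_BITS[ch]
    return mask


def parse_high_mask(spec):
    """Parse the HIGH/MASK syntax: 'S/SA' means SYN set, ACK clear, all
    other flags ignored. A bare 'S' is treated here as 'S/S' (assumption)."""
    high, mask = spec.split("/", 1) if "/" in spec else (spec, spec)
    high_bits, mask_bits = parse_flags(high), parse_flags(mask)
    if high_bits & ~mask_bits:
        raise ValueError("every HIGH flag must also appear in MASK")
    return high_bits, mask_bits


def flags_match(flags, high_bits, mask_bits):
    """True when, looking only at the MASK bits, exactly HIGH is set."""
    return (flags & mask_bits) == high_bits


def make_flow(sip, dip, dport, all_flags, initial=None):
    """Constructed flow record: 'flags' is the union of TCP flags seen over
    the whole flow; 'initial_flags' is None when the exporter never set it."""
    return {"sip": sip, "dip": dip, "dport": dport,
            "flags": parse_flags(all_flags),
            "initial_flags": None if initial is None else parse_flags(initial)}


# Case 1 (the situation in the thread): the exporter reports only the union
# of flags. Both halves of an HTTPS session carry SPA; initialFlags is absent.
NON_YAF_FLOWS = [
    make_flow("10.1.1.20", "10.1.2.5", 443, "SPA"),
    make_flow("10.1.2.5", "10.1.1.20", 51234, "SPA"),
    make_flow("10.1.1.21", "10.1.2.5", 22, "SAF"),
]

# Case 2: the same traffic with the first packet's flags recorded, as YAF
# does: bare SYN on the client side, SYN+ACK on the server side.
YAF_FLOWS = [
    make_flow("10.1.1.20", "10.1.2.5", 443, "SPA", initial="S"),
    make_flow("10.1.2.5", "10.1.1.20", 51234, "SPA", initial="SA"),
    make_flow("10.1.1.21", "10.1.2.5", 22, "SAF", initial="S"),
]


def filter_flags_initial(flows, spec):
    """Model of --flags-initial=SPEC: a record whose initialFlags was never
    populated cannot match any HIGH/MASK test, whatever SPEC says."""
    high, mask = parse_high_mask(spec)
    return [f for f in flows
            if f["initial_flags"] is not None
            and flags_match(f["initial_flags"], high, mask)]


def filter_flags_all(flows, spec):
    """Model of --flags-all=SPEC, tested against the union-of-flags field."""
    high, mask = parse_high_mask(spec)
    return [f for f in flows if flags_match(f["flags"], high, mask)]


def statistics(flows, passed):
    """Read/pass/fail counts in the style of --print-statistics."""
    return {"read": len(flows), "pass": len(passed),
            "fail": len(flows) - len(passed)}


def initiating_sources(flows):
    """Distinct source IPs of flows whose first packet was a bare SYN."""
    return sorted({f["sip"] for f in filter_flags_initial(flows, "S/SA")})


if __name__ == "__main__":
    # Without initialFlags the thread's filter passes nothing.
    print(statistics(NON_YAF_FLOWS, filter_flags_initial(NON_YAF_FLOWS, "S/SA")))
    # Testing the union field with S/SA also passes nothing here, because a
    # completed session has ACK set somewhere in the flow.
    print(statistics(NON_YAF_FLOWS, filter_flags_all(NON_YAF_FLOWS, "S/SA")))
    # With YAF-style initial flags the same S/SA test isolates the clients.
    print(initiating_sources(YAF_FLOWS))
```

The two statistics calls show that neither flag field gives the list asad asked for when the exporter only reports the union of flags; the last call shows that the original --flags-initial=S/SA command does produce the list of connection initiators once the records carry initial flags.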