ra output interpretation

Russell Fulton r.fulton at auckland.ac.nz
Wed Jun 23 19:10:21 EDT 1999


Greetings All,
	     I run two argus servers, one in detail mode and one not.
(To be complete the one in detail mode is 1.7be and the other one
is 1.8 code).

The data here comes from the port scan of a machine (130.216.85.131)
that should be invisible (except for pings) from the outside.  I will
present data for one connection from both logs and would like an
explanation of what it actually means.  I am confused (if that isn't
already apparent ;-)

First data from server in detail mode:

argus at k-meter argus]$ grep '\.80 ' june/139.80.75.71 
Wed 06/23 16:03:09     icmp    xxx.yy.75.71        ->  130.216.85.131       1      0                          ECO
Wed 06/23 16:03:09     icmp    xxx.yy.75.71       <->  130.216.85.131       1      1                          ECO
Wed 06/23 16:03:24      tcp    xxx.yy.75.71.41325 <?>  130.216.85.131.80    1      0       0         0        EST
Wed 06/23 16:03:24      tcp    xxx.yy.75.71.41325 <|   130.216.85.131.80    0      1       0         0        RST

the same session reported by the other server was:

Wed 06/23 16:03:09     icmp    xxx.yy.75.71       <->  130.216.85.131       1      1                          ECO
Wed 06/23 16:03:24      tcp    xxx.yy.75.71.41325 <|   130.216.85.131.80    1      1       0         0        RST

This caught my eye because traffic to that address should be blocked
at our packet filter (the argus machines are outside the packet
filter).

These are the first packets of the scan i.e. a ping followed by a tcp
packet to port 80.  These were followed by a normal port scan with
ports probed in random order.

My guess is that the initial probe to port 80 had some illegal
combination of flags which has confused ra and caused something (our
packet filter ?) to send a reset.

Is there any way to glean more information from these records using
existing tools?

Any other ideas?

Cheers, Russell.
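
[Added example, not from the post and not code from the argus
distribution: a small Python parser for the ra records quoted above,
plus the check the post is really asking for, namely whether a host that
should only answer pings is seen answering TCP.  What the numeric
columns mean (packets from the source side, packets from the destination
side, then bytes for TCP) and the set of "filtered" hosts are
assumptions, marked as such in the code; the direction glyph and state
are carried through as-is rather than interpreted.]

```python
"""Parser and check for the ra(1) flow records quoted in the post.

Added example, not code from argus or from the post's author.
ASSUMPTIONS (not confirmed by the post): the numeric columns are, in order,
packets from the source side, packets from the destination side, then bytes
from each side for TCP; the direction glyph and state are taken as-is."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed input: the detail-mode records quoted in the post, verbatim.
SAMPLE_RA_OUTPUT = """\
Wed 06/23 16:03:09     icmp    xxx.yy.75.71        ->  130.216.85.131       1      0                          ECO
Wed 06/23 16:03:09     icmp    xxx.yy.75.71       <->  130.216.85.131       1      1                          ECO
Wed 06/23 16:03:24      tcp    xxx.yy.75.71.41325 <?>  130.216.85.131.80    1      0       0         0        EST
Wed 06/23 16:03:24      tcp    xxx.yy.75.71.41325 <|   130.216.85.131.80    0      1       0         0        RST
"""

# Hypothetical policy: hosts the packet filter should hide except for pings.
FILTERED_HOSTS: Set[str] = {"130.216.85.131"}


@dataclass
class Flow:
    date: str
    time: str
    proto: str
    src_host: str
    src_port: Optional[int]
    direction: str
    dst_host: str
    dst_port: Optional[int]
    counts: List[int]      # numeric columns between dst and state, file order
    state: str

    @property
    def src_pkts(self) -> int:        # ASSUMED meaning of the first count column
        return self.counts[0] if self.counts else 0

    @property
    def dst_pkts(self) -> int:        # ASSUMED meaning of the second count column
        return self.counts[1] if len(self.counts) > 1 else 0


def _split_endpoint(endpoint: str, proto: str) -> Tuple[str, Optional[int]]:
    """TCP/UDP endpoints carry the port as a trailing dotted component."""
    if proto in ("tcp", "udp"):
        host, _, port = endpoint.rpartition(".")
        return host, int(port)
    return endpoint, None


def parse_ra_line(line: str) -> Flow:
    """One ra record: weekday date time proto src dir dst <counts...> state."""
    fields = line.split()
    if len(fields) < 8:
        raise ValueError("not an ra record: %r" % line)
    _weekday, date, time, proto, src, direction, dst = fields[:7]
    state = fields[-1]
    counts = [int(x) for x in fields[7:-1]]
    src_host, src_port = _split_endpoint(src, proto)
    dst_host, dst_port = _split_endpoint(dst, proto)
    return Flow(date, time, proto, src_host, src_port, direction,
                dst_host, dst_port, counts, state)


def parse_ra_output(text: str) -> List[Flow]:
    return [parse_ra_line(l) for l in text.splitlines() if l.strip()]


def unexpected_replies(flows: List[Flow], filtered_hosts: Set[str]) -> List[Flow]:
    """Non-ICMP flows to a filtered host in which that host is seen answering.
    Under the column assumption above, that is dst_pkts > 0."""
    return [f for f in flows
            if f.proto != "icmp"
            and f.dst_host in filtered_hosts
            and f.dst_pkts > 0]


if __name__ == "__main__":
    for f in unexpected_replies(parse_ra_output(SAMPLE_RA_OUTPUT), FILTERED_HOSTS):
        print("%s %s %s %s:%s %s %s:%s state=%s dst_pkts=%d" % (
            f.date, f.time, f.proto, f.src_host, f.src_port, f.direction,
            f.dst_host, f.dst_port, f.state, f.dst_pkts))
```

Run against the four quoted lines it reports only the final RST record,
because that is the one record in which the count column assumed to be
"packets from the destination" is non-zero for a TCP flow to the filtered
host; the EST record with the <?> glyph shows one packet out and nothing
back, which is consistent with the filter dropping it.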
