patch for 1.8.1

Russell Fulton r.fulton at auckland.ac.nz
Tue Aug 1 01:08:01 EDT 2000


On Tue, 1 Aug 2000 00:22:08 -0400 Mark Poepping <poepping at cmu.edu> 
wrote:

> 
> I combined the two patches and posted..
> 
> ftp://ftp.andrew.cmu.edu/pub/argus/argus-1.8.1
> 
> One of these days we'll do the sig stamps again..
> mark.
> 
> 

Hmmm... since we are talking patches...

I have a patch which affects ra output

a/ changes the format of the date displayed in ra.  It does this by 
replacing static strings passed to strftime with a define which is set 
in one of the top level includes.  My format looks like this:
'31 Jul 00 00:41:31' and avoids the ambiguity of English/American 
format.

I changed this after several occasions when I misreported incident 
times/dates by cut/pasting times from argus logs.  Sigh...

So the current patch allows one to set the timestamp format at compile 
time.  An alternative/addition would be to use yet another flag to pass 
the format string to ra.  This is probably the best way to do it.  I.e. 
you get to specify the default format at compile time and if you want 
to override it you say ra -D <fmt string> ....  This would work well 
for my scripts which invoke ra (and sometimes extract time stamps).  We 
could make <fmt string> "English", 'American', 'International' or 
<strftime fmt> to save having to muck around with strftime formats.

b/ I have added a -z flag (we are running out of flags!) that tells ra to 
print more tcp status information. The status field looks like this for a 
normal tcp session:

sSEFC

s == SYN Sent
S == SYN/ACK seen
E == Established
F == FIN Seen
C == Completed

Also R == RST Seen -- look at the <> to see which direction.

Note: this breaks the 80 column limit for some records...

Here are some probes from an ongoing distributed scan we are 
currently experiencing...

31 Jul 00 15:52:10 s    tcp   212.179.30.13.23226  ->    130.216.4.18.110   5      0       0         0        s
31 Jul 00 15:54:47      tcp   212.179.30.13.20184 <|   130.216.196.18.143   1      1       0         0        sR
31 Jul 00 15:58:28 s    tcp   212.179.30.13.20600  ->   130.216.20.18.143   5      0       0         0        s
31 Jul 00 15:59:37 s    tcp   212.179.30.13.20728  ->  130.216.148.18.110   5      0       0         0        s
31 Jul 00 16:01:36 s    tcp   212.179.30.13.20950  ->   130.216.52.18.110   5      0       0         0        s
31 Jul 00 16:02:57 s    tcp   212.179.30.13.21101  ->  130.216.116.18.110   5      0       0         0        s
31 Jul 00 16:04:09 s    tcp   212.179.30.13.21234  ->   130.216.12.18.143   5      0       0         0        s
31 Jul 00 16:09:52 s    tcp   212.179.30.13.21864  ->   130.216.28.18.143   5      0       0         0        s
31 Jul 00 16:12:24 s    tcp   212.179.30.13.22140  ->   130.216.60.18.143   5      0       0         0        s
31 Jul 00 16:13:48 s    tcp   212.179.30.13.22294  ->  130.216.124.18.143   5      0       0         0        s
31 Jul 00 16:19:33      tcp   212.179.30.13.22917 <|   130.216.162.18.143   1      1       0         0        sR
31 Jul 00 16:18:30 s    tcp   212.179.30.13.22804  ->   130.216.34.18.143   2      0       0         0        s

I make use of this state info in my scan detection programs to weed out 
random garbage (like third-party effects of DoS, stray FINs from old 
sessions, etc.).

I would very much like to get these patches into the standard 
distribution as it would make it much easier for others to use my scan 
detection scripts.

If there is interest I will build a new patch set against the 1.8.1 
source and submit them.

Cheers, Russell.
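The kind of post-processing the mail describes, as an added example written for this page (not code from the argus patch or Russell's scan detection scripts): it parses the ra records quoted above, decodes the -z status string with the legend given in the mail, and keeps only SYN probes per source host. The record layout (four date/time tokens, an optional single-letter column, then proto/src/dir/dst, four counters and the status string) and the probe heuristic are assumptions of this example.

```python
# Added example, not part of the argus 1.8.1 patch or Russell's scripts.
# Assumes the ra -z layout shown in the mail: "dd Mon yy HH:MM:SS", an
# optional single-letter column, proto src dir dst, four counters and the
# status string.  Reads the fixed part from the right to tolerate the blank.
from collections import defaultdict
from datetime import datetime
TIME_FMT = "%d %b %y %H:%M:%S"          # the unambiguous format from the mail
STATUS_LEGEND = {"s": "SYN sent", "S": "SYN/ACK seen", "E": "established",
                 "F": "FIN seen", "C": "completed", "R": "RST seen"}

# Three of the records quoted in the mail, used here as sample input.
SAMPLE = [
    "31 Jul 00 15:52:10 s    tcp   212.179.30.13.23226  ->    130.216.4.18.110   5      0       0         0        s",
    "31 Jul 00 15:54:47      tcp   212.179.30.13.20184 <|   130.216.196.18.143   1      1       0         0        sR",
    "31 Jul 00 15:58:28 s    tcp   212.179.30.13.20600  ->   130.216.20.18.143   5      0       0         0        s",
]

def parse_ra_line(line):
    """Split one record; the optional column after the time may be blank,
    so the fixed part is taken from the right end of the token list."""
    tok = line.split()
    when = datetime.strptime(" ".join(tok[:4]), TIME_FMT)
    proto, src, direction, dst = tok[-9:-5]
    counts = tuple(int(c) for c in tok[-5:-1])
    src_host, src_port = src.rsplit(".", 1)      # last dotted field is the port
    dst_host, dst_port = dst.rsplit(".", 1)
    return {"time": when, "proto": proto, "src": src_host, "sport": int(src_port),
            "dir": direction, "dst": dst_host, "dport": int(dst_port),
            "counts": counts, "flags": set(tok[-1])}

def describe(flags):
    """Expand a status string such as 'sR' into its legend entries."""
    return [STATUS_LEGEND[f] for f in "sSEFCR" if f in flags]

def classify(flags):
    """Assumed heuristic: Established/Completed is real traffic; a SYN that
    never got there is a probe; FIN, RST or SYN/ACK with no SYN is stray noise."""
    if flags & {"E", "C"}:
        return "connection"
    return "probe" if "s" in flags else "noise"

def probe_summary(lines):
    """Distinct target hosts and ports hit by probe-class tcp records, per source."""
    seen = defaultdict(lambda: {"targets": set(), "ports": set()})
    for rec in map(parse_ra_line, lines):
        if rec["proto"] == "tcp" and classify(rec["flags"]) == "probe":
            seen[rec["src"]]["targets"].add(rec["dst"])
            seen[rec["src"]]["ports"].add(rec["dport"])
    return dict(seen)
```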