Argus-2.0 Clients

David Brumley dbrumley at rtfm.stanford.edu
Fri Jul 21 16:20:50 EDT 2000


> On Wed, 19 Jul 2000 08:24:07 -0400 Carter Bullard <carter at qosient.com> 
> wrote:
> 
> > Hey Russell,
> >    Thanks for the reply!!  Do you think that Argus
> > has all the information you need, or have you run into
> > situations where you really needed something more?
> 
> Firstly, I don't consider myself to be an expert in this area.  
> Basically all I have done is write some scripts that do some fairly 
> obvious things.  I think David, Neil and Peter all know more about 
> the low level mechanics of what attackers are doing than I do so I 
> would be very interested in their opinions of this matter.
> 

You give me too much credit :)  Since the number of TCP/IP combinations is
almost infinite, it's really hard to say what people are going to do to
disguise traffic in the long run.  So, I think adding an expression filter
where you can specify events (as in a chain of TCP/IP packets) and an
action.

For example, some DDOS clients use ICMP ECHO_REPLY to communicate.  There
are two ways you can go about this:
1. If you see an echo_reply without an echo_request, raise an
event.  So, in any stream if this pattern is matched raise a warning or
something. Pseudo code:
  [ in any ICMP stream where ICMP_ECHOREPLY seen and not ICMP_ECHO write
logs/covert_icmp.%d%m%s]

or, for fragment hidden streams:
  [ in any TCP stream where NUM_FRAGMENTS > 20 in 10 minutes write
logs/covert_fragments_%d%m%s]

2. A little different perspective would be saying alert me when you see a
packet of a certain type and some size.  Since most pings put struct tm
in the data section, you could specify an event where ECHOREPLY's data was
greater or less than this struct size.  Of course those sizes may change a
bit depending on the OS, but I think it's a good first approximation.

More or less, it seems like you're going to want to incorporate some ngrep
type features into argus.
  

cheers,
david

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
	    "I have opinions, my employer does not."
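The two ICMP heuristics sketched in the post above, written out as runnable detection logic. This is an added example, not code from the post or from Argus; the record format, the ICMP type constants and the payload-size bounds are assumptions for the illustration, and the sample packets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO = 8        # ICMP type: echo request
ICMP_ECHOREPLY = 0   # ICMP type: echo reply
# Assumed bounds for a normal ping payload (timestamp plus padding); tune per OS.
PING_PAYLOAD_MIN = 8
PING_PAYLOAD_MAX = 64

@dataclass
class IcmpRecord:
    """One ICMP packet, constructed for this example (not real Argus output)."""
    ts: float
    src: str
    dst: str
    icmp_type: int
    icmp_id: int
    payload_len: int

def covert_icmp_events(records):
    """Return (ts, reason, record) for each echo reply that either has no
    outstanding echo request in the reverse direction or carries an unusual
    payload size (the two heuristics sketched in the post)."""
    events = []
    # (requester, responder, icmp id) -> number of requests not yet answered
    pending = defaultdict(int)
    for r in sorted(records, key=lambda rec: rec.ts):
        if r.icmp_type == ICMP_ECHO:
            pending[(r.src, r.dst, r.icmp_id)] += 1
        elif r.icmp_type == ICMP_ECHOREPLY:
            key = (r.dst, r.src, r.icmp_id)  # a reply travels back to the requester
            if pending[key] > 0:
                pending[key] -= 1
            else:
                events.append((r.ts, "echo_reply_without_request", r))
            if not PING_PAYLOAD_MIN <= r.payload_len <= PING_PAYLOAD_MAX:
                events.append((r.ts, "echo_reply_odd_payload_size", r))
    return events

# Constructed sample traffic: one normal exchange, then two unsolicited replies,
# the second of which also carries an oversized payload.
SAMPLE = [
    IcmpRecord(1.0, "10.0.0.5", "10.0.0.9", ICMP_ECHO, 0x1234, 56),
    IcmpRecord(1.1, "10.0.0.9", "10.0.0.5", ICMP_ECHOREPLY, 0x1234, 56),
    IcmpRecord(5.0, "10.0.0.7", "10.0.0.5", ICMP_ECHOREPLY, 0x0BAD, 56),
    IcmpRecord(6.0, "10.0.0.9", "10.0.0.5", ICMP_ECHOREPLY, 0x1234, 1024),
]

if __name__ == "__main__":
    for ts, reason, rec in covert_icmp_events(SAMPLE):
        print(f"{ts:6.1f} {reason:28s} {rec.src} -> {rec.dst} len={rec.payload_len}")
```

The request/reply pairing is per (requester, responder, ICMP id), so a reply whose request was already consumed is flagged just like one that never had a request.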
