Argus-2.0 Clients

Russell Fulton r.fulton at auckland.ac.nz
Fri Jul 21 23:13:25 EDT 2000


On Fri, 21 Jul 2000 13:20:50 -0700 (PDT) David Brumley 
<dbrumley at rtfm.stanford.edu> wrote:

> > On Wed, 19 Jul 2000 08:24:07 -0400 Carter Bullard <carter at qosient.com> 
> > wrote:
> > 
> > > Hey Russell,
> > >    Thanks for the reply!!  Do you think that Argus
> > > has all the information you need, or have you run into
> > > situations where you really needed something more?
> > 
> > Firstly, I don't consider myself to be an expert in this area.  
> > Basically all I have done is write some scripts that do some fairly 
> > obvious things.  I think David, Neil and Peter all know more about the 
> > the low level mechanics of what attackers are doing than I do so I 
> > would be very interested in their opinions of this matter.
> > 
> 
> You give me too much credit :) Since the number of TCP/IP combinations is
> almost infinite, it's really hard to say what people are going to do to
> disguise traffic in the long run.  So, I think adding an expression filter
> where you can specify events (as in a chain of TCP/IP packets) and an
> action.

That's the conclusion I came to too. As I have said before, the best 
way that argus can help with this problem is to report *all* packets 
that don't fit into established tcp streams, cause illegal state 
transitions or are illegal in some other way.

Another way of stating this is that it is easier to enumerate the legal 
states (be they flag combination or state transitions) than the 
illegal. 

hmmmm... I guess what Carter is asking for is samples of illegal 
traffic from known tools that should be flagged so he can build up a 
test set that can be used for regression testing.  If that is the case 
then we need to keep it up to date as new tools and techniques emerge.

I have already volunteered to get some samples of nmap scans and finger 
printing.  Are there any other tools which we need samples from?

I seem to remember that the new argus record does have the ability to 
save some packet data.  This would be very useful in regard to 
anomalous traffic.  So when we get 'bad' packets then argus can 
actually keep copies of the headers and possibly payload.

A while back I commented that what I really wanted was a cross between 
argus and snort; this was one of the things I had in mind.

One other thing that I have wanted to do from time to time in my scan 
detector (which listens on a socket to an argus server in detail mode) 
is to tell 'something' to start capturing a packet stream for me.  I 
tried to do this by forking a process to run tcpdump but in just about 
every case by the time that tcpdump got started the traffic I was 
interested in had ceased -- typically class C scans which last a few 
seconds.

What would be neat would be a process that kept a few minutes buffer of 
network packets (like the modern portable CD players).  With current 
memory prices this is now feasible (at least at the data rates that I 
have to contend with). Then I could do retrospective packet dumps!

This is almost certainly outside the scope of the argus project but if 
anyone knows of something that does, I would like to hear. (something else 
to play with in my copious spare time ;-)

Cheers, Russell.
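Two of the ideas in this message, as an added Python example (not code from the original post, from Argus or from any of the posters): first, enumerate the legal TCP flag combinations and report every packet that falls outside that set, rather than trying to list each illegal one; second, keep a rolling in-memory buffer of the last few minutes of packets so that, when such a packet appears, the traffic that preceded it can be dumped retrospectively instead of starting tcpdump after the fact. The Packet record, the legal-flag table, the 120-second window and the sample traffic are all constructed for the example; nothing here reads a live interface.

```python
"""Constructed example: legal-state TCP flag check plus a retrospective
packet buffer. Not part of Argus or of the original mailing-list post."""
from collections import deque
from dataclasses import dataclass

# TCP flag bits as laid out in the header's flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations seen in a well-behaved TCP conversation. PSH and URG
# are handled separately: they may ride on any ACK-bearing segment but
# never make a combination legal on their own. (Assumed table, not Argus's.)
LEGAL_FLAGS = {
    SYN,          # connection request
    SYN | ACK,    # connection accept
    ACK,          # data or pure acknowledgement
    FIN | ACK,    # orderly close
    RST,          # abort with no acknowledgement
    RST | ACK,    # abort in response to a received segment
}


def flags_are_legal(flags: int) -> bool:
    """True when the flag byte is one of the enumerated legal states."""
    core = flags & ~(PSH | URG)
    if core != flags and not core & ACK:
        # PSH/URG present without ACK (a bare PSH, or FIN+PSH+URG)
        return False
    return core in LEGAL_FLAGS


@dataclass
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: int


class RetroBuffer:
    """Rolling buffer holding the most recent `window` seconds of packets."""

    def __init__(self, window: float) -> None:
        self.window = window
        self._buf: deque = deque()

    def push(self, pkt: Packet) -> None:
        self._buf.append(pkt)
        # Evict packets older than the window, measured from the newest one.
        while self._buf and pkt.ts - self._buf[0].ts > self.window:
            self._buf.popleft()

    def snapshot(self) -> list:
        return list(self._buf)


def monitor(packets, window: float = 120.0) -> list:
    """Return (offending packet, buffered history) for every illegal packet.

    Each packet enters the buffer before the check, so the snapshot taken
    on an alert holds the offending packet plus everything that preceded
    it within the window.
    """
    buf = RetroBuffer(window)
    alerts = []
    for pkt in packets:
        buf.push(pkt)
        if not flags_are_legal(pkt.flags):
            alerts.append((pkt, buf.snapshot()))
    return alerts


# Constructed sample traffic: a normal handshake, an unrelated later SYN,
# then two probe packets with flag combinations no real stack sends.
SAMPLE = [
    Packet(0.00, "10.0.0.1", "10.0.0.2", 80, SYN),
    Packet(0.01, "10.0.0.2", "10.0.0.1", 34567, SYN | ACK),
    Packet(0.02, "10.0.0.1", "10.0.0.2", 80, ACK),
    Packet(0.50, "10.0.0.1", "10.0.0.2", 80, ACK | PSH),
    Packet(198.0, "10.0.0.3", "10.0.0.2", 443, SYN),
    Packet(200.00, "192.0.2.9", "10.0.0.2", 22, 0),                # no flags
    Packet(200.01, "192.0.2.9", "10.0.0.2", 23, FIN | PSH | URG),  # FIN/PSH/URG
]


def run_sample() -> list:
    """Run the constructed sample through the monitor with a 120 s window."""
    return monitor(SAMPLE, window=120.0)


if __name__ == "__main__":
    for pkt, history in run_sample():
        print(f"illegal flags 0x{pkt.flags:02x} from {pkt.src} to "
              f"{pkt.dst}:{pkt.dport}; {len(history)} buffered packet(s)")
```

The eviction is keyed to the newest packet's timestamp rather than the wall clock, so the buffer behaves the same on a replayed capture as on live input; in the sample, the handshake at t=0 has already aged out by the time the probes arrive at t=200, while the SYN at t=198 is still in the snapshot that accompanies each alert.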


