TCP state flags

Carter Bullard carter at qosient.com
Tue Sep 5 21:37:52 EDT 2000


Gentle people (especially Russell).

I'm doing the TCP state flags even now as I write,
and I'd like to add one more character to Russell's
encodings.  I know, I know, where have I been
until now ;O)

I'd like to add an explicit FIN/ACK indicator so I
can discriminate between connections that get RSTs
after a FIN or FIN/ACK.  Pretty esoteric, but this
would work for me.  This was/is not possible with
the existing state machine status reports, so I'm
going to rework the TCP state machine to do this.

Is this cool?


Carter


sSEfFCR

s == SYN Sent
S == SYN/ACK seen
E == Established
f == FIN Seen
F == FIN/ACK Seen
C == Completed
R == RESET

-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
Sent: Tuesday, August 01, 2000 1:08 AM
To: argus
Subject: Re: RE: patch for 1.8.1



On Tue, 1 Aug 2000 00:22:08 -0400 Mark Poepping <poepping at cmu.edu>
wrote:

>
> I combined the two patches and posted..
>
> ftp://ftp.andrew.cmu.edu/pub/argus/argus-1.8.1
>
> One of these days we'll do the sig stamps again..
> mark.
>
>

Hmmm... since we are talking patches...

I have a patch which affects ra output

a/ changes the format of the date displayed in ra.  It does this by
replacing static strings passed to strftime with a define which is set
in one of the top level includes.  My format looks like this:
'31 Jul 00 00:41:31' and avoids the ambiguity of English/American
format.

I changed this after several occasions when I misreported incident
times/dates by cut/pasting times from argus logs.  Sigh...

So the current patch allows one to set the timestamp format at compile
time.  An alternative/addition would be to use yet another flag to pass
the format string to ra.  This is probably the best way to do it.  I.e.
you get to specify the default format at compile time and if you want
to override it you say ra -D <fmt string> ....  This would work well
for my scripts which invoke ra (and sometimes extract time stamps).  We
could make <fmt string> "English", 'American', 'International' or
<strftime fmt> to save having to muck around with strftime formats.

b/ I have added -z (we are running out of flags!) flag that tells ra to
print more tcp status information. Status field looks like this for
normal tcp session:

sSEFC

s == SYN Sent
S == SYN/ACK seen
E == Established
F == FIN Seen
C == Completed

Also R == RST Seen -- look at the <> to see which direction.

Note: this breaks the 80 column limit for some records...

Here are some probes from an ongoing distributed scan we are
currently experiencing...

31 Jul 00 15:52:10 s    tcp   212.179.30.13.23226  ->    130.216.4.18.110   5      0       0         0        s
31 Jul 00 15:54:47      tcp   212.179.30.13.20184 <|   130.216.196.18.143   1      1       0         0        sR
31 Jul 00 15:58:28 s    tcp   212.179.30.13.20600  ->   130.216.20.18.143   5      0       0         0        s
31 Jul 00 15:59:37 s    tcp   212.179.30.13.20728  ->  130.216.148.18.110   5      0       0         0        s
31 Jul 00 16:01:36 s    tcp   212.179.30.13.20950  ->   130.216.52.18.110   5      0       0         0        s
31 Jul 00 16:02:57 s    tcp   212.179.30.13.21101  ->  130.216.116.18.110   5      0       0         0        s
31 Jul 00 16:04:09 s    tcp   212.179.30.13.21234  ->   130.216.12.18.143   5      0       0         0        s
31 Jul 00 16:09:52 s    tcp   212.179.30.13.21864  ->   130.216.28.18.143   5      0       0         0        s
31 Jul 00 16:12:24 s    tcp   212.179.30.13.22140  ->   130.216.60.18.143   5      0       0         0        s
31 Jul 00 16:13:48 s    tcp   212.179.30.13.22294  ->  130.216.124.18.143   5      0       0         0        s
31 Jul 00 16:19:33      tcp   212.179.30.13.22917 <|   130.216.162.18.143   1      1       0         0        sR
31 Jul 00 16:18:30 s    tcp   212.179.30.13.22804  ->   130.216.34.18.143   2      0       0         0        s

I make use of this state info in my scan detection programs to weed out
random garbage (like third-party effects of DoS, stray FINs from old
sessions, etc.).

I would very much like to get these patches into the standard
distribution as it would make it much easier for others to use my scan
detection scripts.

If there is interest I will build a new patch set against the 1.8.1
source and submit them.

Cheers, Russell.
