argus and snort ?

Russell Fulton r.fulton at auckland.ac.nz
Mon Sep 11 20:39:36 EDT 2000


On Mon, 11 Sep 2000 19:40:51 -0400 Carter Bullard <carter at qosient.com> 
wrote:

> 
> So what is snort doing for you guys that is helping?
> Is there some nugget of goodness that we can add to
> argus that will give the same info?
> 

I have been running snort for about two weeks.  I have spent a lot of 
time trimming out rules with high false +ve rates -- I've dumped most 
of the web and mail stuff.  

During that time snort did pick up two attempts to exploit the sgi 
Telnet bug -- one of these was successful (I wonder how many there 
were before I got snort up). In this case I was able to get hold of the 
administrator and he quickly confirmed the box was 'r00ted'.  We would 
have not found out until the attackers did something obvious with the 
box in question without snort or something similar (or much tighter 
system administration procedures -- the clues were there when they 
looked, i.e. no SYSLOG :( ).

What I want to use snort for is detecting attacks such as buffer 
overflows which have fairly easily recognisable fingerprints.  

The pattern of activity I see from crackers now falls into two classes. 
Reconnaissance/target selection, which usually consists of widespread 
scans that we see in our argus logs every day, and actual attacks, which 
come from completely different addresses.  The follow-up telnet sessions 
are usually from another address.  (This was the case with our last 
compromise.)

Argus is great for finding patterns in traffic that indicate probing -- 
I have just detected a scan from Israel 62.0.55.65 (if you want to look 
;-) which is probing POP and IMAP ports on about 5 to 10 addresses per 
day (there is also, what I believe to be, background decoy traffic at 
about 5 packets per hour).  What argus can't do is detect one telnet 
session from a Brazilian university machine that compromised our sgi 
box.  (Actually they had 3 goes before they succeeded, presumably 
trying different offsets).  

31 Aug 00 21:00:03      tcp   143.107.99.55.4023  <->  130.216.185.206.23    1      1       0         12       sSE
31 Aug 00 20:59:38 d    tcp   143.107.99.55.4024  <->  130.216.185.206.23    16     15      312       226      sSE
31 Aug 00 21:02:00      tcp   143.107.99.55.4024   ->  130.216.185.206.23    2      2       0         0        sSEFC
31 Aug 00 21:03:00 d    tcp   143.107.99.55.4026   ->  130.216.185.206.23    9      10      230       78       sSEFC
31 Aug 00 21:02:07 *    tcp   143.107.99.55.4025  <->  130.216.185.206.23    14     13      260       126      sSEFC

This was followed a few seconds later by telnet sessions from a UK dialup
ISP (who never responded to my complaints, sigh...).

What I am trying to say here is that snort and argus do fundamentally 
different things and should stick to what they do best.  I have come to 
the conclusion, after some thought, that I would rather have two tools 
that each do their particular job well than one which does both jobs 
less well (even if it isn't badly).

Russell.
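As an added illustration of the two traffic patterns the post contrasts (wide probing of POP/IMAP ports versus repeated telnet connections to one host), here is a small parser for the argus record layout shown above, with two defender-side heuristics over it. This is example code written for this page, not part of argus or the post; the sample records are constructed (the telnet lines copy the post's, the 192.0.2.7 scan lines are invented) and the thresholds are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the post: date, time, optional
# flag (d or *), proto, src.port, direction, dst.port, pkts, pkts, bytes, bytes, state.
SAMPLE = """\
31 Aug 00 21:00:03      tcp   143.107.99.55.4023  <->  130.216.185.206.23    1      1       0         12       sSE
31 Aug 00 20:59:38 d    tcp   143.107.99.55.4024  <->  130.216.185.206.23    16     15      312       226      sSE
31 Aug 00 21:02:00      tcp   143.107.99.55.4024   ->  130.216.185.206.23    2      2       0         0        sSEFC
31 Aug 00 21:03:00 d    tcp   143.107.99.55.4026   ->  130.216.185.206.23    9      10      230       78       sSEFC
31 Aug 00 21:02:07 *    tcp   143.107.99.55.4025  <->  130.216.185.206.23    14     13      260       126      sSEFC
31 Aug 00 22:10:01      tcp   192.0.2.7.33001      ->  130.216.1.10.110      1      0       0         0        s
31 Aug 00 22:10:02      tcp   192.0.2.7.33002      ->  130.216.1.11.143      1      0       0         0        s
31 Aug 00 22:10:03      tcp   192.0.2.7.33003      ->  130.216.1.12.110      1      0       0         0        s
"""

REC = re.compile(
    r"^(?P<date>\d{1,2} \w{3} \d{2}) (?P<time>\d\d:\d\d:\d\d)\s+(?P<flag>[d*])?\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+(?P<dir>\S+)\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+)\s+(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+"
    r"(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+(?P<state>\S+)$"
)

def parse(text):
    """Turn argus record lines into dicts; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = REC.match(line.rstrip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "spkts", "dpkts", "sbytes", "dbytes"):
                d[k] = int(d[k])
            recs.append(d)
    return recs

def probing_sources(recs, ports=(110, 143), min_targets=3):
    """Scan pattern: one source touching many distinct hosts on mail ports with no reply."""
    targets = defaultdict(set)
    for r in recs:
        if r["dport"] in ports and r["dpkts"] == 0:
            targets[r["src"]].add(r["dst"])
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}

def repeated_telnet_attempts(recs, min_sessions=3):
    """Retry pattern: the same source opening several telnet sessions to one host."""
    count = defaultdict(int)
    for r in recs:
        if r["dport"] == 23:
            count[(r["src"], r["dst"])] += 1
    return {k: n for k, n in count.items() if n >= min_sessions}
```

Neither heuristic sees inside the session, which is the post's point: the retry count is a hint worth a look, not a verdict, and a single successful session leaves no such trace in argus.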
