Does argus record the IP ID field?

Chris Newton newton at unb.ca
Thu Apr 26 12:58:11 EDT 2001


Along this line, I wonder if there is a way to add some other bits of info to 
argus.  Specifically.. do you think it is possible for argus to report on 
traffic 'strangeness'?  By that I mean, say a flow has started normally, 
nothing to raise concern... but, during the flow 1 of the packets has illegal 
tcp options set, or the TTL has changed (on that 1 packet), or it is 
fragmented when others in the flow were not (I presume that in 1 given flow, 
that if packets a, b, c are not fragmented, but d is, then e, f, g and h are 
not again, that this would be strange, no?).  What I am getting at is this...  
signalling possible insertion and evasion techniques used by hackers to get 
past intrusion detection systems.  There is lots of weirdness tracked by argus 
now... I'm wondering if it can be extended...   I think it wouldn't be hard, 
but... I didn't write the code :).  I figure, since we are seeing all the 
packets in a flow now anyways, we can tag the ones that are weird (like 
the examples above) pretty easily.


>===== Original Message From <carter at qosient.com> =====
>Hey Russell,
>   For all IP flows we track the ip_id, but we only report it
>currently for some ICMP flows and fragmentOnly flows.
>
>   Adding it is not a problem at all.  There is a place for
>one ip_id in the basic IP flow descriptor.  But that would
>be only one ip_id.  In this case we could report the last src
>or dst ip_id or just the last ip_id seen on the flow, (either
>src or dst).
>
>   If you want the ip_id for both directions, I only have
>to make a small change to the FlowAttributes data structure.
>This will generate a version issue, but I can handle that
>without any trouble.  In this case would you want the
>last ip_id seen or the first one seen for the period?
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York  10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax   +1 212 588-9134
>http://qosient.com
>
>> -----Original Message-----
>> From: owner-argus-info at lists.andrew.cmu.edu
>> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell
>> Fulton
>> Sent: Wednesday, April 25, 2001 9:16 PM
>> To: Argus (E-mail)
>> Subject: Does argus record the IP ID field?
>>
>>
>> Subject says it all.  I am tracking some weird traffic, one of the
>> characteristics is that all packets from several different
>> sources have
>> the same IP ID.  I have been capturing samples using tcpdump and I am
>> now going back through my archived data to see when this started.
>> Having the ID would help positively identify the traffic.
>>
>> Cheers, Russell
>>
>>

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
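As an added illustration of the per-flow tagging idea in Chris's message and of the shared-IP-ID pattern Russell described (this is example code written for this archive page, not argus code or anything from QoSient), the script below walks a list of constructed packet records, groups them into bidirectional flows, and tags a packet when its TTL differs from the first TTL seen in that direction, when it is fragmented in a flow that was not, or when its TCP option list is malformed. It also reports any IP ID value that turns up from more than one source address. The `Packet` fields, the flow key and the sample records are all assumptions made for the example; real argus records carry different attributes.

```python
"""Per-flow anomaly tagging over constructed packet records (example, not argus)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    # Hypothetical record layout; a real capture would be decoded from pcap.
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ttl: int
    ip_id: int
    fragmented: bool
    tcp_options: bytes = b""


@dataclass
class FlowState:
    # TTL baseline per sending host: the two ends of a flow sit different hop
    # counts away, so the reverse direction naturally has its own TTL.
    ttl_by_src: dict = field(default_factory=dict)
    unfragmented_seen: bool = False


def flow_key(p):
    """Direction-agnostic 5-tuple so both halves of a conversation share one flow."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def tcp_options_valid(opts):
    """Walk the TCP option list (RFC 793 layout): kind 0 ends the list, kind 1 is a
    one-byte NOP, every other kind carries a length byte that must be >= 2 and
    must not run past the end of the option area."""
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == 0:
            return True
        if kind == 1:
            i += 1
            continue
        if i + 1 >= n:
            return False
        length = opts[i + 1]
        if length < 2 or i + length > n:
            return False
        i += length
    return True


def tag_anomalies(packets):
    """Return (events, reused_ip_ids).

    events: list of (packet index, tag) for packets that look wrong in context.
    reused_ip_ids: {ip_id: [source addresses]} for IDs seen from several sources."""
    flows = {}
    ipid_sources = defaultdict(set)
    events = []
    for idx, p in enumerate(packets):
        st = flows.setdefault(flow_key(p), FlowState())
        base = st.ttl_by_src.setdefault(p.src, p.ttl)
        if p.ttl != base:
            events.append((idx, "ttl_change"))
        if p.fragmented and st.unfragmented_seen:
            events.append((idx, "fragment_in_unfragmented_flow"))
        if not p.fragmented:
            st.unfragmented_seen = True
        if p.proto == "tcp" and not tcp_options_valid(p.tcp_options):
            events.append((idx, "bad_tcp_options"))
        # ip_id 0 is legitimately reused by stacks that send DF packets, so skip it.
        if p.ip_id != 0:
            ipid_sources[p.ip_id].add(p.src)
    reused = {i: sorted(s) for i, s in ipid_sources.items() if len(s) > 1}
    return events, reused


# Constructed sample traffic (addresses from documentation ranges, not real hosts).
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, 64, 1001, False, b"\x02\x04\x05\xb4\x01\x01"),
    Packet("192.0.2.10", "10.0.0.5", "tcp", 80, 40000, 52, 7000, False, b"\x02\x04\x05\xb4"),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, 64, 1002, False, b"\x01\x01"),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, 61, 1003, False, b"\x01\x01"),   # TTL differs
    Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, 64, 1004, True, b""),            # lone fragment
    Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, 64, 1005, False, b"\x02\x04"),   # truncated MSS option
    Packet("198.51.100.1", "192.0.2.10", "tcp", 1234, 80, 240, 0x3B2F, False, b""),
    Packet("198.51.100.2", "192.0.2.10", "tcp", 1234, 80, 240, 0x3B2F, False, b""),
    Packet("198.51.100.3", "192.0.2.10", "tcp", 1234, 80, 240, 0x3B2F, False, b""),
]

if __name__ == "__main__":
    ev, reused = tag_anomalies(SAMPLE)
    for idx, tag in ev:
        print(f"packet {idx}: {tag}")
    for ip_id, srcs in reused.items():
        print(f"ip_id {ip_id:#06x} seen from {len(srcs)} sources: {', '.join(srcs)}")
```

The TTL check compares against the first value seen in each direction rather than the previous packet, so a single odd packet produces one tag instead of two; a longer-lived tracker would also want to age flows out and to treat IP ID 0 and per-packet randomised IDs as expected rather than suspicious.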


