Does argus record the IP ID field?

Carter Bullard carter at qosient.com
Thu Apr 26 16:45:18 EDT 2001
Hey Chris,
For your specific question about fragments, no, one packet
out of 1,000 being fragmented is not common but it definitely
is not strange.  You are on the right track though, in that most
applications/systems do the same thing a lot of the time,
and if you know this, then you can decide if there is
"strangeness" or not.

I think that there are a number of things that we can do that
we aren't doing now.  For instance, we are not specifically
looking for TCP hijack attempts, but we do have the information
needed to detect, say, an ARP hijack attempt.  In this case,
argus doesn't have to make the decision, but it does have to
report all the needed data.

I think the way to approach your idea is to come up with a
difficult detection situation, and try to see if we can't solve it
with argus, making the appropriate changes along the way.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Chris Newton
> Sent: Thursday, April 26, 2001 12:58 PM
> To: Argus (E-mail); Carter Bullard; Russell Fulton
> Subject: RE: Does argus record the IP ID field?
>
>
> Along this line, I wonder if there is a way to add some other
> bits of info to argus.  Specifically.. do you think it is possible
> for argus to report on traffic 'strangeness'?  By that I mean, say a
> flow has started normally, nothing to raise concern... but, during
> the flow 1 of the packets has illegal tcp options set, or the TTL
> has changed (on that 1 packet), or it is fragmented when others in
> the flow were not (I presume that in 1 given flow, that if packets
> a, b, c are not fragmented, but d is, then e, f, g and h are not
> again, that this would be strange, no?).  What I am
>
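The per-flow "strangeness" Chris describes above (a TTL that changes part-way through a flow, or a lone fragment in a flow whose other packets are not fragmented) is easy to express as a detector over a packet stream. The following is an added illustration, not argus code and not anything Carter or Chris posted: it keys packets by a directional 5-tuple (TTL legitimately differs between the two directions of a connection), records the first-seen TTL as the flow's baseline, and flags any later packet that breaks the pattern. The Packet record, the MIN_UNFRAGMENTED threshold of 3 (taken from the "a, b, c ... then d" wording) and the sample packets are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, minimal per-packet record; a real collector would fill it
# from the IP header (TTL, MF flag / fragment offset) and transport ports.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ttl: int
    fragmented: bool  # True when MF is set or the fragment offset is non-zero

FlowKey = Tuple[str, str, int, int, str]

# How many unfragmented packets must precede a fragment before the fragment
# counts as "strange" (the a, b, c then d case in the quoted message).
MIN_UNFRAGMENTED = 3


def flow_key(p: Packet) -> FlowKey:
    # Directional key: do not merge the two halves of a connection, because
    # each side has its own hop count and therefore its own normal TTL.
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def find_strangeness(packets: List[Packet]) -> List[Tuple[FlowKey, int, str]]:
    """Return (flow, packet_index, reason) for every packet that departs from
    the pattern established earlier in the same directional flow."""
    baseline_ttl: Dict[FlowKey, int] = {}
    seen: Dict[FlowKey, int] = defaultdict(int)       # packets seen per flow
    frag_seen: Dict[FlowKey, int] = defaultdict(int)  # fragments seen per flow
    findings: List[Tuple[FlowKey, int, str]] = []

    for i, p in enumerate(packets):
        k = flow_key(p)
        n = seen[k]
        if n == 0:
            # First packet of the flow sets the baseline; nothing to compare yet.
            baseline_ttl[k] = p.ttl
        else:
            if p.ttl != baseline_ttl[k]:
                findings.append((k, i, f"ttl changed {baseline_ttl[k]} -> {p.ttl}"))
            if p.fragmented and frag_seen[k] == 0 and n >= MIN_UNFRAGMENTED:
                findings.append((k, i, f"first fragment after {n} unfragmented packets"))
        seen[k] += 1
        if p.fragmented:
            frag_seen[k] += 1
    return findings


def constructed_sample() -> List[Packet]:
    """Constructed traffic: one TCP connection, client->server with TTL 64 and
    server->client with TTL 128. Packet 5 is an isolated fragment and packet 8
    arrives with TTL 60; every other packet matches its flow's baseline."""
    def c2s(ttl: int = 64, frag: bool = False) -> Packet:
        return Packet("10.0.0.5", "10.0.0.9", 40000, 80, "tcp", ttl, frag)

    def s2c(ttl: int = 128, frag: bool = False) -> Packet:
        return Packet("10.0.0.9", "10.0.0.5", 80, 40000, "tcp", ttl, frag)

    return [c2s(), s2c(), c2s(), s2c(), c2s(), c2s(frag=True),
            s2c(), c2s(), c2s(ttl=60), s2c(), c2s()]


if __name__ == "__main__":
    for flow, idx, why in find_strangeness(constructed_sample()):
        print(f"packet {idx} in {flow}: {why}")
```

Both checks are stateful per flow, which is the point Carter makes about the sensor's job: argus does not have to decide what is hostile, but it has to carry enough per-packet detail (here TTL and the fragment flags) for a downstream rule like this one to notice when a single packet stops matching the rest of its flow.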
