User data

Russell Fulton r.fulton at auckland.ac.nz
Wed Feb 28 20:02:30 EST 2001


I have been playing with collecting user data with argus and have a few 
comments, a problem and a question:

The userdata features don't appear to be documented in the argus.8 
manpage or the usage summary.  I had to look at the source to figure 
out which flag to use.

I had problems specifying a filter until I specified -d (daemon mode):

bash-2.04$ sudo bin/argus_bpf -U200  -i sis0 -w data/telnet -d  dst net 130.216 and dst port 23
argus_bpf[41033]: started

bash-2.04$ sudo bin/argus_bpf -U200  -i sis0 -w data/telnet2 dst net 130.216 and dst port 23
ArgusInitClientProcess: client expression: syntax error

This probably isn't related to userdata.

and the query:

I am toying with the idea of snooping all telnet and ftp (control) 
sessions and piping the data straight to a process which pulls the user 
name from the user data and saves it with timestamp and addresses.  We 
have had several compromises where attackers have apparently simply 
telnetted to the victim with no evidence of previous breakin (in one 
case I went back through several months of argus logs looking for 
evidence) so it would be nice to know which account was abused.

Anyway, to the problem.  Ftp works fine but does anyone know how much 
data one has to grab to get past the setup negotiations?  200 
chars isn't enough.  

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


