User data
Carter Bullard
carter at qosient.com
Wed Feb 28 21:27:38 EST 2001
Hey Russell,
The argus.conf file is where all the documentation for
the -U option is/has been. This will change tonight.
With regard to your filter problem, you forgot that
the -w option also takes a filter, so the filter error
you got was with the -w option, not the terminating
filter. In order to tell argus that the -w doesn't
have a filter you need to put a '-', if you want
the filter to apply to the -w option, then you need to
put it in '"' quotes. Yeah, it has gotten complicated.
So if you want to filter the incoming packets your
expression should be:
argus -i sis0 -w data/telnet2 - dst net 130.216 and dst port 23
if you want to get all the packets, but just write out the
specific records.
argus -i sis0 -w data/telnet2 "dst net 130.216 and dst port 23"
With the -U option, there is a limit as to how much
data you can collect, and that's around 496 bytes
in each direction. There will be a hard limit imposed
on input in the final version, but it's not there right now.
If we want more sophisticated -U processing, then it will be
in 2.0.1.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
> Sent: Wednesday, February 28, 2001 8:03 PM
> To: Argus (E-mail)
> Subject: User data
>
>
> I have been playing with collecting user data with argus and
> have a few
> comments, a problem and a question:
>
> The userdata features don't appear to be documented in the argus.8
> manpage or the usage summary. I had to look at the source to figure
> out which flag to use.
>
> I had problems specifying a filter until I specified -d (daemon mode):
>
> bash-2.04$ sudo bin/argus_bpf -U200 -i sis0 -w data/telnet
> -d dst net 130.216 and dst port 23
> argus_bpf[41033]: started
>
> bash-2.04$ sudo bin/argus_bpf -U200 -i sis0 -w data/telnet2
> dst net 130.216 and dst port 23
> ArgusInitClientProcess: client expression: syntax error
>
> This probably isn't related to userdata.
>
> and the query:
>
> I am toying with the idea of snooping all telnet and ftp (control)
> sessions and piping the data straight to a process which
> pulls the user
> name from the user data and saves it with timestamp and
> addresses. We
> have had several compromises where attackers have apparently simply
> telnetted to the victim with no evidence of previous breakin (in one
> case I went back through several months of argus logs looking for
> evidence) so it would be nice to know which account was abused.
>
> Anyway, to the problem. Ftp works fine but does anyone know how much
> data one has to grab to get past the setup negotiations? 200
> chars isn't enough.
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
>
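An added example, not from this thread or from the argus project, of the extraction step Russell describes: given the client-to-server user data that argus captures with -U, strip the telnet option negotiation (IAC sequences) and read the first line as the account name. The sample bytes are constructed, and the code assumes argus hands over the raw TCP payload bytes; the count of negotiation bytes it returns also shows how much of a small -U budget a telnet client spends before the login name appears.

```python
import re
from typing import Optional, Tuple

# Telnet protocol constants (RFC 854): all commands start with IAC.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_negotiation(data: bytes) -> Tuple[bytes, int]:
    """Return (application bytes, number of negotiation bytes removed).

    Handles the three IAC shapes: IAC <cmd> <opt> for WILL/WONT/DO/DONT,
    IAC SB ... IAC SE subnegotiation (with IAC IAC escapes inside),
    and two-byte commands. A capture truncated mid-sequence is tolerated.
    """
    out, consumed, i, n = bytearray(), 0, 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i]); i += 1; continue
        if i + 1 >= n:                      # lone IAC at end of capture
            consumed += 1; break
        cmd = data[i + 1]
        if cmd == IAC:                      # escaped literal 0xff
            out.append(IAC); consumed += 1; i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            step = min(3, n - i)            # clamp if the capture ends early
            consumed += step; i += step
        elif cmd == SB:
            j = i + 2
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1
            j = min(j + 2, n)
            consumed += j - i; i = j
        else:                               # NOP, DM, BRK, ... (two bytes)
            consumed += 2; i += 2
    return bytes(out), consumed


def extract_login(client_data: bytes) -> Optional[str]:
    """First complete line typed by the client, i.e. the login name.

    Returns None when the capture ends before a line terminator, which is
    what an exhausted -U budget looks like. The password line is ignored.
    """
    app, _ = strip_telnet_negotiation(client_data)
    m = re.match(rb"([^\r\n\x00]*)[\r\n]", app)
    return m.group(1).decode("latin-1") if m else None


# Constructed sample: typical client option negotiation, then login and password.
SAMPLE_CLIENT_DATA = (
    bytes([IAC, DO, 3, IAC, WILL, 24])
    + bytes([IAC, SB, 24, 0]) + b"XTERM" + bytes([IAC, SE])
    + bytes([IAC, WILL, 31])
    + bytes([IAC, SB, 31, 0, 80, 0, 24, IAC, SE])
    + b"alice\r\nsecret\r\n"
)
```

Run against the per-direction user data argus records and keep only the returned name with the flow's timestamp and addresses, never the stripped payload, since the second line is the password.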