Preliminary release of my perl scripts for argus-2.0
Carter Bullard
carter at qosient.com
Mon Jan 8 22:54:47 EST 2001
Hey Russell,
Got it. I'm going to make an independent directory
for this stuff so you can manage at your leisure, and
when we get the CVS server on the argus web site,
you can manage the code from there.
I'll take a look tomorrow afternoon, to install, run
etc.... and I'll send comments.
Thanks greatly!!!!!
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 813-9426
Fax +1 212 813-9426
-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
Sent: Monday, January 08, 2001 10:41 PM
To: Argus (E-mail)
Subject: Preliminary release of my perl scripts for argus-2.0
On Mon, 8 Jan 2001 15:05:25 -0500 Carter Bullard <carter at qosient.com>
wrote:
>
> If anyone has any code that they would like included
> in the release, please get that to me this week.
>
OK, the time has come to bite the bullet. Here are my perl scripts and
support modules in the uuencoded inclusion. These scripts are still
under active development as I find out more about new features in
Argus 2.0, so I hope there will be some mechanism for updating them in
the distribution independent of argus releases.
Both the major scripts (watcher and scan_watch) have had major work
done on them in the last few weeks so treat them with caution. Watcher
had a few lines of code added today to track fragments, this is work in
progress.
The look_for script takes a supplied filter and runs ra with the filter
over archived data; you can specify dates to start and finish, or you
can specify things like today, yesterday, thisweek, lastweek etc.
The scan detection scripts
Why have two scripts for detecting scans? Well partly belts and braces
but mostly because this is an ongoing research project and the two
scripts use somewhat different strategies to detect scans.
Watcher is a 'real time' script that watches output from a live server;
scan_watch is an overnight job that processes a day's logs in one go.
It maintains records of activity for a long time (up to 7 days by
default) and thus is capable of spotting very slow scans (I regularly
find scans with below 10 probes per day -- there are currently about
80 probing udp-137). Over the last two weeks I have added udp scan
detection. This is a mixed blessing because there are so many machines
infected by worms that scan on port udp-137. These scans are typically
about 10 probes per day but the sheer number of them tends to overwhelm
everything else. You can stop it looking at udp by altering the ra
filter to ignore udp.
These scripts have been tuned over the last two years to our network
traffic volumes; if you put them on a very busy network you will have
to tweak the parameters to get the resource usage and sensitivity
appropriate. I suspect that scan_watch will not work for those of you
who have OC3s, it will simply consume too much memory, but then you may
have machines with much more memory than I have.
The distribution has two directories: bin and lib, bin has the
executable scripts and lib has the perl modules. I have tried to move
all site specific configuration out into the module files:
Argus.pm, Argus/Watcher.pm and Argus/Slowscan.pm
I hope that others will adopt this scheme and convert your perl scripts
to use this scheme and, of course, add them to the contrib distribution.
One thing that made me reluctant in the past to distribute my code was
that a good deal of it is necessarily site specific, particularly
anything that accesses archived data. I have attempted to deal with
this problem (see Argus::Archive below).
Argus.pm contains all the generic site specific information (what your
local IP addresses are, where your usual argus server is, etc.)
Argus/Watcher.pm has additional configuration information for watcher and
Argus/Slowscan.pm has stuff for scan_watch (you have noticed I can't
decide whether to call it slowscan or scanwatch ;-)
Both scan_watch and look_for read archived argus data and they do this
by calling module Argus/Archive.pm. The idea is that you will need to
modify this module to match the layout of your own archive.
There is also Argus/Support.pm, which contains a lot of code that is
common to the two major scripts. Much of this code is to do with
formatting long lists of IP addresses and port numbers.
The scripts use a few CPAN modules:
use Date::Manip; # handles dates and times
use Net::SMTP; # so we can mail reports -- this is part of libnet
# bundle which is installed by default on many systems
use Data::Dumper; # store data structures to disk
I am not aware of any perl version dependencies -- should run with any
reasonably recent version of perl 5.
I think that about wraps it up. There are bound to be details I have
forgotten, so if you have any problems drop me a line. I will be away
from work for the rest of the week (on babysitting duty -- if you can
describe keeping a bored 12-year-old out of mischief during school
holidays as babysitting ;-). I will be checking my mail at least once a day
but don't expect lightning response.
As always comments (positive and negative) welcome. I particularly
want to know what needs to be better documented. I would also like
suggestions on how to automatically set things like the bin dir for ra
and lib directory. Could this be done via make install or configure?
I would put "enjoy" but I see that a certain large US multinational has
now adopted this as their main marketing slogan. I would not like to
give the impression that I support such cultural imperialism ;-) ;-)
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand