Preliminary release of my perl scripts for argus-2.0

Carter Bullard carter at qosient.com
Wed Jan 17 09:42:29 EST 2001


Hey Russell,
   Sorry for the delay in looking at your stuff %^o

OK for specifics in getting your package to run.  There
are some modules that a plain perl5 Linux installation
will need, DateManip and libnet-1.0703.  Seems that RH 7.0
doesn't have all the libnet modules installed.  These two
will complete the perl5 modules that are needed.

After that running the scripts plain out of the box generates
errors for look_for and watcher.  scan_watch is well behaved
but of course generates no output.

   I'm getting this when I run 'look_for' on one of my data
directories.  I haven't dived into the Argus::Archive library
but it seems to be a problem there.  My data directory is
not the same format as yours, so consider this just simple
runtime testing.

% ./look_for -D ~argus/data
defined(@array) is deprecated at ./look_for line 50.
	(Maybe you should just omit the defined()?)
Use of uninitialized value in string at ./look_for line 51.
Died at ./look_for line 51.

   Watcher () is having a bunch of problems, mostly because
of the paths in Argus.pm.

   We'll need to come to some consensus as to what we want
these entries to be, such as variable names, location of
scripts and the like.  None of these are problems, we just need
to come to agreement.

    For instance, could we use the $ARGUSHOME environment
variable for some of this?  That way we get people to actually
set the variable and take advantage of the features.  Also,
can we use $ARGUSPATH, for some of the path issues in some
of your perl scripts?  argus and ra look for these environment
variables, so we can put them in the documentation and start
to rely on them.  That may solve some problems.

   Scan_watch is looking for archive files in a particular format.
I have a script, mvargusdata.sh, in the ./examples/bin directory
that generates archive files with a different naming scheme
than yours.  It would be nice if we could be consistent between
tools.  The script generates an archive file structure with
this name convention:

    yyyy/mm/dd/argus.yyyy.mm.dd.hh.mm.ss.gz

It would be great if we had some consistency between tools.
I can change mine, no problem.
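As an added illustration (not code from mvargusdata.sh or Russell's Argus::Archive), a few Perl helpers that build and parse names in this convention and pick the files covering a date range, which is the query look_for needs from an archive module; the UTC assumption and the /home/argus/data root are mine.

```perl
# Added example, not from mvargusdata.sh or Argus::Archive: helpers for the
# yyyy/mm/dd/argus.yyyy.mm.dd.hh.mm.ss.gz layout. Timestamps are assumed to
# be UTC; the real script may well use local time.
use strict;
use warnings;
use Time::Local qw(timegm);

# Path of the archive file whose records start at epoch $t, under $root.
sub archive_path_for {
    my ($root, $t) = @_;
    my ($s, $mi, $h, $d, $mo, $y) = (gmtime $t)[0 .. 5];
    return sprintf '%s/%04d/%02d/%02d/argus.%04d.%02d.%02d.%02d.%02d.%02d.gz',
        $root, $y + 1900, $mo + 1, $d, $y + 1900, $mo + 1, $d, $h, $mi, $s;
}

# Epoch time encoded in an archive path, or undef when the name does not
# follow the convention, so a stray file is skipped instead of killing the
# run with an uninitialized value (compare the look_for failure above).
sub archive_time_of {
    my ($path) = @_;
    my @f = $path =~ m{/argus\.(\d{4})\.(\d{2})\.(\d{2})\.(\d{2})\.(\d{2})\.(\d{2})\.gz\z}
        or return undef;
    my ($y, $mo, $d, $h, $mi, $s) = @f;
    return timegm($s, $mi, $h, $d, $mo - 1, $y);
}

# Archive files (e.g. gathered with File::Find) whose time lies within
# [$start, $end], oldest first: the query a look_for style date range needs.
sub select_archives {
    my ($start, $end, @paths) = @_;
    my %when;
    for my $p (@paths) {
        my $t = archive_time_of($p);
        $when{$p} = $t if defined $t && $t >= $start && $t <= $end;
    }
    return sort { $when{$a} <=> $when{$b} } keys %when;
}

unless (caller) {
    my $root  = '/home/argus/data';           # assumed archive root
    my $start = timegm(0, 0, 0, 16, 0, 2001); # 2001-01-16 00:00:00 UTC
    # Constructed names: one file per hour for six hours, plus a stray file.
    my @files = map { archive_path_for($root, $start + $_ * 3600) } 0 .. 5;
    push @files, "$root/2001/01/16/README";
    print "$_\n" for select_archives($start, $start + 2 * 3600, @files);
}
```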

More notes to come!!!

Carter

Best Regards,

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426


> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Carter Bullard
> Sent: Monday, January 08, 2001 10:55 PM
> To: Russell Fulton; Argus (E-mail)
> Subject: RE: Preliminary release of my perl scripts for argus-2.0
> 
> 
> Hey Russell,
>    Got it.  I'm going to make an independent directory
> for this stuff so you can manage at your leisure, and
> when we get the CVS server on the argus web site,
> you can manage the code from there.
> 
>    I'll take a look tomorrow afternoon, to install, run
> etc.... and I'll send comments.
> 
> Thanks greatly!!!!!
> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York  10022
> 
> carter at qosient.com
> Phone +1 212 813-9426
> Fax   +1 212 813-9426
> 
> 
> 
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
> Sent: Monday, January 08, 2001 10:41 PM
> To: Argus (E-mail)
> Subject: Preliminary release of my perl scripts for argus-2.0
> 
> 
> 
> On Mon, 8 Jan 2001 15:05:25 -0500 Carter Bullard <carter at qosient.com> 
> wrote:
> 
> > 
> > If anyone has any code that they would like included
> > in the release, please get that to me this week.
> > 
> 
> OK the time has come to byte the bullet.  Here are my perl scripts and
> support modules in the uuencoded inclusion.  These scripts are still
> under active development as I find out more about new features in
> Argus 2.0 so I hope there will be some mechanism for updating them in
> the distribution independent of argus releases.
> 
> Both the major scripts (watcher and scan_watch) have had major work
> done on them in the last few weeks so treat them with caution.  Watcher
> had a few lines of code added today to track fragments, this is work in
> progress.
> 
> Look_for script takes a supplied filter and runs ra with the filter 
> over archived data, you can specify dates to start and finish or you 
> can specify things like today, yesterday, thisweek, lastweek etc.
> 
> The scan detection scripts.
> 
> Why have two scripts for detecting scans?  Well partly belts 
> and braces 
> but mostly because this is an ongoing research project and the two 
> scripts use somewhat different strategies to detect scans.
> 
> Watcher is a 'real time' script that watches output from a live server,
> scan_watch is an overnight job that processes a day's logs in one go.
> It maintains records of activity for a long time (up to 7 days by
> default) and thus is capable of spotting very slow scans (I regularly
> find scans with below 10 probes per day -- there are currently about
> 80 probing udp-137).  Over the last two weeks I have added udp scan
> detection.  This is a mixed blessing because there are so many machines
> infected by worms that scan on port udp-137.  These scans are typically
> about 10 probes per day but the sheer number of them tends to overwhelm
> everything else.  You can stop it looking at udp by altering the ra
> filter to ignore udp.
> 
> These scripts have been tuned over the last two years to our network
> traffic volumes, if you put them on a very busy network you will have
> to tweak the parameters to get the resource usage and sensitivity
> appropriate.  I suspect that scan-watch will not work for those of you
> who have OC3s, it will simply consume too much memory, but then you may
> have machines with much more memory than I have.
> 
> The distribution has two directories: bin and lib,  bin has the
> executable scripts and lib has the perl modules.  I have tried to move
> all site specific configuration out into the module files:
> Argus.pm Argus/Watcher.pm and Argus/Slowscan.pm
> 
> I hope that others will adopt this scheme and convert your perl scripts
> to use this scheme and, of course, add them to the contrib distribution.
> One thing that made me reluctant in the past to distribute my code was
> that a good deal of it is necessarily site specific, particularly
> anything that accesses archived data.  I have attempted to deal with
> this problem (see Argus::Archive below).
> 
> Argus.pm contains all the generic site specific information (what your
> local IP addresses are, where is your usual argus server, etc.)
> 
> Argus/Watcher.pm has additional configuration information for watcher and
> Argus/Slowscan.pm has stuff for scan_watch (you have noticed I can't
> decide whether to call it slowscan or scanwatch ;-)
> 
> Both scan_watch and look_for read archived argus data and they do this
> by calling module Argus/Archive.pm.  The idea is that you will need to
> modify this module to match the layout of your own archive.
> 
> There is also Argus/Support.pm which contains a lot of code that is 
> common to the two major scripts.  Much of this code is to do with 
> formatting long lists of IP addresses and port numbers.
> 
> The scripts use a few CPAN modules:
> 
> use Date::Manip;  # handles dates and times
> use Net::SMTP;    # so we can mail reports -- this is part of the libnet
>                   # bundle which is installed by default on many systems
> use Data::Dumper; # store data structures to disk
> 
> I am not aware of any perl version dependencies -- should run with any
> reasonably recent version of perl 5.
> 
> I think that about wraps it up.  There are bound to be details I have
> forgotten so if you have any problems drop me a line.  I will be away
> from work for the rest of the week (on babysitting duty -- if you can
> describe keeping a bored 12 year old out of mischief during school
> holidays babysitting ;-) I will be checking my mail at least once a day
> but don't expect lightning response.
> 
> As always comments (positive and negative) welcome.  I particularly
> want to know what needs to be better documented.  I would also like
> suggestions on how to automatically set things like the bin dir for ra
> and lib directory.  Could this be done via make install or configure?
> 
> I would put "enjoy" but I see that a certain large US multinational has
> now adopted this as their main marketing slogan.  I would not like to
> give the impression that I support such cultural imperialism ;-) ;-)
> 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> 
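Russell's description of scan_watch above (history kept for up to 7 days, slow scans judged by how many hosts a source has touched rather than by probes per day) as a minimal Perl sketch; this is an added example, not his code, and the record format, addresses and thresholds are constructed.

```perl
# Added example, not Russell's scan_watch: the slow-scan idea above, i.e.
# keep each source's history for 7 days and judge by distinct hosts probed.
use strict; use warnings;
my $RETAIN_DAYS = 7;  # history window, scan_watch's default
my $MIN_TARGETS = 8;  # distinct destinations on one port before reporting
# Constructed records (epoch, proto, src, dst, dport), a simplified form and
# not ra's real output: 10.0.0.9 probes two new hosts a day on udp/137 for
# five days (far below 10 probes/day); 10.0.0.4 talks to one server daily.
my @records;
for my $day (0 .. 4) {
    push @records,
        [86400 * $day + 100, 'udp', '10.0.0.9', '192.168.1.' . (2 * $day + 1), 137],
        [86400 * $day + 200, 'udp', '10.0.0.9', '192.168.1.' . (2 * $day + 2), 137],
        [86400 * $day + 300, 'udp', '10.0.0.4', '192.168.1.1', 137];
}
# $hist{src}{"proto/dport"}{dst} = epoch of the most recent probe seen.
my %hist;
for my $r (@records) {
    my ($t, $proto, $src, $dst, $dport) = @$r;
    $hist{$src}{"$proto/$dport"}{$dst} = $t;
}
# Drop targets not seen inside the retention window, then emptied services
# and sources, so memory stays bounded on a job that runs every night.
sub expire {
    my ($hist, $now) = @_;
    my $cutoff = $now - $RETAIN_DAYS * 86400;
    for my $src (keys %$hist) {
        for my $svc (keys %{ $hist->{$src} }) {
            my $dsts = $hist->{$src}{$svc};
            delete $dsts->{$_} for grep { $dsts->{$_} < $cutoff } keys %$dsts;
            delete $hist->{$src}{$svc} unless %$dsts;
        }
        delete $hist->{$src} unless %{ $hist->{$src} };
    }
}
# [src, service, distinct target count] for every source over threshold.
sub suspects {
    my ($hist) = @_;
    my @out;
    for my $src (sort keys %$hist) {
        for my $svc (sort keys %{ $hist->{$src} }) {
            my $n = keys %{ $hist->{$src}{$svc} };
            push @out, [$src, $svc, $n] if $n >= $MIN_TARGETS;
        }
    }
    return @out;
}
expire(\%hist, 86400 * 5);   # "now" is the end of day five
printf "%s on %s: %d distinct hosts within %d days\n", @$_, $RETAIN_DAYS
    for suspects(\%hist);
```

Only 10.0.0.9 is reported, with 10 distinct hosts, even though it never exceeded two probes a day; the busy but single-target 10.0.0.4 is ignored.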