argus-clients informal survey

Carter Bullard carter at qosient.com
Thu Jun 21 13:44:26 EDT 2001


Hey Desmond,
   Thanks!!!!  I'm busy writing code, fixing bugs, trying
to answer questions, I really haven't had any time to work
on documentation, and there isn't much coming from the
list, so there is a lot that has been left undone!!!

Any suggestions as to how to tackle this problem?

Are there problems that you have that you think argus
should be able to answer but don't know where to start?

Having a list of problems would be a way to begin the
process of improving/expanding the HOW-TO sections and
may help in defining the kind of applications we need to
write.

Descriptions of how argus helped a site solve a problem
would also be good.

As an example, recently, SpamCop sent email to a site
administrator indicating that a web machine was sending
spam email and they wanted it stopped.  A 15 minute glance
at the site's argus data showed that an outside machine
was connecting to the web server on port 80, and miraculously
a piece of email was sent by the server to an arbitrary
destination address, and when the email TCP connection was
over, the port 80 transaction exited.

The way that I found this was to do a:
   ra -r archivefile - src host webmachine and tcp and dst port 53

That gave me a set of connections, one starting at 12:32:13 and one
starting at 12:35:43.  I then
   ra -r archivefile - host webmachine -t 12:32-12:32:20
   ra -r archivefile - host webmachine -t 12:35:30-12:36

The first returned a set of connections, which had the port 80
connection and the email connection together; the second had
the exact same relationship, and so did the third and the fourth.  Bingo,
an outside machine was exploiting a problem in an HTTP server to
send spam mail.


Is this the type of stuff that would help?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com
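The two-step correlation described above (find the web server's outbound mail flows, then look at everything touching the host in that time window) can be scripted once the flow records are in hand. The example below is added here and is not argus or ra code; it reads a constructed, simplified flow summary (start time, duration, protocol, addresses, ports) rather than ra's actual output format, and the addresses, the `WEB_SERVER` placeholder and the `slack` tolerance are assumptions for illustration.

```python
"""Correlate a web server's outbound SMTP flows with the inbound HTTP
connections that were open at the same moment.

Added example, not argus/ra code. The record layout below is a
constructed, simplified flow summary, not ra's real output format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

WEB_SERVER = "10.0.0.80"  # placeholder address for the web machine (assumption)


@dataclass(frozen=True)
class Flow:
    start: datetime
    duration: timedelta
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int

    @property
    def end(self) -> datetime:
        return self.start + self.duration


# Constructed sample records: "HH:MM:SS,secs,proto,saddr,sport,daddr,dport".
# Two inbound HTTP connections from 198.51.100.7 each bracket an outbound
# SMTP flow from the web server; the other records are ordinary traffic.
SAMPLE_RECORDS = """\
12:30:01,2,tcp,192.0.2.10,51000,10.0.0.80,80
12:32:12,15,tcp,198.51.100.7,44321,10.0.0.80,80
12:32:13,12,tcp,10.0.0.80,40001,203.0.113.25,25
12:33:40,1,tcp,192.0.2.11,51002,10.0.0.80,80
12:35:42,20,tcp,198.51.100.7,44390,10.0.0.80,80
12:35:43,18,tcp,10.0.0.80,40002,203.0.113.99,25
12:40:00,1,udp,10.0.0.80,53111,10.0.0.53,53
"""


def parse_records(text: str, day: str = "2001-06-21") -> list[Flow]:
    """Parse the constructed record format into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hms, secs, proto, saddr, sport, daddr, dport = line.split(",")
        flows.append(Flow(
            start=datetime.fromisoformat(f"{day} {hms}"),
            duration=timedelta(seconds=int(secs)),
            proto=proto, saddr=saddr, sport=int(sport),
            daddr=daddr, dport=int(dport)))
    return flows


def outbound_smtp(flows: list[Flow], host: str = WEB_SERVER) -> list[Flow]:
    """Step 1: mail connections originating from the web server (tcp, dst port 25)."""
    return [f for f in flows if f.proto == "tcp" and f.saddr == host and f.dport == 25]


def inbound_http(flows: list[Flow], host: str = WEB_SERVER) -> list[Flow]:
    """Connections from the outside to the web server's port 80."""
    return [f for f in flows if f.proto == "tcp" and f.daddr == host and f.dport == 80]


def correlate(flows: list[Flow], host: str = WEB_SERVER,
              slack: timedelta = timedelta(seconds=5)) -> list[tuple[Flow, Flow]]:
    """Step 2: for each outbound SMTP flow, return the inbound HTTP flows whose
    lifetime covers the SMTP flow's start time, give or take `slack`."""
    http = inbound_http(flows, host)
    pairs = []
    for mail in outbound_smtp(flows, host):
        for web in http:
            if web.start - slack <= mail.start <= web.end + slack:
                pairs.append((web, mail))
    return pairs


def suspicious_clients(flows: list[Flow], host: str = WEB_SERVER) -> set[str]:
    """Clients whose HTTP connections coincided with outbound mail more than once:
    a single overlap can be coincidence, a repeated one is worth a closer look."""
    counts: dict[str, int] = {}
    for web, _mail in correlate(flows, host):
        counts[web.saddr] = counts.get(web.saddr, 0) + 1
    return {addr for addr, n in counts.items() if n >= 2}


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORDS)
    for web, mail in correlate(flows):
        print(f"{web.start:%H:%M:%S} http from {web.saddr} "
              f"-> {mail.start:%H:%M:%S} smtp to {mail.daddr}")
    print("repeat offenders:", suspicious_clients(flows))
```

The time-window join is the whole trick: the mail flow on its own looks like any other outbound SMTP session, and the HTTP connection on its own looks like any other web hit; only the fact that one consistently sits inside the other, from the same client, points at the web server being driven to send mail.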


> -----Original Message-----
> From: Desmond Irvine [mailto:desmond.irvine at sheridanc.on.ca] 
> Sent: Thursday, June 21, 2001 1:22 PM
> To: Carter Bullard
> Cc: 'argus'
> Subject: Re: argus-clients informal survey
> 
> 
> Carter Bullard wrote:
>  
> <snip> 
> 
> > I'm pretty much of the opinion that the awareness of Argus and its
> > ability to solve real problems for people is where the work needs to
> > be done.  Although we've got QoSient, Debian, and FreeBSD distributing
> > Argus now, we don't have a HUGE following, like I think we could have.
> > Its hard to remember that Argus-2.0 has really only been out for 3
> > months now, but Argus should be getting more attention than it has.
> 
> <snip> 
> 
> > I believe that I need to be doing what is needed to draw
> > more people into Argus, to use it to solve their problems.
> > I think that means more applications, rather than to
> > continue to tweak the data generation itself.
> > 
> > Any opinions?
> 
> As a somewhat newbie Argus user and lurker on the list I'd 
> like to throw in my two cents.  I'm using Argus right now, 
> but only to the bare minimum in that when I have something to 
> investigate I go through my argus logs and look for specific 
> things using ra.  I'd like to go beyond this and do a lot 
> more pro-active monitoring, but I'm not sure where to start.  
> Most of the documents I've seen on the net about using Argus 
> refer to older versions of Argus with different client 
> programs (raservices).  For Argus to become more attractive I 
> personally think there need to be more "cookbook" examples of 
> how to make use of it. 
> Argus gives us an overwhelming amount of data to play with, 
> but there don't seem to be a lot of real world examples 
> available of what can be done with it.
> 
> Desmond.
> 
> -- 
> Desmond Irvine                Security Analyst, Information Technology
> Sheridan College              Phone: 905-845-9430 x2035
> 1430 Trafalgar Road           Fax: 905-815-4011
> Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
> 


