argus-clients informal survey

Desmond Irvine desmond.irvine at sheridanc.on.ca
Thu Jun 21 15:40:40 EDT 2001


Carter Bullard wrote:
> 
> Hey Desmond,
>    Thanks!!!!  I'm busy writing code, fixing bugs, trying
> to answer questions, I really haven't had any time to work
> on documentation, and there isn't much coming from the
> list, so there is a lot that has been left undone!!!
> 
> Any suggestions as to how to tackle this problem?

Unfortunately, no.
 
> Are there problems that you have that you think argus
> should be able to answer but don't know where to start?
> 
> Having a list of problems would be a way to begin the
> process of improving/expanding the HOW-TO sections and
> may help in defining the kind of applications we need to
> write.

Some of what I want may very well be possible with the existing code and
some of it may require new code.  Off the top of my head I'd like to see
things like service profiles (lists of services used and provided by a
machine), the ability to do what-if scenarios to see how Cisco-like
ACLs would affect the stored traffic flows, traffic summaries (what
activity a machine did in summary form - i.e. I don't want to see each
connection it made to another machine on port 80, but rather a summary
listing saying it made 23 connections to port 80 on the other machine),
the ability to list machines that initiated connections to a
configurable threshold of local machines, the ability to list machines
that attempted to connect to every machine on any subnet, the ability to
list machines that connected to a large number of ports (configurable)
on any one machine.  A lot of this can be accomplished by manipulating
the data Argus collects externally via perl, sql, whatever and maybe
that's where it should be done.

What I'm most curious about is how other list members are making use of
Argus.  I know Russell Fulton has some perl scripts which try to
identify scans (and may do other things - I haven't found the time to
look at them yet).  It would be interesting to find out what everyone
else has been doing with Argus and what home grown tools / processes
they have developed.

> Also getting descriptions of how argus helped a site solve
> a problem would also be good.
> 
> As an example, recently, SpamCop sent email to a site
> administrator indicating that a web machine was sending
> spam email and they wanted it stopped.  A 15 minute glance
> at the site's argus data showed that an outside machine
> was connecting to the web server on port 80, and miraculously
> a piece of email was sent by the server to an arbitrary
> destination address, and when the email TCP connection was
> over, the port 80 transaction exited.
> 
> The way that I found this was to do a:
>    ra -r archivefile - src host webmachine and tcp and dst port 53
> 
> That gave me a set of connections, one starting at 12:32:13 and one
> starting at 12:35:43.  I then
>    ra -r archivefile - host webmachine -t 12:32-12:32:20
>    ra -r archivefile - host webmachine -t 12:35:30-12:36
> 
> The first returned a set of connections, which had both the port 80
> connection and the email connection both together, the second had
> the exact same relationship, and the third and the fourth.  Bingo,
> an outside machine was exploiting a problem in an HTTP server to
> send spam mail.
> 
> Is this the type of stuff that would help?
 
This is exactly the type of thing that I'm sure people would find
useful.  In my case I use Argus heavily to do post-mortem investigations
of compromised machines to see who has visited the machine especially
when they have erased the local logs.  Once I've determined the
machine(s) that were involved I can follow their path to see what other
local machines they have visited and possibly compromised.

Desmond.

-- 
Desmond Irvine                Security Analyst, Information Technology
Sheridan College              Phone: 905-845-9430 x2035
1430 Trafalgar Road           Fax: 905-815-4011
Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
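
The summary and threshold reports asked for in the message above can be prototyped outside Argus. The following is an added example, not code from the original post or from the Argus distribution. It assumes flow records have already been exported as (source, destination, destination port) tuples with the source as the initiator; the sample flows, addresses and function names are constructed for illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (src, dst, dst_port); not real Argus output.
FLOWS = (
    [("192.0.2.10", "10.1.1.5", 80)] * 23                          # repeated web access
    + [("198.51.100.7", f"10.1.1.{h}", 22) for h in range(1, 41)]  # many hosts, one port
    + [("203.0.113.9", "10.1.1.20", p) for p in range(1, 101)]     # one host, many ports
    + [("10.1.1.5", "192.0.2.53", 53)]                             # outbound DNS
)


def summarize(flows):
    """Collapse per-connection records into (src, dst, port) -> connection count."""
    return Counter(flows)


def host_sweeps(flows, local_net, min_hosts):
    """Sources that initiated connections to at least min_hosts distinct local machines."""
    net = ip_network(local_net)
    targets = defaultdict(set)
    for src, dst, _port in flows:
        if ip_address(dst) in net:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


def port_sweeps(flows, min_ports):
    """(src, dst) pairs where src touched at least min_ports distinct ports on dst."""
    ports = defaultdict(set)
    for src, dst, port in flows:
        ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    # Summary form: one line per (src, dst, port) instead of one per connection.
    for (src, dst, port), n in summarize(FLOWS).most_common(3):
        print(f"{src} made {n} connections to port {port} on {dst}")
    print("host sweeps:", host_sweeps(FLOWS, "10.1.1.0/24", min_hosts=20))
    print("port sweeps:", port_sweeps(FLOWS, min_ports=50))
```

Both thresholds are parameters, so they can be tuned per subnet to keep busy but legitimate clients out of the report.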


