argus-clients informal survey

Carter Bullard carter at qosient.com
Thu Jun 21 16:21:36 EDT 2001


Hey Desmond,
   Well, where there is a will there is a way.  Some
of what you are looking for is already there or coming,
but just seeing the list for me is the most important
thing.

   rapolicy() is your Cisco ACL checking list,
and it's in the argus-clients-2.0.1.alpha.6 tarfile.
There is a program rasrvstats() that will do what
you want in terms of servers, ports, clients and the
number of connections, etc.  I took it out of the
argus-clients release because of bugs, but it will
be back in alpha.7.

   If you are willing to help define some of these
tools, we could get them out pretty quick.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

   

> -----Original Message-----
> From: Desmond Irvine [mailto:desmond.irvine at sheridanc.on.ca] 
> Sent: Thursday, June 21, 2001 3:41 PM
> To: Carter Bullard
> Cc: 'argus'
> Subject: Re: argus-clients informal survey
> 
> 
> Carter Bullard wrote:
> > 
> > Hey Desmond,
> >    Thanks!!!!  I'm busy writing code, fixing bugs, trying
> > to answer questions, I really haven't had any time to work
> > on documentation, and there isn't much coming from the
> > list, so there is a lot that has been left undone!!!
> > 
> > Any suggestions as to how to tackle this problem?
> 
> Unfortunately, no.
>  
> > Are there problems that you have that you think argus
> > should be able to answer but don't know where to start?
> > 
> > Having a list of problems would be a way to begin the
> > process of improving/expanding the HOW-TO sections and
> > may help in defining the kind of applications we need to write.
> 
> Some of what I want may very well be possible with the 
> existing code and some of it may require new code.  Off the 
> top of my head I'd like to see things like service profiles 
> (lists of services used and provided by a machine), the 
> ability to do what-if scenarios to see how Cisco-like ACLs 
> would affect the stored traffic flows, traffic summaries 
> (what activity a machine did in summary form - i.e. I don't 
> want to see each connection it made to another machine on 
> port 80, but rather a summary listing saying it made 23 
> connections to port 80 on the other machine), the ability to 
> list machines that initiated connections to a configurable 
> threshold of local machines, the ability to list machines 
> that attempted to connect to every machine on any subnet, the 
> ability to list machines that connected to a large number of 
> ports (configurable) on any one machine.  A lot of this can 
> be accomplished by manipulating the data Argus collects 
> externally via perl, sql, whatever and maybe that's where it 
> should be done.
> 
> What I'm most curious about is how other list members are 
> making use of Argus.  I know Russell Fulton has some perl 
> scripts which try to identify scans (and may do other things 
> - I haven't found the time to look at them yet).  It would be 
> interesting to find out what everyone else has been doing 
> with Argus and what home grown tools / processes they have developed.
> 
> > Also getting descriptions of how argus helped a site solve
> > a problem would also be good.
> > 
> > As an example, recently, SpamCop sent email to a site administrator 
> > indicating that a web machine was sending spam email and they wanted 
> > it stopped.  A 15-minute glance at the site's argus data showed that 
> > an outside machine was connecting to the web server on port 80, and 
> > miraculously a piece of email was sent by the server to an arbitrary
> > destination address, and when the email TCP connection was
> > over, the port 80 transaction exited.
> > 
> > The way that I found this was to do a:
> >    ra -r archivefile - src host webmachine and tcp and dst port 53
> > 
> > That gave me a set of connections, one starting at 12:32:13 and one 
> > starting at 12:35:43.  I then
> >    ra -r archivefile - host webmachine -t 12:32-12:32:20
> >    ra -r archivefile - host webmachine -t 12:35:30-12:36
> > 
> > The first returned a set of connections, which had both the port 80 
> > connection and the email connection together, the second had the 
> > exact same relationship, and the third and the fourth.  Bingo, an 
> > outside machine was exploiting a problem in an HTTP server to send 
> > spam mail.
> > 
> > Is this the type of stuff that would help?
>  
> This is exactly the type of thing that I'm sure people would 
> find useful.  In my case I use Argus heavily to do 
> post-mortem investigations of compromised machines to see who 
> has visited the machine, especially when they have erased the 
> local logs.  Once I've determined the
> machine(s) that were involved I can follow their path to see 
> what other local machines they have visited and possibly compromised.
> 
> Desmond.
> 
> -- 
> Desmond Irvine                Security Analyst, Information Technology
> Sheridan College              Phone: 905-845-9430 x2035
> 1430 Trafalgar Road           Fax: 905-815-4011
> Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
> 
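Desmond's wish list above (per-host connection summaries, sources that fan out to many local machines, sources that sweep many ports on one machine) and Carter's port-80-then-SMTP correlation are all small post-processing jobs over flow records, which is roughly the "perl, sql, whatever" route Desmond mentions. What follows is an added example and not code from the argus-clients project or from either poster. It runs over constructed sample records in a simplified, hypothetical line layout (start time, protocol, src.sport, dst.dport) that stands in for ra output and is not ra's real format; the local network 10.1.1.0/24, the web server address 10.1.1.20, the thresholds and the 10-second correlation window are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a simplified, hypothetical layout
# (start time, protocol, src.sport, dst.dport).  This is a stand-in,
# not ra's real output format, so the script runs offline.
SAMPLE_FLOWS = """\
12:30:01 tcp 10.1.1.50.40001 10.1.1.20.80
12:30:05 tcp 10.1.1.50.40002 10.1.1.20.80
12:30:09 tcp 10.1.1.50.40003 10.1.1.20.80
12:32:13 tcp 198.51.100.7.51012 10.1.1.20.80
12:32:15 tcp 10.1.1.20.35010 203.0.113.25.25
12:35:43 tcp 198.51.100.7.51020 10.1.1.20.80
12:35:45 tcp 10.1.1.20.35011 203.0.113.26.25
12:40:00 tcp 10.1.1.20.35012 203.0.113.27.25
12:50:00 tcp 203.0.113.99.4000 10.1.1.1.22
12:50:01 tcp 203.0.113.99.4001 10.1.1.2.22
12:50:02 tcp 203.0.113.99.4002 10.1.1.3.22
12:50:03 tcp 203.0.113.99.4003 10.1.1.4.22
12:55:00 tcp 203.0.113.98.5000 10.1.1.20.21
12:55:00 tcp 203.0.113.98.5001 10.1.1.20.22
12:55:01 tcp 203.0.113.98.5002 10.1.1.20.23
12:55:01 tcp 203.0.113.98.5003 10.1.1.20.25
12:55:02 tcp 203.0.113.98.5004 10.1.1.20.110
"""

LOCAL_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed local address space


def split_addr(token):
    """'10.1.1.20.80' -> ('10.1.1.20', 80): host and port joined by a dot."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def parse_flows(text):
    """One dict per record with a datetime start and address/port fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, proto, src, dst = line.split()
        saddr, sport = split_addr(src)
        daddr, dport = split_addr(dst)
        flows.append({"start": datetime.strptime(start, "%H:%M:%S"),
                      "proto": proto, "saddr": saddr, "sport": sport,
                      "daddr": daddr, "dport": dport})
    return flows


def summarize(flows):
    """Connection counts per (src, dst, dst port) instead of one line per flow."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f["saddr"], f["daddr"], f["dport"])] += 1
    return dict(counts)


def horizontal_scanners(flows, threshold):
    """Sources that initiated flows to at least `threshold` distinct local hosts."""
    targets = defaultdict(set)
    for f in flows:
        if ipaddress.ip_address(f["daddr"]) in LOCAL_NET:
            targets[f["saddr"]].add(f["daddr"])
    return {s: t for s, t in targets.items() if len(t) >= threshold}


def port_sweeps(flows, threshold):
    """(src, dst) pairs where the source touched at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["saddr"], f["daddr"])].add(f["dport"])
    return {k: p for k, p in ports.items() if len(p) >= threshold}


def correlate_trigger(flows, server, trigger_port, outbound_port, window):
    """Pair inbound flows to server:trigger_port with outbound flows from the
    server to outbound_port starting within `window` seconds afterwards."""
    inbound = [f for f in flows if f["daddr"] == server and f["dport"] == trigger_port]
    outbound = [f for f in flows if f["saddr"] == server and f["dport"] == outbound_port]
    pairs = []
    for i in inbound:
        for o in outbound:
            if 0 <= (o["start"] - i["start"]).total_seconds() <= window:
                pairs.append((i["saddr"], i["start"].strftime("%H:%M:%S"), o["daddr"]))
    return pairs


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst, port), n in sorted(summarize(flows).items()):
        print("%s -> %s port %d: %d connections" % (src, dst, port, n))
    print("fan-out >= 4 local hosts:", horizontal_scanners(flows, 4))
    print("port sweeps >= 5 ports:", port_sweeps(flows, 5))
    print("port-80 visits followed by SMTP within 10s:",
          correlate_trigger(flows, "10.1.1.20", 80, 25, 10))
```

On the sample data the summary collapses the three 10.1.1.50 connections into one line, 203.0.113.99 shows up as the source that touched four local hosts, 203.0.113.98 as the one that hit five ports on the web server, and only the two 198.51.100.7 visits are followed by outbound SMTP inside the window; the 12:40:00 SMTP flow has no port-80 trigger close enough and is not paired. The correlation window and thresholds are the knobs a site would tune against its own traffic.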


