What we do with argus
Russell Fulton
r.fulton at auckland.ac.nz
Thu Jun 21 17:46:15 EDT 2001
On Thu, 21 Jun 2001 15:40:40 -0400 Desmond Irvine
<desmond.irvine at sheridanc.on.ca> wrote:
> What I'm most curious about is how other list members are making use of
> Argus.
Right, you know about my scan detection stuff -- that's really just a
hobby ;-)
The main reason we run argus is to have a long term audit trail of our
network traffic. The next logical question is what do we use this for.
1/ We run snort and argus logs are invaluable in figuring out if an
exploit attempt succeeded or not -- it isn't infallible but it is
pretty good. e.g. if you see an exploit attempt immediately followed by an
inbound session to a high port followed by an outbound ftp connection you
know you've got a problem. Another example is the sadmind worm: I
dumped all traffic from the exploit phase of the attack and grep'ed out
all the established sessions. Looking at the logs I quickly
spotted that some machine had many more sessions than others so I wrote
a short (10 - 15 lines) perl script that read these ra records and
counted how many sessions to each host and output the hostnames and
counts (sorted by number of hits). The machines fell naturally into 3
groups:
a/ There were quite a few machines that had large numbers of sessions
(over 30 and up to 100). A bit more research showed that nearly all of
these machines had a default install of IIS or were defaced. These
machines were vulnerable to one or more of the attacks the worm used.
b/ There was another sizable group with exactly 15 connections, on
investigation these turned out to be all running IIS but none were
defaced. These machines were not vulnerable.
c/ Lastly a big group that had just a single session. These were
machines that were running web servers other than IIS.
It took me most of one afternoon to figure all this out but once I had
it the next time the worm struck I had a list of vulnerable machines in
about 5 minutes.
2/ When we do find compromised machines we use argus logs to track
cracker activity and in a few cases we have gone back several months to
find the original compromise. Since we installed snort I have not had
to do this much since we now usually pick up the compromise fast.
3/ we sometimes want answers to ad hoc questions like "what proportion
of our traffic is udp and is it increasing".
4/ I periodically get calls from customers of local ISPs. "I've just
installed a personal firewall and it says your web server is attacking
my machine on <some high numbered port>". Invariably this is the
result of a dialup session being dropped and a new user picking up the
IP, a quick look at the argus logs will confirm this.
We also do per user billing and we could use argus for that but we don't
because we use Netramet --- which implements the IETF's Real Time
Traffic Measurement architecture (RTFM). Netramet was written by Nevil
Brownlee who lives in the next door office when he is not in San Diego
at CAIDA. Netramet does ragator style aggregation (and much more) on a
remote meter which you read with an snmp agent. The aggregation is much
more flexible and since the aggregation is done on the meter the traffic
transfer is minimized. It is however more difficult to set up -- it
has a programming language to specify the aggregation.
Russell.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
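The per-host session count described in item 1 above, as an added example in Python (it is not Russell's perl script); the sample records and the ra column layout they follow are constructed approximations of argus 2.x text output, and the hosts and counts are made up:

```python
"""Count established argus sessions per destination host.

Added example, not the script from the post. SAMPLE is constructed and
only approximates the text output of 'ra'; the real column layout
depends on the argus version and the ra options used.
"""
from collections import Counter

# Constructed sample, assumed layout:
# date time proto src.port dir dst.port spkts dpkts sbytes dbytes state
SAMPLE = """\
21 Jun 01 15:40:40   tcp  10.0.0.5.3021  ->  192.168.1.10.80   5  4  512  900  EST
21 Jun 01 15:40:41   tcp  10.0.0.5.3022  ->  192.168.1.10.80   5  4  512  900  EST
21 Jun 01 15:40:41   tcp  10.0.0.5.3023  ->  192.168.1.11.80   1  0   60    0  REQ
21 Jun 01 15:40:42   tcp  10.0.0.6.1101  ->  192.168.1.12.80   5  4  512  900  EST
21 Jun 01 15:40:43   udp  10.0.0.7.53    ->  192.168.1.10.53   1  1   90  120  CON
21 Jun 01 15:40:44   tcp  10.0.0.5.3024  ->  192.168.1.10.80   5  4  512  900  EST
"""

# Direction markers ra prints between the two endpoints (assumed set).
DIR_TOKENS = {"->", "<-", "<->", "?>", "<?", "<?>"}


def parse_record(line):
    """Return (proto, src_host, dst_host, state), or None if unparseable."""
    tok = line.split()
    dir_idx = next((i for i, t in enumerate(tok) if t in DIR_TOKENS), None)
    if dir_idx is None or dir_idx < 2 or dir_idx + 1 >= len(tok):
        return None
    # Endpoints are written addr.port; rsplit keeps dotted IPs intact.
    src_host = tok[dir_idx - 1].rsplit(".", 1)[0]
    dst_host = tok[dir_idx + 1].rsplit(".", 1)[0]
    return tok[dir_idx - 2], src_host, dst_host, tok[-1]


def sessions_per_host(text, state="EST", proto="tcp"):
    """Count records in the given state per destination host, most hits first."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec[0] == proto and rec[3] == state:
            counts[rec[2]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for host, n in sessions_per_host(SAMPLE):
        print(f"{n:6d}  {host}")
```

Feed it real ra output in place of SAMPLE and the hosts with the most established sessions float to the top, which is the grouping the post describes.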