argus-clients informal survey
Peter Van Epp
vanepp at sfu.ca
Fri Jun 22 00:51:10 EDT 2001
>
> Carter Bullard wrote:
>
> <snip>
>
> > I'm pretty much of the opinion that the awareness of Argus
> > and its ability to solve real problems for people is where
> > the work needs to be done. Although we've got QoSient,
> > Debian, and FreeBSD distributing Argus now, we don't have a
> > HUGE following, like I think we could have. It's hard to
> > remember that Argus-2.0 has really only been out for 3 months
> > now, but Argus should be getting more attention than it has.
>
> <snip>
   I guess that's my cue to admit that I've committed to doing an article
for Usenix/Sage's Login: on what you can do with a complete record of what
went in and out of your network (and surprise surprise, what's the only way I
know to collect that information?)
>
> > I believe that I need to be doing what is needed to draw
> > more people into Argus, to use it to solve their problems.
> > I think that means more applications, rather than to
> > continue to tweak the data generation itself.
> >
> > Any opinions?
>
> As a somewhat newbie Argus user and lurker on the list I'd like to throw
> in my two cents. I'm using Argus right now, but only to the bare
> minimum in that when I have something to investigate I go through my
> argus logs and look for specific things using ra. I'd like to go beyond
> this and do a lot more pro-active monitoring, but I'm not sure where to
> start. Most of the documents I've seen on the net about using Argus
> refer to older versions of Argus with different client programs
> (raservices). For Argus to become more attractive I personally think
> there need to be more "cookbook" examples of how to make use of it.
> Argus gives us an overwhelming amount of data to play with, but there
> don't seem to be a lot of real world examples available of what can be
> done with it.
>
> Desmond.
>
> --
> Desmond Irvine Security Analyst, Information Technology
> Sheridan College Phone: 905-845-9430 x2035
> 1430 Trafalgar Road Fax: 905-815-4011
> Oakville, ON L6H 2L1 EMail: desmond.irvine at sheridanc.on.ca
>
   While I'm not sure your current use isn't the right one (collect the
data, only use it if you must :-)), here are a couple of suggestions:
collect port scans. By and large they aren't interesting, but some of
them are. The first one (address changed to protect the guilty) turned out
to be Sub7 on a PC being used to scan outbound (as opposed to one of my kiddies
playing "you bet your account"). Russell's watcher script is probably a better
bet for this. Figuring out a successful strategy is being surprisingly hard
(as is getting time to install and try watcher :-)).
   This is generated by perl from ra output. The first address is the
source, then the net, dst port and number of addresses on the net probed.
This wants to reduce (much much later :-)) to: add any scan with an internal
source to the "whackem high" file (successful or not); add any address with an
outside source to the suspicious file (and flag all future connections as
potentially an attack), but if there was no reply from the inside otherwise
ignore it. Anything that gets a reply from the inside goes in the immediately
suspicious file for human review in case it's an attack (a lot won't be but
some will). Adjust to suit how much time you have available.
- 142.58.xxx.yy
61.139.227. 137 3
61.139.226. 8484 254
61.139.227. 8484 254
61.139.228. 8484 254
- 211.185.198.50
206.12.128. 111 255
206.12.17. 111 255
- 12.1.225.4
206.12.128. 2223 254
206.12.17. 2223 234
- 154.13.1.96
199.60.1. icmp 12
199.60.10. icmp 13
199.60.11. icmp 10
199.60.12. icmp 12
199.60.13. icmp 14
   As Russell mentioned, Argus can be used to replace NetRaMet (I started
playing with both of them at the same time and have settled on argus at
least for now). Again a perl script from ra data (both of these are still 1.8):
These happen to be our proxy, web and mail servers, which tend to trade
the one and two position with a colocated host. If a user machine hits the
top 20 (and isn't one of the usual suspects) that's suspicious and more times
than not either a break-in or a warez/Gnutella/Napster server that needs a
detailed look. The list is sorted (reverse) by traffic. Then any unusual
port (i.e. ones not in a list of known services) gets broken out as source
address, dest address, dest port and data counts. After that the aggregate
service port counts are output (ra will find details if you need them).
You quickly notice odd changes in patterns (usually new machines popping up
because they have been broken in to); a sudden change in a machine profile
(either way) is suspicious. Ideally you would do a diff of this from a
collection of previous records to automatically flag large changes in
pattern. Your serious problem children (those doing a lot of traffic) will
leap out at you and flag that there is a problem, conveniently sorted by
severity (aka the amount of damage they are doing). Some types of DDOS
attacks won't show high on this list. For them you need to be looking for
ECR flags in the ra output (until they smarten up and use something else to
control the zombies of course). This will show up in the size of the argus file;
a large increase is a flag to look for ECRs and a DDOS attack (large volumes
of smallish packets which may not leap out of the traffic volume as well as
a warez site). Hopefully food for thought.
start time Tue 06/19 06:30:03 to Wed 06/20 06:30:00
Total traffic: 72,344,938,531 total src: 12,786,985,703 total dst: 59,557,952,828
142.58.101.24 total traffic: 5,815,036,749
128.121.241.93 142.58.101.24 64663 5,840 0
142.22.48.5 142.58.101.24 48 0
142.58.101.24 128.100.132.7 8765 6,099 57,388
142.58.101.24 128.100.160.7 5680 42,885 747,979
142.58.101.24 128.121.241.93 4826 0 1,948,677
...
64.180.0.8 142.58.101.24 548 22,211 23,106
113 0 0
123 37,968 35,728
137 102,620 0
21 4,394 29,077
443 4,208,996 37,037,196
80 289,713,540 4,659,854,930
8080 55,570,240 418,714,405
icmp 134,976 8,832
142.58.200.82 total traffic: 5,014,793,461
12.21.190.9 142.58.200.82 37852 18 0
134.174.7.3 142.58.200.82 unas 132 0
142.103.10.110 142.58.200.82 33459 18 0
142.103.10.110 142.58.200.82 33460 18 0
...
62.23.145.130 142.58.200.82 37852 18 0
123 149,688 74,368
137 195,654 0
21 0 0
443 198,897 2,291,820
80 284,433,966 4,722,304,553
icmp 589,440 219,456
142.58.120.21 total traffic: 2,972,193,094
12.21.190.9 142.58.120.21 37852 18 0
129.169.8.9 142.58.120.21 50868 0 0
...
65.165.139.131 142.58.120.21 261 0 0
110 5,622,444 842,123,665
113 140,004 418,457
123 115,528 25,760
137 24,012 0
143 7,980,945 7,635,267
22 3,386 17,941
25 2,037,401,286 54,200,424
53 4,664,931 1,514,511
80 0 0
icmp 2,740,544 65,536
   On the other end of this file (in less convenient form however :-))
port scans (such as this particularly inept one) show up:
63.217.26.43 total traffic: 0
63.217.26.43 142.58.21.255 11092 0 0
63.217.26.43 142.58.21.255 11604 0 0
63.217.26.43 142.58.21.255 13140 0 0
63.217.26.43 142.58.21.255 16212 0 0
63.217.26.43 142.58.21.255 16724 0 0
63.217.26.43 142.58.21.255 17748 0 0
63.217.26.43 142.58.21.255 21332 0 0
63.217.26.43 142.58.21.255 22868 0 0
63.217.26.43 142.58.21.255 24404 0 0
63.217.26.43 142.58.21.255 30548 0 0
63.217.26.43 142.58.21.255 31060 0 0
63.217.26.43 142.58.21.255 32084 0 0
63.217.26.43 142.58.21.255 32596 0 0
63.217.26.43 142.58.21.255 33620 0 0
63.217.26.43 142.58.21.255 3412 0 0
63.217.26.43 142.58.21.255 36692 0 0
63.217.26.43 142.58.21.255 40276 0 0
63.217.26.43 142.58.21.255 41812 0 0
63.217.26.43 142.58.21.255 45396 0 0
63.217.26.43 142.58.21.255 46420 0 0
63.217.26.43 142.58.21.255 49492 0 0
63.217.26.43 142.58.21.255 50004 0 0
63.217.26.43 142.58.21.255 51028 0 0
63.217.26.43 142.58.21.255 51540 0 0
63.217.26.43 142.58.21.255 53076 0 0
63.217.26.43 142.58.21.255 5460 0 0
63.217.26.43 142.58.21.255 56148 0 0
63.217.26.43 142.58.21.255 58196 0 0
63.217.26.43 142.58.21.255 59732 0 0
63.217.26.43 142.58.21.255 60756 0 0
63.217.26.43 142.58.21.255 6996 0 0
63.217.26.43 142.58.21.255 8532 0 0
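As an added example (not part of Peter's post, his perl scripts, or the Argus distribution), here is a Python sketch of the two reductions the post describes: the port-scan summary (source, /24 net, dst port, number of hosts probed) with the inside/outside/replied triage he proposes, and the per-host traffic profile with unknown ports broken out and known service ports aggregated. It reads a constructed, simplified record layout (proto saddr sport daddr dport sbytes dbytes), not ra's real output format, and the internal address range, the known-port list and the sample flows are all assumptions made for the example.

```python
"""Scan summary + triage, and per-host traffic profile, over flow records.
Added example, not Argus code. Record layout is a constructed simplification
(proto saddr sport daddr dport sbytes dbytes), not ra's real output."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (not captured data).
SAMPLE = """\
tcp 211.185.198.50 3456 206.12.128.1 111 60 0
tcp 211.185.198.50 3457 206.12.128.2 111 60 0
tcp 211.185.198.50 3458 206.12.128.3 111 60 40
tcp 211.185.198.50 3459 206.12.17.1 111 60 0
tcp 211.185.198.50 3460 206.12.17.2 111 60 0
tcp 206.12.128.77 4000 61.139.226.1 8484 60 0
tcp 206.12.128.77 4001 61.139.226.2 8484 60 0
tcp 206.12.128.77 4002 61.139.226.3 8484 60 0
tcp 10.9.8.7 40000 206.12.128.10 80 500 200000
tcp 10.9.8.8 40001 206.12.128.10 80 700 300000
tcp 10.9.8.9 40002 206.12.128.10 6667 100 5000
tcp 206.12.128.10 25 10.9.8.9 25 1000 2000
"""

INTERNAL = [ip_network("206.12.0.0/16")]  # assumed "inside" range
KNOWN_PORTS = {"21", "22", "25", "53", "80", "110", "113", "123",
               "137", "143", "443", "8080", "icmp"}  # assumed service list


def parse(text):
    """One dict per record; ICMP has no port, so its 'dport' becomes 'icmp'."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue  # skip headers / blank lines
        proto, saddr, _sport, daddr, dport, sbytes, dbytes = f
        flows.append({"proto": proto, "src": saddr, "dst": daddr,
                      "dport": "icmp" if proto == "icmp" else dport,
                      "sbytes": int(sbytes), "dbytes": int(dbytes)})
    return flows


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def net24(addr):
    """'61.139.226.5' -> '61.139.226.' (the /24 the post groups by)."""
    return addr.rsplit(".", 1)[0] + "."


def scan_report(flows, min_hosts=3):
    """src -> {(net, dport): (distinct hosts probed, did inside reply?)}.
    A (src, /24, dport) triple touching >= min_hosts hosts counts as a sweep."""
    hosts, replied = defaultdict(set), defaultdict(bool)
    for f in flows:
        key = (f["src"], net24(f["dst"]), f["dport"])
        hosts[key].add(f["dst"])
        replied[key] = replied[key] or f["dbytes"] > 0  # dst sent bytes back
    report = defaultdict(dict)
    for (src, net, port), probed in hosts.items():
        if len(probed) >= min_hosts:
            report[src][(net, port)] = (len(probed), replied[(src, net, port)])
    return dict(report)


def triage(report):
    """Bucket scanners as the post proposes: internal source -> whackem;
    outside source that got a reply from inside -> immediate review;
    outside source with no reply -> suspicious (flag, but don't chase)."""
    buckets = {"whackem": set(), "immediate": set(), "suspicious": set()}
    for src, sweeps in report.items():
        if is_internal(src):
            buckets["whackem"].add(src)
        elif any(got_reply for _, got_reply in sweeps.values()):
            buckets["immediate"].add(src)
        else:
            buckets["suspicious"].add(src)
    return buckets


def traffic_report(flows, known=KNOWN_PORTS):
    """Per internal host: total bytes, per-service [src_bytes, dst_bytes], and
    flows on ports not in the known list; sorted largest total first.
    (An internal-to-internal flow is credited to both ends.)"""
    total = defaultdict(int)
    svc = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    odd = defaultdict(list)
    for f in flows:
        for host in (f["src"], f["dst"]):
            if not is_internal(host):
                continue
            total[host] += f["sbytes"] + f["dbytes"]
            svc[host][f["dport"]][0] += f["sbytes"]
            svc[host][f["dport"]][1] += f["dbytes"]
            if f["dport"] not in known:
                odd[host].append((f["src"], f["dst"], f["dport"],
                                  f["sbytes"], f["dbytes"]))
    return [(h, total[h], dict(svc[h]), odd[h])
            for h in sorted(total, key=total.get, reverse=True)]


if __name__ == "__main__":
    flows = parse(SAMPLE)
    for src, sweeps in scan_report(flows).items():
        print("-", src)
        for (net, port), (n, reply) in sweeps.items():
            print(f"  {net:<16} {port:>5} {n:>4}{'  (replied)' if reply else ''}")
    print(triage(scan_report(flows)))
    for host, tot, services, unusual in traffic_report(flows)[:3]:
        print(f"{host} total traffic: {tot:,}")
        for rec in unusual:
            print("  ", *rec)
        for port, (sb, db) in sorted(services.items()):
            print(f"  {port:>5} {sb:>12,} {db:>14,}")
```

The "replied" flag is what separates the two suspicious files in the post: a sweep where any probed inside host sent bytes back is worth a human look, while one that drew nothing can be filed and forgotten. The min_hosts threshold is the knob to turn when a real ra feed produces too many entries.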