2nd beta release of my argus perl scripts...

Russell Fulton r.fulton at auckland.ac.nz
Wed Mar 14 15:37:41 EST 2001


On Wed, 14 Mar 2001 08:44:35 -0500 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Russell,
>    This is great stuff!!!!  I'm going to do some 
> preliminary testing tomorrow, and a bunch of testing
> next week.

A couple of changes, sigh... I shipped the wrong version of 
Argus/Slowscan.pm  replacement appended.  I have also found a bug in 
the slowscan script itself which is trigged when you use the history 
option.  I have started summarising stuff in the history file as well 
as the reports to save memory with big scans.  It isnt quite working 
properly yet. If you don't save history between runs you should not get 
bitten by this one.   I'll try and get it fixed today.

I also found a fix for a bug in watcher did not work but it took 
several days of running to find out. 

at line 315 of the watcher script try replacing

    $duration = $time - $source->{Time} or 1; 

With

    $duration = $time - $source->{Time}; 
    $duration = 1 if $duration ==0;


I'm not sure why the former does not work (I tried enforcing 
precidents by () the arithmetic expression but still ocassionally
get $duration == 0 which caused a div by zero later when working out
the rate.   Very fast scans can cause this  $source->{Time} is the
time from the first argus record and $time is time().  This means that
it is less than a second from when argus server first saw the start of 
the scan to when it triggered the scan report.  I'm still not sure I 
believe it but it happens once every few days here.

> 
>    Are there any real problems that you've identified
> that you would like us to think about, in terms of
> say minimizing false positives, etc ......, detecting
> portmapper scanning requests, that kind of thing?
> 

No, I'm pretty happy with what argus gives me.  The next step in the 
developement of the scripts is to have differential weights to 
different events.

eg ECHO, and lone ACK = 1
   SYN = 2
   SYN/FIN and other illegal combinations = 5
and then raise the reporting threshold a bit.  This should get rid of 
some of the false positives.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

added definition for Maxlines.

-----------------------Argus/Slowscan.pm ----------------------
use Argus;

package Argus::SlowScan;   # config vars for particular scripts

use vars qw ( @Summary %Ignore $RA_Filter $Drop_int $NoGnuttela 
$NoNB_Name 
	      $Maxlines );

#
# If you don't need Summary or Ignore just delete their definition here
#

#@Summary = (
#	       'skitter\.',          # various cadia skitter probes
#	       '207\.114\.24\.98',    # WebChat.MD.US.Undernet.Org
#	       '130\.216\.1\.26',      # scream -- ftp server
#	       '130\.216\.191\.26',    # scream -- ftp server
#	       '130\.216\.1\.27',      # www.auckland.ac.nz 
#	       'msgr-ns.+\.hotmail.com', 
#		       );

# ignore these packets altogether
#my %Ignore = (
#	      '128.103.160.162', =>  '130.216.1.240',  # surveyor...
#	      '140.142.16.227', =>  '130.216.1.240',
#	      '205.189.33.70', =>  '130.216.1.240',
#	      );

# if you dont want udp remove it from the filter 

$RA_Filter = 'icmp or frag or udp or \(tcp and \(not est\) and \(not ' .
             '\(port 80 or port 113 or port 25 or port 53\)\)\)';

$Drop_int = 2;   # drop data after this many days with no traffic 

$NoGnuttela = 0;  # ignore gnutella traffic 
$NoNB_Name = 0;   # ignore netbios name traffic (udp -137)

$Maxlines = 256;  # print a summary if more than this many line in hour

##########################################################################

# Control the reporting thresholds:

my $Local_Times = 10;
my $Local_Dests1 = 100;
my $Local_Dests2 = 200;
my $Local_Dests3 = 500;

my $Rem_Times = 4;
my $Rem_Dests1 = 10;
my $Rem_Dests2 = 30;
my $Rem_Dests3 = 100;

sub report_this {
    my ($ip, $times, $count ) = @_;

    return ( $ip =~ /$Argus::Local_IP_re/o ) ?  # a local address
	(( $times >  $Local_Times and $count > $Local_Dests1 ) or
	 ( $times <= $Local_Times and $count > $Local_Dests2 ) or
	 $count > $Local_Dests3
	) 
	    : # else # outside
	(( $times >  $Rem_Times and $count > $Rem_Dests1 ) or
	 ( $times <= $Rem_Times and $count > $Rem_Dests2 ) or
	 $count > $Rem_Dests3
	) 
	    ;
}



More information about the argus mailing list