Tool to find ssh attacks in argus logs
Russell Fulton
r.fulton at auckland.ac.nz
Sun Nov 4 17:31:05 EST 2001
Greetings All,
Here is a quick perl hack to scan archived argus[1] logs
for evidence of ssh attacks. The current attack that we have seen
iterates an offset for the shell code and this script picks up the
repeated attempts. The script is quite specific to this attack and
looks for ssh sessions within a quite narrow size range.
It has been tested by Peter Van Epp (thanks Peter!) on real data and
picked up all known attacks that they had seen, and outgoing attacks from
machines on the network that had already been compromised. Peter also
modified the script to work with argus 1.8.x (see comments).
This is a first cut at this problem. If I get time I will modify this
(using stuff from my watcher scan detector script) to give real time
notification on attacks.
[1]: Argus IP audit tool http://www.qosient.com
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
#!/usr/bin/perl
use strict;
use warnings;

my %ipn;   # per-source stats: COUNT (distinct targets), TOTAL (sessions), TIME, LTIME
$ENV{TZ} = 'UTC';

# Assumes version 2.0 ra -- remove the A switch if running with 1.8.x data
open(RA, "bin/ra -Ancr " . join(' ', @ARGV) . " - tcp and dst port 22 |")
    or die "failed to open connection to server: $!";

while (<RA>) {
    chomp;
    my ( $timestmp, $proto, $src, $srcp, $sym, $dst,
         $dstp, $topkt, $fpkt, $tobytes, $fbytes, $status ) =
        unpack "A19x3A4a15xA6A3x2A16xA5xA8xA9xA12xA12a10", $_;

    # From Peter Van Epp:
    # If you are a Luddite like me and still running 1.8.1, comment out the 3
    # lines above and uncomment the 5 lines below
    # my ( $timestmp, $flag, $proto, $src, $srcp, $sym, $dst,
    #      $dstp, $topkt, $fpkt, $tobytes, $fbytes, $status ) =
    #     unpack "A18xA3xA4xA15xA6A3xA15xA5xA6xA6x2A9xA9A3", $_;
    # $src =~ s/ //g;
    # $dst =~ s/ //g;

    # Size signature of this attack: narrow byte ranges in each direction
    next unless ( $tobytes > 90000 and $tobytes < 110000 and
                  $fbytes > 300 and $fbytes < 400 );

    if ( ! exists $ipn{$src} ) {
        $ipn{$src} = { COUNT => 0, TOTAL => 0, TIME => $timestmp };
    }
    if ( ! exists $ipn{$src}->{$dst} ) {
        $ipn{$src}->{COUNT}++;          # first session from $src to this target
        $ipn{$src}->{$dst} = 1;
    } else {
        $ipn{$src}->{$dst}++;
    }
    $ipn{$src}->{TOTAL}++;
    $ipn{$src}->{LTIME} = $timestmp;    # time of the most recent session
}
close(RA);

print scalar keys %ipn, "\n";
foreach my $ip ( sort { $ipn{$b}->{TOTAL} <=> $ipn{$a}->{TOTAL} } keys %ipn ) {
    # my $dn = gethostbyaddr(pack("C4", split(/\./, $ip)), 2) || '';
    # last if $ipn{$ip}->{TOTAL} == 1;
    print "$ip $ipn{$ip}->{TIME} -- $ipn{$ip}->{LTIME} # number of targets $ipn{$ip}->{COUNT} total sessions $ipn{$ip}->{TOTAL}\n";
}
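As an added example (not part of the original post or of argus itself), the same size-window aggregation written in Python over a handful of constructed flow records. The whitespace-separated layout and the addresses are assumptions for illustration, not real `ra` output, which prints fixed-width columns.

```python
from collections import defaultdict

# Byte-count window from the original script: client->server and server->client.
TO_BYTES = (90000, 110000)
FROM_BYTES = (300, 400)

# Constructed sample records (not real `ra` output). Fields mirror the ones
# the Perl script unpacks:
# time proto src sport dir dst dport topkt fpkt tobytes fbytes status
SAMPLE_LOG = """\
2001-11-04T10:00:01 tcp 192.0.2.10 40001 -> 198.51.100.5 22 120 80 95000 350 EST
2001-11-04T10:00:07 tcp 192.0.2.10 40002 -> 198.51.100.5 22 121 80 95100 351 EST
2001-11-04T10:00:13 tcp 192.0.2.10 40003 -> 198.51.100.9 22 119 79 94900 349 EST
2001-11-04T10:05:00 tcp 192.0.2.77 50001 -> 198.51.100.5 22 30 25 4000 6000 FIN
2001-11-04T10:06:00 tcp 192.0.2.10 40004 -> 198.51.100.5 22 5 4 500 300 RST
"""

def in_window(value, window):
    lo, hi = window
    return lo < value < hi  # strict bounds, as in the Perl script

def scan(records):
    """Return {src: {"first", "last", "total", "targets"}} for tcp/22 flows
    whose byte counts in both directions fall inside the size window."""
    stats = {}
    for line in records.splitlines():
        if not line.strip():
            continue
        ts, proto, src, _sp, _sym, dst, dport, _tp, _fp, tob, fromb, _st = line.split()
        if proto != "tcp" or dport != "22":
            continue
        if not (in_window(int(tob), TO_BYTES) and in_window(int(fromb), FROM_BYTES)):
            continue
        s = stats.setdefault(src, {"first": ts, "last": ts, "total": 0,
                                   "targets": defaultdict(int)})
        s["targets"][dst] += 1  # sessions per target, as the Perl hash does
        s["total"] += 1
        s["last"] = ts
    return stats

def report(stats):
    """(src, first, last, distinct targets, total sessions), busiest first."""
    return [(src, s["first"], s["last"], len(s["targets"]), s["total"])
            for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["total"])]

if __name__ == "__main__":
    for row in report(scan(SAMPLE_LOG)):
        print("%s %s -- %s # number of targets %d total sessions %d" % row)
```

Only the three sessions inside the window are counted; the large interactive session and the short reset one are discarded before aggregation.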