Tool to find ssh attacks in argus logs
Carter Bullard
carter at qosient.com
Mon Nov 5 15:23:59 EST 2001
Hey Russell,
Thanks a great deal! Do you want me to add this
to the contrib section of argus-2.0.4?
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Russell Fulton
> Sent: Sunday, November 04, 2001 5:31 PM
> To: unisog at sans.org; argus-info at lists.andrew.cmu.edu
> Subject: Tool to find ssh attacks in argus logs
>
>
> Greetings All,
> Here is a quick perl hack to scan archived argus[1] logs for evidence
> of ssh attacks. The current attack that we have seen iterates an
> offset for the shell code, and this script picks up the repeated
> attempts. The script is quite specific to this attack and looks for
> ssh sessions within a quite narrow size range.
>
> It has been tested by Peter Van Epp (thanks Peter!) on real data and
> picked up all known attacks that they had seen, and outgoing attacks
> from machines on the network that had already been compromised. Peter
> also modified the script to work with argus 1.8.x (see comments).
>
> This is a first cut at this problem. If I get time I will modify this
> (using stuff from my watcher scan detector script) to give real time
> notification on attacks.
>
> [1]: Argus IP audit tool http://www.qosient.com
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
> #!/usr/bin/perl
>
> my %ipn;
>
> $ENV{TZ} = 'UTC';
>
> # Assumes version 2.0 ra -- remove the A switch if running with 1.8.x data
>
> if (! open(RA, "bin/ra -Ancr " . join(' ', @ARGV) .
>            " - tcp and dst port 22 |") ) {
>     die "failed to open connection to server";
> }
>
> while (<RA>) {
>     chomp;
>     my ( $timestmp, $proto, $src, $srcp, $sym, $dst,
>          $dstp, $topkt, $fpkt, $tobytes, $fbytes, $status) =
>         unpack "A19x3A4a15xA6A3x2A16xA5xA8xA9xA12xA12a10", $_;
>     # From Peter Van Epp:
>     # If you are a luddite like me and still running 1.8.1, comment out
>     # the 3 lines above and uncomment the 5 lines below
>
>     # my ( $timestmp, $flag, $proto, $src, $srcp, $sym, $dst,
>     #      $dstp, $topkt, $fpkt, $tobytes, $fbytes, $status) =
>     #     unpack "A18xA3xA4xA15xA6A3xA15xA5xA6xA6x2A9xA9A3", $_;
>     # $src =~ s/ //g;
>     # $dst =~ s/ //g;
>
>     # Only keep sessions in the narrow size window of this attack:
>     # roughly 100KB sent to the server and a few hundred bytes back.
>     next unless ( $tobytes > 90000 and $tobytes < 110000 and
>                   $fbytes > 300 and $fbytes < 400);
>
>     if ( ! exists $ipn{$src} ) {
>         $ipn{$src} = {};
>         $ipn{$src}->{COUNT} = 0;        # distinct targets, bumped below
>         $ipn{$src}->{TOTAL} = 0;        # total matching sessions
>         $ipn{$src}->{TIME} = $timestmp; # first sighting
>         #print "$ipn{$src}->{TIME}\n";
>     }
>     if ( ! exists $ipn{$src}->{$dst} ) {
>         $ipn{$src}->{COUNT}++;
>         $ipn{$src}->{$dst} = 1;
>     } else {
>         $ipn{$src}->{$dst}++;
>     }
>     $ipn{$src}->{TOTAL}++;
>     $ipn{$src}->{LTIME} = $timestmp;    # last sighting
> }
> print scalar keys %ipn, "\n";
>
> foreach my $ip (sort {$ipn{$b}->{TOTAL} <=> $ipn{$a}->{TOTAL}} keys %ipn ) {
>     # my $dn = gethostbyaddr(pack("C4",split(/\./,$ip)),2) || '';
>     # last if $ipn{$ip}->{TOTAL} == 1;
>     print "$ip $ipn{$ip}->{TIME} -- $ipn{$ip}->{LTIME} # number of targets $ipn{$ip}->{COUNT} total sessions $ipn{$ip}->{TOTAL}\n";
> }
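The detection logic in Russell's script, re-expressed as an added Python example that can be run offline (this is editorial example code, not Russell's script or part of argus). It unpacks fixed-width ra records using the field widths implied by the script's unpack template for argus 2.0 (A19 x3 A4 a15 x A6 A3 x2 A16 x A5 x A8 x A9 x A12 x A12 a10), applies the same byte-count window and the same per-source aggregation, and reports first/last sighting, number of distinct targets and total sessions. The column layout, the literal "tcp" and "22" values used to stand in for the script's ra filter, and the sample records are all assumptions; real ra output for a given argus version should be checked against `ra -Ancr` before reusing the widths.

```python
"""Scan ra(1)-style fixed-width records for the SSH attack pattern above.

Added example, not code from the argus project or the original post.
Field widths are ASSUMED from the script's unpack template for argus 2.0 ra:
    A19 x3 A4 a15 x A6 A3 x2 A16 x A5 x A8 x A9 x A12 x A12 a10  (130 columns)
"""
import struct

# '=' selects standard sizes with no alignment padding between fields.
RA_FORMAT = "=19s3x4s15s1x6s3s2x16s1x5s1x8s1x9s1x12s1x12s10s"
RA_WIDTH = struct.calcsize(RA_FORMAT)   # 130
FIELDS = ("time", "proto", "src", "srcp", "sym", "dst", "dstp",
          "topkt", "fpkt", "tobytes", "fbytes", "status")

# Size window from the script: ~100 KB toward the server, a few hundred bytes back.
TO_BYTES = (90000, 110000)
FROM_BYTES = (300, 400)


def parse_ra_line(line):
    """Unpack one ra record into a dict; the four counters become ints."""
    raw = line.rstrip("\r\n").encode("ascii")
    raw = raw.ljust(RA_WIDTH)[:RA_WIDTH]      # tolerate a short or long status column
    parts = struct.unpack(RA_FORMAT, raw)
    rec = {name: part.decode("ascii").strip() for name, part in zip(FIELDS, parts)}
    for key in ("topkt", "fpkt", "tobytes", "fbytes"):
        rec[key] = int(rec[key] or 0)
    return rec


def is_candidate(rec):
    """The script's size test: large client-to-server transfer, tiny reply."""
    return (TO_BYTES[0] < rec["tobytes"] < TO_BYTES[1]
            and FROM_BYTES[0] < rec["fbytes"] < FROM_BYTES[1])


def summarize(lines):
    """Aggregate candidate sessions per source, like the script's %ipn hash.

    Returns a list of (src, info) sorted by total sessions, descending.
    The 'tcp and dst port 22' test is the ra filter in the script; it is
    applied here because the constructed records are not pre-filtered.
    """
    ipn = {}
    for line in lines:
        rec = parse_ra_line(line)
        if rec["proto"] != "tcp" or rec["dstp"] != "22":
            continue
        if not is_candidate(rec):
            continue
        info = ipn.setdefault(rec["src"], {"first": rec["time"], "last": rec["time"],
                                           "targets": {}, "total": 0})
        info["targets"][rec["dst"]] = info["targets"].get(rec["dst"], 0) + 1
        info["total"] += 1
        info["last"] = rec["time"]
    return sorted(ipn.items(), key=lambda kv: kv[1]["total"], reverse=True)


def make_ra_line(time, proto, src, srcp, sym, dst, dstp,
                 topkt, fpkt, tobytes, fbytes, status=""):
    """Lay fields into the column positions the unpack template expects (constructed input)."""
    return (f"{time:<19}   {proto:<4}{src:<15} {srcp:<6}{sym:<3}  {dst:<16} {dstp:<5} "
            f"{topkt:>8} {fpkt:>9} {tobytes:>12} {fbytes:>12}{status:<10}")


# Constructed sample: one source retrying the same-sized payload against three
# hosts (one of them twice), one ordinary ssh session, one in-window transfer
# that is not to port 22 and so would never pass the ra filter.
SAMPLE_LINES = [
    make_ra_line("04 Nov 01 03:12:07", "tcp", "192.0.2.77", "1041", "->", "198.51.100.10", "22", 121, 110, 101532, 348),
    make_ra_line("04 Nov 01 03:12:19", "tcp", "192.0.2.77", "1042", "->", "198.51.100.11", "22", 120, 109, 101540, 352),
    make_ra_line("04 Nov 01 03:12:31", "tcp", "192.0.2.77", "1043", "->", "198.51.100.11", "22", 122, 111, 101548, 350),
    make_ra_line("04 Nov 01 03:12:44", "tcp", "192.0.2.77", "1044", "->", "198.51.100.12", "22", 119, 108, 101556, 347),
    make_ra_line("04 Nov 01 08:30:02", "tcp", "203.0.113.5", "2201", "->", "198.51.100.10", "22", 40, 38, 4820, 3950),
    make_ra_line("04 Nov 01 09:01:15", "tcp", "203.0.113.9", "3310", "->", "198.51.100.20", "80", 130, 100, 99000, 360),
]

if __name__ == "__main__":
    # Same report line as the script prints for each source.
    for src, info in summarize(SAMPLE_LINES):
        print(f"{src} {info['first']} -- {info['last']} # number of targets "
              f"{len(info['targets'])} total sessions {info['total']}")
```

Run as-is it reports only 192.0.2.77, with three targets and four sessions; the normal-sized session and the port-80 record are dropped, which is the same result the script's ra filter plus byte window would give. The per-target counts kept under `targets` are the same information the script stores per `$dst`, and are the place to start if you want to refine the heuristic beyond session size.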