Ok, really, the last one.....ragator question

Carter Bullard carter at qosient.com
Wed Nov 14 19:22:32 EST 2001


Hey Wozz,
   The issue is the '?' in the direction indicator.
Because argus is absolutely stateful, it is saying
that it doesn't know precisely who the source or the
destination is (because it didn't see a SYN or a SYN_ACK
before it saw the FIN).  With the '?' it's saying that
the src and dst assignments may not be reliable.

   What probably happened is that argus timed the original
flow out, before the stray FIN came in, and because there
is no flow cache, it treats the lone FIN without any
context.

   There is a solution.  First pass your traffic through
ragator with no configuration.  It will correct the '?'.
If there was a flow that this FIN belongs to, and it gets
loaded into ragator before the FIN record is loaded, then
it will discover the correct direction and merge the FIN
report into the parent flow.

   If there was no original flow, then this may be a
security issue, since many scans work by sending FINs
to unknown ports and watching what comes back.

   With regard to your original configuration, you should
only need one line in your configuration, unless you
expect b to originate TCP connections to a's port 25,
which would seem unlikely.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Wozz
> Sent: Wednesday, November 14, 2001 6:36 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Ok, really, the last one.....ragator question
> 
> 
> Just want to make sure I'm clear, because I'm concerned about 
> missing out on some bad traffic through misunderstanding how 
> the aggregation works.  If I want to completely mask out a 
> particular flow (let's say smtp traffic between a and b) the 
> flowfile entry would look something like this (I thought)
> 
> Flow	100	a	b	tcp	*	25	101	604800
> Flow	101	b	a	tcp	*	25	101	604800
> 
> Model	101	0.0.0.0	0.0.0.0	no	no	no
> 
> What I'm ending up with in my ragator output however is:
> 
> 13 Nov 01 11:37:22    tcp   b.25   ?>   a.1345 FIN
> 13 Nov 01 13:08:22    tcp   b.25   ?>   a.3665 FIN
> 
> It's seeing the FIN and getting confused about the direction 
> of the connection (or perhaps that's the intended behavior and 
> I'm the one that's confused).  In order to totally remove this 
> flow from my ragator output, I have to add the following flows
> 
> Flow	102	a	b	tcp	25	*	101	604800
> Flow	103	b	a	tcp	25	*	101	604800
> 
> Now, perhaps this is the intended behavior, since argus isn't 
> truly stateful, but my concern here is that someone can 
> spoof some packets from port 25 and slip under my argus 
> radar.  Sure, it would probably be caught elsewhere on my 
> other radars ;), but I'm a big fan of defense in depth, so 
> I'd like to avoid missing out on stuff if at all possible.  
> Have I made any sense?  Is argus at all stateful? Is there no 
> other solution other than putting all 4 flow statements in 
> there to filter out a connection?  Is there a command line 
> switch that could change this behavior that I'm missing?  I 
> promise, I'll stop the emails after this one ;)



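As an added example, not from this thread and not code from the argus/ragator project: a small Python triage of ra-style records that does, in miniature, what Carter describes ragator doing with the '?' direction indicator. Records are walked in file order; a record whose direction contains '?' is matched against an earlier record with a known direction on the same 5-tuple (or its reverse) and inherits that orientation, which is the "parent flow loaded before the FIN record" case. A '?' FIN with no parent is reported as an orphan, the case Carter flags as a possible FIN scan. The regex assumes the column layout of the two records quoted above (date, time, proto, src.port, direction, dst.port, state); real ra output differs by version and options, so the pattern is an assumption to adjust. The first sample line (an established a.1345 -> b.25 flow) is constructed to give one of the quoted FINs a parent.

```python
"""Triage ra-style flow records whose direction indicator is unreliable ('?').

Added example; not part of argus or ragator.  The record layout matched by
RECORD_RE is an assumption taken from the two lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

RECORD_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+"
    r"(?P<dir>[<>?-]+)\s+"          # e.g. '->', '<->', '?>', '<?'
    r"(?P<dst>\S+)\.(?P<dport>\d+)\s+"
    r"(?P<state>\S+)\s*$"
)

# Constructed sample: line 1 is an invented parent flow, lines 2-3 are the
# shape of the two '?>' FIN records quoted in the thread.
SAMPLE = """\
13 Nov 01 11:20:05    tcp   a.1345   ->   b.25 EST
13 Nov 01 11:37:22    tcp   b.25   ?>   a.1345 FIN
13 Nov 01 13:08:22    tcp   b.25   ?>   a.3665 FIN
"""


@dataclass
class Record:
    ts: str
    proto: str
    src: str
    sport: int
    direction: str
    dst: str
    dport: int
    state: str

    @property
    def unreliable(self) -> bool:
        # Carter: a '?' means the src/dst assignment may not be reliable.
        return "?" in self.direction

    def key(self) -> Tuple[str, str, int, str, int]:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> Tuple[str, str, int, str, int]:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def parse_records(text: str) -> List[Record]:
    """Parse one record per non-blank line; raise on a line the regex rejects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record layout: {line!r}")
        records.append(Record(m["ts"], m["proto"], m["src"], int(m["sport"]),
                              m["dir"], m["dst"], int(m["dport"]), m["state"]))
    return records


def triage(records: List[Record]) -> List[Tuple[Record, str]]:
    """Walk records in load order, as ragator would, and give each a verdict.

    'reliable'                 direction known; remembered as a parent flow
    'merged:<src>.<p> -> <dst>.<p>'  '?' record matched a parent, inherits it
    'orphan-fin'               '?' FIN with no parent: possible FIN scan
    'orphan'                   any other '?' record with no parent
    """
    known: Dict[Tuple[str, str, int, str, int], Tuple[str, int, str, int]] = {}
    verdicts = []
    for r in records:
        if not r.unreliable:
            known[r.key()] = (r.src, r.sport, r.dst, r.dport)
            verdicts.append((r, "reliable"))
            continue
        parent = known.get(r.key()) or known.get(r.reverse_key())
        if parent is not None:
            verdicts.append((r, "merged:%s.%d -> %s.%d" % parent))
        elif r.state.upper() == "FIN":
            verdicts.append((r, "orphan-fin"))
        else:
            verdicts.append((r, "orphan"))
    return verdicts


if __name__ == "__main__":
    for rec, verdict in triage(parse_records(SAMPLE)):
        print(f"{rec.ts}  {rec.proto} {rec.src}.{rec.sport} {rec.direction} "
              f"{rec.dst}.{rec.dport} {rec.state:4}  {verdict}")
```

Load order matters here exactly as Carter says it does for ragator: the parent flow has to be seen before the stray FIN, so feed records sorted by start time. The orphan verdict is the one worth alerting on; it is the same evidence, a FIN to a port with no prior flow, that Carter says may indicate a scan.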