Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)
Chris Newton
newton at unb.ca
Sun Oct 14 20:59:53 EDT 2001
Hey all,
Unless I am doing something wrong here, I can't get Argus to report on some
forms of traffic.
Here is the setup. Argus 2.0.3 monitoring a link. A university on one
side, the internet on the other. From a machine on the internet, I scan using
nmap, the IP range of a very, very quiet network (nothing else really going
on on it)... (I have argus set up to report on flows every 30 seconds)
Argus was started with:
/usr/local/bin/argus -P 561 -i eth0 -F /usr/local/conf/argus.conf -S 30 -M 30
nmap -sT 131.202.97.0-255 (tcp connect scan), returns something like:
[root at phantom bin]# ./ra -S localhost -n |grep 131.202.97
ra: Trying localhost.localdomain port 561 Expecting Argus records
ra: connected
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.250
URN
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.251
URN
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.252
URN
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.253
URN
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.254
URN
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.255
ECO
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.252
URN
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.254
URN
14 Oct 01 20:33:38 tcp 142.166.2.75.1257 -> 131.202.97.0.527
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1258 -> 131.202.97.0.516
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1259 -> 131.202.97.0.22273
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1260 -> 131.202.97.0.1407
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1261 -> 131.202.97.0.2602
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1262 -> 131.202.97.0.31
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1263 -> 131.202.97.0.736
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1264 -> 131.202.97.0.3006
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1265 -> 131.202.97.0.1365
TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1266 -> 131.202.97.0.439
TIM
I clipped a bunch out of there... but, you get the idea. What you are seeing
is a bunch of TCP from the attacker, hitting targets on net 131.202.97.0. You
also see a bunch of ICMP, unreachables for hosts that don't exist. Pretty
normal.
Now...
nmap -sS (tcp syn scanning works as expected too...)
but
nmap -sF (FIN scanning) returns ONLY ICMP errors... never does it print out
any TCP errors.
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.20
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.22
ECO
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.23
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.25
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.27
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.28
ECO
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.29
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.30
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.31
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.32
ECO
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.33
ECO
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.34
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.37
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.38
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.39
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.40
URN
14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.41
URN
nmap pings the hosts to make sure they are up, before scanning... so that's
what you are seeing... however, you never see any TCP component of this.
On the screen where I am doing the scan from, I get:
[root at socrates ~]$ nmap -sX 131.202.97.0-255
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
All 1548 scanned ports on (131.202.97.0) are: closed
All 1548 scanned ports on (131.202.97.1) are: closed
All 1548 scanned ports on (131.202.97.2) are: closed
All 1548 scanned ports on (131.202.97.3) are: closed
All 1548 scanned ports on (131.202.97.4) are: closed
All 1548 scanned ports on (131.202.97.5) are: closed
All 1548 scanned ports on emills.biology.unb.ca (131.202.97.6) are: closed
All 1548 scanned ports on (131.202.97.7) are: closed
so, I know it is actually scanning...
When I tell nmap to not ping first,
nmap -P0 -sF 131.202.97.0-255
I see _nothing_ at all. Here is what I saw on both screens, with the command
above:
ra screen:
[root at phantom bin]# ./ra -S localhost -n |grep 131.202.97
ra: Trying localhost.localdomain port 561 Expecting Argus records
ra: connected
14 Oct 01 20:48:24 tcp 131.202.97.135.3888 -> 64.4.12.164.1863
EST
14 Oct 01 20:48:47 tcp 131.202.97.135.3837 -> 64.4.13.60.1863
EST
14 Oct 01 20:48:54 tcp 131.202.97.135.3888 -> 64.4.12.164.1863
EST
14 Oct 01 20:49:12 udp 65.64.154.50.137 -> 131.202.97.218.137
INT
14 Oct 01 20:49:25 tcp 131.202.97.135.3837 -> 64.4.13.60.1863
EST
14 Oct 01 20:49:25 tcp 131.202.97.135.3923 -> 64.4.12.171.1863
EST
14 Oct 01 20:49:27 tcp 131.202.97.135.3888 -> 64.4.12.164.1863
EST
that traffic isn't from my attacker... it's just other normal traffic.
nmap screen:
[root at socrates ~]$ nmap -P0 -sF 131.202.97.0-255
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
All 1548 scanned ports on (131.202.97.0) are: closed
All 1548 scanned ports on (131.202.97.1) are: closed
All 1548 scanned ports on (131.202.97.2) are: closed
All 1548 scanned ports on (131.202.97.3) are: closed
All 1548 scanned ports on (131.202.97.4) are: closed
Scans that I can't see are:
FIN, Xmas, Null, Ack, Window scan (W)
in nmap speak (-sF, -sX, -sN, -sA, -sW)
Scans that I could see include:
RPC, TCP Connect, Syn, Ping, UDP
in nmap speak (-sR, -sT, -sS, -sP, -sU)
Any ideas?
Chris
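The pattern Chris describes, modelled as an added example (this is not Argus code and not from the post): a flow table that only opens a TCP flow when it sees a SYN silently drops every FIN, Xmas, Null and ACK probe, so a monitor that wants to see them has to look at per-packet flags as well. The sample packets are constructed; the classification is my own and is an assumption about how the missing records arise, not a statement about Argus internals.

```python
# Constructed sample packets (not from the post): (src, sport, dst, dport, tcp_flags).
# Flags use tcpdump letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST; "" is a null packet.
SAMPLE_PACKETS = [
    ("142.166.2.75", 1257, "131.202.97.0", 527, "S"),     # SYN/connect scan probe
    ("131.202.97.0", 527, "142.166.2.75", 1257, "RA"),    # RST+ACK from the closed port
    ("142.166.2.75", 1300, "131.202.97.0", 22, "F"),      # FIN probe (-sF)
    ("142.166.2.75", 1301, "131.202.97.0", 25, "FPU"),    # Xmas probe (-sX)
    ("142.166.2.75", 1302, "131.202.97.0", 80, ""),       # Null probe (-sN)
    ("142.166.2.75", 1303, "131.202.97.0", 443, "A"),     # ACK/Window probe (-sA/-sW)
    ("131.202.97.135", 3888, "64.4.12.164", 1863, "A"),   # ordinary mid-stream traffic
]


def invalid_flags(flags):
    """True for flag combinations that never occur in a real TCP conversation:
    no flags at all, or FIN/PSH/URG set without any of SYN, ACK or RST."""
    f = set(flags)
    if not f:
        return True
    return not (f & {"S", "A", "R"})


def classify(packets):
    """Key flows on the bidirectional 4-tuple and start a flow only on SYN
    (the assumed behaviour behind the missing records). Every packet that
    matches no flow is then sorted by its flags: impossible combinations are
    reported as stateless probes; bare ACKs go to a separate bucket because a
    flow table alone cannot tell an ACK scan from a stream whose SYN happened
    before the monitor started."""
    flows = set()
    report = {"flow_packets": 0, "stateless_probe": [], "orphan_ack": []}
    for src, sport, dst, dport, flags in packets:
        key = frozenset([(src, sport), (dst, dport)])  # same key in both directions
        if "S" in flags:
            flows.add(key)
        if key in flows:
            report["flow_packets"] += 1
        elif invalid_flags(flags):
            report["stateless_probe"].append((src, dst, dport, flags or "none"))
        else:
            report["orphan_ack"].append((src, dst, dport, flags))
    return report


if __name__ == "__main__":
    for bucket, value in classify(SAMPLE_PACKETS).items():
        print(bucket, value)
```

With the sample above, only the SYN probe and its RST reply land in a flow; the three FIN/Xmas/Null probes surface as stateless probes, and the ACK probe is indistinguishable from the mid-stream MSN traffic without further context.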