Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)
Carter Bullard
carter at qosient.com
Sun Oct 14 22:58:11 EDT 2001
Hey Chris,
The best thing to do is to capture all the packets
using tcpdump then run them through argus to see if there
really is a problem. If so, send the packet file, and
I'll debug it.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Chris Newton
> Sent: Sunday, October 14, 2001 9:00 PM
> To: argus-info at lists.andrew.cmu.edu; carter
> Subject: Bug in Argus 2.0.3??, and possibly others (not
> reporting on some traffic)
>
>
> Hey all,
>
> Unless I am doing something wrong here, I can't get Argus to report on some
> forms of traffic.
>
> Here is the setup. Argus 2.0.3 monitoring a link. A university on one
> side, the internet on the other. From a machine on the internet, I scan using
> nmap, the IP range of a very, very quiet network (nothing else really going
> on on it)... (I have argus set up to report on flows every 30 seconds)
>
> Argus was started with:
>
> /usr/local/bin/argus -P 561 -i eth0 -F /usr/local/conf/argus.conf -S 30 -M 30
>
>
> nmap -sT 131.202.97.0-255 (tcp connect scan), returns something like:
>
> [root at phantom bin]# ./ra -S localhost -n |grep 131.202.97
> ra: Trying localhost.localdomain port 561 Expecting Argus records
> ra: connected
>
> 14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.250 URN
> 14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.251 URN
> 14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.252 URN
> 14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.253 URN
> 14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.254 URN
> 14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.255 ECO
> 14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.252 URN
> 14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.254 URN
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1257 -> 131.202.97.0.527 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1258 -> 131.202.97.0.516 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1259 -> 131.202.97.0.22273 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1260 -> 131.202.97.0.1407 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1261 -> 131.202.97.0.2602 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1262 -> 131.202.97.0.31 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1263 -> 131.202.97.0.736 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1264 -> 131.202.97.0.3006 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1265 -> 131.202.97.0.1365 TIM
> 14 Oct 01 20:33:38 tcp 142.166.2.75.1266 -> 131.202.97.0.439 TIM
>
> I clipped a bunch out of there... but, you get the idea.
> What you are seeing is a bunch of TCP from the attacker,
> hitting targets on net 131.202.97.0. You also see a bunch of
> ICMP, unreachables for hosts that don't exist. Pretty normal.
>
>
> Now...
>
> nmap -sS (tcp syn scanning works as expected too...)
>
> but
>
> nmap -sF (FIN scanning) returns ONLY ICMP errors... never
> does it print out any TCP errors.
>
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.20 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.22 ECO
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.23 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.25 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.27 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.28 ECO
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.29 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.30 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.31 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.32 ECO
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.33 ECO
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.34 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.37 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.38 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.39 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.40 URN
> 14 Oct 01 20:46:07 icmp 142.166.2.75 -> 131.202.97.41 URN
>
> nmap pings the hosts to make sure they are up, before
> scanning... so that's what you are seeing.. however, you never
> see any TCP component of this.
>
> On the screen where I am doing the scan from, I get:
>
> [root at socrates ~]$ nmap -sX 131.202.97.0-255
>
> Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> All 1548 scanned ports on (131.202.97.0) are: closed
> All 1548 scanned ports on (131.202.97.1) are: closed
> All 1548 scanned ports on (131.202.97.2) are: closed
> All 1548 scanned ports on (131.202.97.3) are: closed
> All 1548 scanned ports on (131.202.97.4) are: closed
> All 1548 scanned ports on (131.202.97.5) are: closed
> All 1548 scanned ports on emills.biology.unb.ca (131.202.97.6) are: closed
> All 1548 scanned ports on (131.202.97.7) are: closed
>
> so, I know it is actually scanning...
>
> When I tell nmap to not ping first,
>
> nmap -P0 -sF 131.202.97.0-255
>
> I see _nothing_ at all. Here is what I saw on both screens, with the command
> above:
>
> ra screen:
> [root at phantom bin]# ./ra -S localhost -n |grep 131.202.97
> ra: Trying localhost.localdomain port 561 Expecting Argus records
> ra: connected
> 14 Oct 01 20:48:24 tcp 131.202.97.135.3888 -> 64.4.12.164.1863 EST
> 14 Oct 01 20:48:47 tcp 131.202.97.135.3837 -> 64.4.13.60.1863 EST
> 14 Oct 01 20:48:54 tcp 131.202.97.135.3888 -> 64.4.12.164.1863 EST
> 14 Oct 01 20:49:12 udp 65.64.154.50.137 -> 131.202.97.218.137 INT
> 14 Oct 01 20:49:25 tcp 131.202.97.135.3837 -> 64.4.13.60.1863 EST
> 14 Oct 01 20:49:25 tcp 131.202.97.135.3923 -> 64.4.12.171.1863 EST
> 14 Oct 01 20:49:27 tcp 131.202.97.135.3888 -> 64.4.12.164.1863 EST
>
>
> that traffic isn't from my attacker .. it's just other normal traffic.
>
> nmap screen:
> [root at socrates ~]$ nmap -P0 -sF 131.202.97.0-255
>
> Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> All 1548 scanned ports on (131.202.97.0) are: closed
> All 1548 scanned ports on (131.202.97.1) are: closed
> All 1548 scanned ports on (131.202.97.2) are: closed
> All 1548 scanned ports on (131.202.97.3) are: closed
> All 1548 scanned ports on (131.202.97.4) are: closed
>
>
> Scans that I can't see are:
> FIN, Xmas, Null, Ack, Window scan (W)
> nmap speak (-sF, -sX, -sN, -sA, -sW)
>
> Scans that I could see include:
>
> RPC, TCP Connect, Syn, Ping, UDP
> in nmap speak (-sR, -sT, -sS, -sP, -sU)
>
>
> Any ideas?
>
> Chris
>
>
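Carter's advice above is to capture the packets with tcpdump and compare them with what argus reports. The following Python script is an added example, not code from this thread or from the Argus project: it parses ra records in the one-line format shown in Chris's mail, parses packet lines in an assumed classic tcpdump style ("src.port > dst.port: flags"), and lists the TCP (source, destination, port) tuples that appear in the capture but have no tcp record in the ra output. It also reports per-source fan-out (distinct destination/port pairs) and which captured segments carry no SYN, the shape of the FIN/Xmas/Null scans Chris could not see. The sample records, the tcpdump line format and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed ra output lines in the format shown in the thread (one record per line).
RA_SAMPLE = """\
14 Oct 01 20:33:38 icmp 142.166.2.75 -> 131.202.97.250 URN
14 Oct 01 20:33:38 tcp 142.166.2.75.1257 -> 131.202.97.0.527 TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1258 -> 131.202.97.0.516 TIM
14 Oct 01 20:33:38 tcp 142.166.2.75.1259 -> 131.202.97.0.22273 TIM
14 Oct 01 20:48:24 tcp 131.202.97.135.3888 -> 64.4.12.164.1863 EST
14 Oct 01 20:49:12 udp 65.64.154.50.137 -> 131.202.97.218.137 INT
"""

# Constructed packet-capture lines; the "src.port > dst.port: flags" layout is an
# assumed classic tcpdump style, not output taken from the thread.
PCAP_SAMPLE = """\
20:33:38.100 142.166.2.75.1257 > 131.202.97.0.527: S 0:0(0) win 1024
20:33:38.101 142.166.2.75.1258 > 131.202.97.0.516: S 0:0(0) win 1024
20:33:38.102 142.166.2.75.1259 > 131.202.97.0.22273: S 0:0(0) win 1024
20:46:07.200 142.166.2.75.1300 > 131.202.97.20.22: F 0:0(0) win 1024
20:46:07.201 142.166.2.75.1301 > 131.202.97.20.80: F 0:0(0) win 1024
20:46:07.202 142.166.2.75.1302 > 131.202.97.21.22: FPU 0:0(0) win 1024
"""

# "14 Oct 01 20:33:38 tcp 142.166.2.75.1257 -> 131.202.97.0.527 TIM"
RA_RE = re.compile(r"^(\d+ \w+ \d+ \d\d:\d\d:\d\d)\s+(\w+)\s+(\S+)\s+->\s+(\S+)\s+(\w+)$")
# "20:33:38.100 142.166.2.75.1257 > 131.202.97.0.527: S ..."
PCAP_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")


def split_addr(addr):
    """'1.2.3.4.80' -> ('1.2.3.4', 80); an icmp address '1.2.3.4' -> ('1.2.3.4', None)."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None


def parse_ra(text):
    """Turn ra records into dicts; lines that do not match the record layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = RA_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, dst, state = m.groups()
        saddr, sport = split_addr(src)
        daddr, dport = split_addr(dst)
        flows.append({"ts": ts, "proto": proto, "saddr": saddr, "sport": sport,
                      "daddr": daddr, "dport": dport, "state": state})
    return flows


def parse_tcp_packets(text):
    """Turn captured TCP packet lines into dicts with addresses, ports and the flag field."""
    pkts = []
    for line in text.splitlines():
        m = PCAP_RE.match(line.strip())
        if not m:
            continue
        saddr, sport, daddr, dport, flags = m.groups()
        pkts.append({"saddr": saddr, "sport": int(sport), "daddr": daddr,
                     "dport": int(dport), "flags": flags})
    return pkts


def tcp_flows_missing_from_ra(pkts, flows):
    """(saddr, daddr, dport) tuples present in the capture but with no tcp record in ra."""
    reported = {(f["saddr"], f["daddr"], f["dport"]) for f in flows if f["proto"] == "tcp"}
    captured = {(p["saddr"], p["daddr"], p["dport"]) for p in pkts}
    return sorted(captured - reported)


def fanout_by_source(flows, proto="tcp"):
    """Distinct (daddr, dport) targets per source; a scan shows up as a large count."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == proto:
            targets[f["saddr"]].add((f["daddr"], f["dport"]))
    return {src: len(t) for src, t in targets.items()}


def packets_without_syn(pkts):
    """Segments whose flag field has no 'S': traffic that never opened a connection."""
    return [p for p in pkts if "S" not in p["flags"]]


if __name__ == "__main__":
    flows = parse_ra(RA_SAMPLE)
    pkts = parse_tcp_packets(PCAP_SAMPLE)
    print("fan-out per source:", fanout_by_source(flows))
    print("captured segments without SYN:", len(packets_without_syn(pkts)))
    for saddr, daddr, dport in tcp_flows_missing_from_ra(pkts, flows):
        print(f"captured but not in ra: {saddr} -> {daddr}:{dport}")
```

In a real check the two inputs would be the live `ra` output and a tcpdump of the same interface over the same window, as Carter suggests; any tuple the script prints as "captured but not in ra" is a concrete packet set to hand over for debugging, and the no-SYN count tells you whether the gap is specific to segments that never opened a connection.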