Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)

Chris Newton newton at unb.ca
Sun Oct 14 23:28:24 EDT 2001


Ok, I'm way confused...  I get out what I would expect.  How could that 
happen?  I tracerouted the connection from the remote one to the campus network; 
it certainly does go past where argus is monitoring.

  I even ran this with the same command-line options that I have the server 
running with:

/usr/local/argus-2.0.3/bin/argus_linux -S 30 -M 30 -F /usr/local/conf/argus.conf -r test23 -w - | /usr/local/argus-2.0.3/bin/ra | more



15 Oct 01 00:15:52    man version=2.0     probeid=phantom.csd.unb           STA
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.929          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.811          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.410          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.1016         RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.260          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.7010         RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.775          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.316          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.230          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.150          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.1472         RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.428          RST
14 Oct 01 23:51:02    tcp socrates.whitel.57102         ?>     131.202.160.2.575          RST


>===== Original Message From <carter at qosient.com> =====
>So what happens when you:
>
>   argus -r packet.file -w - | ra
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York  10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax   +1 212 588-9134
>http://qosient.com
>
>> -----Original Message-----
>> From: owner-argus-info at lists.andrew.cmu.edu
>> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
>> Chris Newton
>> Sent: Sunday, October 14, 2001 11:02 PM
>> To: argus; Peter Van Epp
>> Subject: RE: Bug in Argus 2.0.3??, and possibly others (not
>> reporting on some traffic)
>>
>>
>> Here are an Xmas scan and a FIN scan.  Obviously, text isn't the best manner
>> to relay the tcpdump files, but I thought I'd post this for now.
>>
>>
>>   Here is what tcpdump saw, on the attacking machine, when doing a -sF (FIN
>> scan):
>>
>> [root at socrates ~]$ /usr/sbin/tcpdump -r test |more
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.2016: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1511: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.cmip-agent: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.349: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.omirr: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.414: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1526: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1533: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.285: F 0:0(0) win 2048
>> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.594: F 0:0(0) win 2048
>> 23:45:01.092961 eth0 < 131.202.160.2.2016 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.092961 eth0 < 131.202.160.2.1511 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.092961 eth0 < 131.202.160.2.cmip-agent > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.092961 eth0 < 131.202.160.2.349 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.092961 eth0 < 131.202.160.2.omirr > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.102961 eth0 < 131.202.160.2.414 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.102961 eth0 < 131.202.160.2.1526 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.102961 eth0 < 131.202.160.2.1533 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.102961 eth0 < 131.202.160.2.285 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.102961 eth0 < 131.202.160.2.594 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.5300: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.phonebook: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.711: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.795: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.936: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.886: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.165: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.402: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.181: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1401: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.1385: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.570: F 0:0(0) win 2048
>> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.183: F 0:0(0) win 2048
>> 23:45:01.112961 eth0 < 131.202.160.2.5300 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.122961 eth0 < 131.202.160.2.phonebook > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.122961 eth0 < 131.202.160.2.711 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.122961 eth0 < 131.202.160.2.795 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.122961 eth0 < 131.202.160.2.936 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.122961 eth0 < 131.202.160.2.886 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.132961 eth0 < 131.202.160.2.165 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.132961 eth0 < 131.202.160.2.402 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.132961 eth0 < 131.202.160.2.181 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.132961 eth0 < 131.202.160.2.1401 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.132961 eth0 < 131.202.160.2.1385 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.132961 eth0 < 131.202.160.2.570 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.132961 eth0 < 131.202.160.2.183 > socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.987: F 0:0(0) win 2048
>> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.8009: F 0:0(0) win 2048
>> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.981: F 0:0(0) win 2048
>> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.ldaps: F 0:0(0) win 2048
>> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.305: F 0:0(0) win 2048
>> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.856: F 0:0(0) win 2048
>> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 > 131.202.160.2.294: F 0:0(0) win 2048
>> .... clipped
>>
>>
>> Here is stuff from a -sX (Christmas tree scan, all flags):
>>
>> [root at socrates ~]$ /usr/sbin/tcpdump -r test | more
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.daytime: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1453: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.198: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.642: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.6142: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.at-rtmp: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.147: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1487: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1446: FP 0:0(0) win 3072 urg 0
>> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.745: FP 0:0(0) win 3072 urg 0
>> 23:50:59.812961 eth0 < 131.202.160.2.daytime > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.822961 eth0 < 131.202.160.2.1453 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.822961 eth0 < 131.202.160.2.198 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.822961 eth0 < 131.202.160.2.642 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.822961 eth0 < 131.202.160.2.6142 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.822961 eth0 < 131.202.160.2.at-rtmp > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.822961 eth0 < 131.202.160.2.147 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.832961 eth0 < 131.202.160.2.1487 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.832961 eth0 < 131.202.160.2.1446 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.832961 eth0 < 131.202.160.2.745 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.386: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.598: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.https: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.451: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.364: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.338: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.490: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.447: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.221: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.907: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.299: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.mobileip-agent: FP 0:0(0) win 3072 urg 0
>> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.255: FP 0:0(0) win 3072 urg 0
>> 23:50:59.842961 eth0 < 131.202.160.2.386 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.842961 eth0 < 131.202.160.2.598 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.852961 eth0 < 131.202.160.2.https > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.852961 eth0 < 131.202.160.2.451 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.852961 eth0 < 131.202.160.2.364 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.852961 eth0 < 131.202.160.2.338 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.852961 eth0 < 131.202.160.2.490 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.852961 eth0 < 131.202.160.2.447 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.852961 eth0 < 131.202.160.2.221 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.862961 eth0 < 131.202.160.2.907 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.862961 eth0 < 131.202.160.2.299 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.862961 eth0 < 131.202.160.2.mobileip-agent > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.862961 eth0 < 131.202.160.2.255 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>>
>>
>>
>>
>> >===== Original Message From Peter Van Epp <vanepp at sfu.ca> ===== <snip>
>> >>
>> >> Scans that I could see include:
>> >>
>> >> RPC, TCP Connect, Syn, Ping, UDP
>> >> in nmap speak (-sR, -sT, -sS, -sP, -sU)
>> >>
>> >>
>> >>   Any ideas?
>> >>
>> >> Chris
>> >>
>> >>
>> >	A tcpdump of the nmap scan to see what packets argus is seeing would
>> >be my first suggestion (that would also let Carter reproduce the
>> >problem). If I get time I'll try and reproduce this.
>> >
>> >Peter Van Epp / Operations and Technical Support
>> >Simon Fraser University, Burnaby, B.C. Canada
>>
>>
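
The following is a worked example added here by the editor of the detection this thread is asking argus to perform; it is not code from Argus, from ra, or from anyone in the thread. It reads the legacy tcpdump text format pasted above and flags the two probe types under discussion: FIN probes (F with no ACK, nmap -sF) and Xmas probes (F, P and URG, nmap -sX), plus NULL probes for completeness. The property it relies on is the one visible in the captures: a FIN from a real connection teardown carries ACK, while a scan probe carries neither ACK nor SYN and is answered only by an RST. The capture lines embedded in it are constructed, modelled on the thread's output but with placeholder hosts (scanner.example, client.example, 10.0.0.2), and the min_ports threshold is an assumption.

```python
"""Spot FIN/Xmas/NULL-style TCP probes in legacy tcpdump text output.

Added example, not Argus/ra code.  The capture below is constructed to
mirror the thread's output, with placeholder hosts.
"""
import re
from collections import defaultdict

# Legacy tcpdump (3.x) text format, as pasted in the thread:
#   "23:45:01.082961 eth0 > src.host.port > dst.host.port: F 0:0(0) win 2048"
# Flag letters are S, F, P, R, or "." for none.  ACK shows up as "ack N" and
# URG as a trailing "urg N" rather than as letters, so both are recovered
# from the remainder of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+\S+\s+[<>]\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)

# Constructed sample: three FIN probes with RST answers, three Xmas probes,
# and one legitimate SSH session (SYN, ACK, FIN+ACK) that must not be flagged.
SAMPLE_CAPTURE = """\
23:45:01.082961 eth0 > scanner.example.43634 > 10.0.0.2.2016: F 0:0(0) win 2048
23:45:01.082961 eth0 > scanner.example.43634 > 10.0.0.2.1511: F 0:0(0) win 2048
23:45:01.082961 eth0 > scanner.example.43634 > 10.0.0.2.349: F 0:0(0) win 2048
23:45:01.092961 eth0 < 10.0.0.2.2016 > scanner.example.43634: R 0:0(0) ack 1 win 2048
23:45:01.092961 eth0 < 10.0.0.2.1511 > scanner.example.43634: R 0:0(0) ack 1 win 2048
23:45:01.092961 eth0 < 10.0.0.2.349 > scanner.example.43634: R 0:0(0) ack 1 win 2048
23:50:59.802961 eth0 > scanner.example.57102 > 10.0.0.2.daytime: FP 0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > scanner.example.57102 > 10.0.0.2.1453: FP 0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > scanner.example.57102 > 10.0.0.2.198: FP 0:0(0) win 3072 urg 0
23:50:59.812961 eth0 < 10.0.0.2.daytime > scanner.example.57102: R 0:0(0) ack 1 win 3072
23:51:10.000000 eth0 > client.example.40000 > 10.0.0.2.ssh: S 1000:1000(0) win 5840
23:51:10.010000 eth0 < 10.0.0.2.ssh > client.example.40000: S 2000:2000(0) ack 1001 win 5792
23:51:10.010000 eth0 > client.example.40000 > 10.0.0.2.ssh: . 1:1(0) ack 1 win 5840
23:51:12.000000 eth0 > client.example.40000 > 10.0.0.2.ssh: F 1:1(0) ack 1 win 5840
"""


def split_endpoint(endpoint):
    """'host.name.1234' -> ('host.name', '1234'); the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return (src_host, src_port, dst_host, dst_port, flagset), or None if not TCP."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    flags = set(m.group("flags")) - {"."}
    rest = m.group("rest")
    if re.search(r"\back\b", rest):
        flags.add("A")
    if re.search(r"\burg\b", rest):
        flags.add("U")
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    return src_host, src_port, dst_host, dst_port, flags


def classify_probe(flags):
    """Name a connection-less stimulus by its flag set (nmap -sN / -sF / -sX).

    Anything carrying SYN, ACK or RST belongs to a handshake, an established
    session or a reply, so it is never a probe.
    """
    if flags & {"S", "A", "R"}:
        return None
    if not flags:
        return "NULL"
    if flags == {"F"}:
        return "FIN"
    if {"F", "P", "U"} <= flags:
        return "XMAS"
    return "ODD"


def find_scans(lines, min_ports=3):
    """Group probes by (source, destination) and report pairs hitting many ports.

    min_ports is an assumed threshold; returns sorted (src, dst, kind, port_count).
    """
    probes = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src_host, _, dst_host, dst_port, flags = parsed
        kind = classify_probe(flags)
        if kind:
            probes[(src_host, dst_host)][kind].add(dst_port)
    report = []
    for (src, dst), kinds in sorted(probes.items()):
        for kind, ports in sorted(kinds.items()):
            if len(ports) >= min_ports:
                report.append((src, dst, kind, len(ports)))
    return report


if __name__ == "__main__":
    for src, dst, kind, count in find_scans(SAMPLE_CAPTURE.splitlines()):
        print(f"{kind} scan: {src} -> {dst}, {count} ports probed")
```

The parser only understands the old tcpdump line format used in this thread; newer tcpdump prints flags as `[F.]`, `[FPU]` and would need a different regex. The legitimate SSH session in the sample is there deliberately: its closing FIN carries an ACK, so it is never counted, which is exactly the distinction a flow monitor needs in order to report a FIN scan without flagging every normal connection close.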


