Bug in Argus 2.0.3??, and possibly others (not reporting on some traffic)
Chris Newton
newton at unb.ca
Mon Oct 15 07:57:19 EDT 2001
I hear ya there. Though, we only have one connection to the internet, and the
other scans do show up. Later today I will try and get some information for
you. What you need me to do is run a tcpdump on the same machine as Argus,
right?
Chris
>===== Original Message From <carter at qosient.com> =====
>Well, there could still be a bug. The only way to catch
>it, is to be capturing packets while argus is producing
>the unexpected results, and then demonstrate that the
>captured packet file contains the actual data expected.
>This is the only way that we can be sure that the argus
>is mishandling packets, rather than the network pushing
>the packets somewhere unexpected.
>
>Carter
>
>Carter Bullard
>QoSient, LLC
>300 E. 56th Street, Suite 18K
>New York, New York 10022
>
>carter at qosient.com
>Phone +1 212 588-9133
>Fax +1 212 588-9134
>http://qosient.com
>
>> -----Original Message-----
>> From: Chris Newton [mailto:newton at unb.ca]
>> Sent: Sunday, October 14, 2001 11:28 PM
>> To: carter at qosient.com; argus; Peter Van Epp
>> Subject: RE: Bug in Argus 2.0.3??, and possibly others (not
>> reporting on some traffic)
>>
>>
>> Ok, I'm way confused... I get out that I would expect. How
>> could that
>> happen? I tracerouted the connection from the remote one to
>> campus network,
>> it does certainly go past where argus is monitoring.
>>
>> I even ran this with the same command line options that I
>> have the server
>> running as:
>>
>> /usr/local/argus-2.0.3/bin/argus_linux -S 30 -M 30 -F
>> /usr/local/conf/argus.conf -r test23 -w - |
>> /usr/local/argus-2.0.3/bin/ra
>> |more
>>
>>
>>
>> 15 Oct 01 00:15:52 man version=2.0 probeid=phantom.csd.unb
>> STA
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.929 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.811 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.410 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.1016 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.260 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.7010 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.775 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.316 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.230 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.150 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.1472 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.428 RST
>> 14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?>
>> 131.202.160.2.575 RST
>>
>>
>> >===== Original Message From <carter at qosient.com> =====
>> >So what happens when you:
>> >
>> > argus -r packet.file -w - | ra
>> >
>> >Carter
>> >
>> >Carter Bullard
>> >QoSient, LLC
>> >300 E. 56th Street, Suite 18K
>> >New York, New York 10022
>> >
>> >carter at qosient.com
>> >Phone +1 212 588-9133
>> >Fax +1 212 588-9134
>> >http://qosient.com
>> >
>> >> -----Original Message-----
>> >> From: owner-argus-info at lists.andrew.cmu.edu
>> >> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Chris
>> >> Newton
>> >> Sent: Sunday, October 14, 2001 11:02 PM
>> >> To: argus; Peter Van Epp
>> >> Subject: RE: Bug in Argus 2.0.3??, and possibly others
>> (not reporting
>> >> on some traffic)
>> >>
>> >>
>> >> Here are a Xmas scan, and a FIN scan. Obviously, text
>> isn't the best
>> >> manner to relay the tcpdump files, but I thought I'd post this for
>> >> now.
>> >>
>> >>
>> >> Here is what tcpdump saw, on the attacking machine, when doing a
>> >> -sF (FIN
>> >> scan):
>> >>
>> >> [root at socrates ~]$ /usr/sbin/tcpdump -r test |more 23:45:01.082961
>> >> eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.2016: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.1511: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.cmip-agent: F 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.349: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.omirr: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.414: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.1526: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.1533: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.285: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.082961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.594: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.092961 eth0 < 131.202.160.2.2016 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.092961 eth0 < 131.202.160.2.1511 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.092961 eth0 < 131.202.160.2.cmip-agent >
>> >> socrates.whitelight.ca.43634: R 0:0(0) ack 1 win 2048
>> 23:45:01.092961
>> >> eth0 < 131.202.160.2.349 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.092961 eth0 < 131.202.160.2.omirr >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.102961 eth0 < 131.202.160.2.414 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.102961 eth0 < 131.202.160.2.1526 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.102961 eth0 < 131.202.160.2.1533 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.102961 eth0 < 131.202.160.2.285 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.102961 eth0 < 131.202.160.2.594 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.5300: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.phonebook:
>> >> F 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.711: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.795: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.936: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.886: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.165: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.402: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.181: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.1401: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.1385: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.570: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.102961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.183: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.112961 eth0 < 131.202.160.2.5300 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.122961 eth0 < 131.202.160.2.phonebook >
>> >> socrates.whitelight.ca.43634:
>> >> R 0:0(0) ack 1 win 2048
>> >> 23:45:01.122961 eth0 < 131.202.160.2.711 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.122961 eth0 < 131.202.160.2.795 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.122961 eth0 < 131.202.160.2.936 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.122961 eth0 < 131.202.160.2.886 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.132961 eth0 < 131.202.160.2.165 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.132961 eth0 < 131.202.160.2.402 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.132961 eth0 < 131.202.160.2.181 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.132961 eth0 < 131.202.160.2.1401 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.132961 eth0 < 131.202.160.2.1385 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.132961 eth0 < 131.202.160.2.570 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.132961 eth0 < 131.202.160.2.183 >
>> >> socrates.whitelight.ca.43634: R
>> >> 0:0(0) ack 1 win 2048
>> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.987: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.8009: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.981: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.ldaps: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.132961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.305: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.856: F
>> >> 0:0(0) win 2048
>> >> 23:45:01.142961 eth0 > socrates.whitelight.ca.43634 >
>> >> 131.202.160.2.294: F
>> >> 0:0(0) win 2048
>> >> .... clipped
>> >>
>> >>
>> >> here is stuff from a -sX (Christmas tree scan, all flags):
>> >>
>> >> [root at socrates ~]$ /usr/sbin/tcpdump -r test | more
>> 23:50:59.802961
>> >> eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.daytime:
>> >> FP 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.1453: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.198: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.642: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.6142: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.at-rtmp:
>> >> FP 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.147: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.1487: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.1446: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.802961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.745: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.812961 eth0 < 131.202.160.2.daytime >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.822961 eth0 < 131.202.160.2.1453 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.822961 eth0 < 131.202.160.2.198 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.822961 eth0 < 131.202.160.2.642 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.822961 eth0 < 131.202.160.2.6142 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.822961 eth0 < 131.202.160.2.at-rtmp >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.822961 eth0 < 131.202.160.2.147 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.832961 eth0 < 131.202.160.2.1487 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.832961 eth0 < 131.202.160.2.1446 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.832961 eth0 < 131.202.160.2.745 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.386: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.598: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.https: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.451: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.364: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.338: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.490: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.447: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.221: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.907: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.299: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.mobileip-agent: FP 0:0(0) win 3072 urg 0
>> >> 23:50:59.832961 eth0 > socrates.whitelight.ca.57102 >
>> >> 131.202.160.2.255: FP
>> >> 0:0(0) win 3072 urg 0
>> >> 23:50:59.842961 eth0 < 131.202.160.2.386 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.842961 eth0 < 131.202.160.2.598 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.852961 eth0 < 131.202.160.2.https >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.852961 eth0 < 131.202.160.2.451 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.852961 eth0 < 131.202.160.2.364 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.852961 eth0 < 131.202.160.2.338 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.852961 eth0 < 131.202.160.2.490 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.852961 eth0 < 131.202.160.2.447 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.852961 eth0 < 131.202.160.2.221 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.862961 eth0 < 131.202.160.2.907 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.862961 eth0 < 131.202.160.2.299 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >> 23:50:59.862961 eth0 < 131.202.160.2.mobileip-agent >
>> >> socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
>> 23:50:59.862961
>> >> eth0 < 131.202.160.2.255 >
>> >> socrates.whitelight.ca.57102: R
>> >> 0:0(0) ack 1 win 3072
>> >>
>> >>
>> >>
>> >>
>> >> >===== Original Message From Peter Van Epp <vanepp at sfu.ca>
>> >> ===== <snip>
>> >> >>
>> >> >> Scans that I could see include:
>> >> >>
>> >> >> RPC, TCP Connect, Syn, Ping, UDP
>> >> >> in nmap speak (-sR, -sT, -sS, -sP, -sU)
>> >> >>
>> >> >>
>> >> >> Any ideas?
>> >> >>
>> >> >> Chris
>> >> >>
>> >> >>
>> >> > A tcpdump of the nmap scan to see what packets argus is
>> >> seeing would
>> >> >be my first suggestion (that would also let Carter reproduce the
>> >> >problem). If I get time I'll try and reproduce this.
>> >> >
>> >> >Peter Van Epp / Operations and Technical Support
>> >> >Simon Fraser University, Burnaby, B.C. Canada
>> >>
>> >>
>>
>>
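A reconciliation check for the procedure Carter describes in the thread (capture with tcpdump on the argus host, then show which flows the capture contains that ra never reported). This is an added example, not code from the thread or from the Argus project; it parses the two line formats quoted above, assumes the tools abbreviate hostnames differently (so flows are matched on their port pair, which is enough for a single-source scan), and uses a constructed service-name table and constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted in the thread (not the original capture).
TCPDUMP_LINES = """\
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.daytime: FP 0:0(0) win 3072 urg 0
23:50:59.802961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.1453: FP 0:0(0) win 3072 urg 0
23:50:59.812961 eth0 < 131.202.160.2.daytime > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
23:50:59.822961 eth0 < 131.202.160.2.1453 > socrates.whitelight.ca.57102: R 0:0(0) ack 1 win 3072
23:50:59.832961 eth0 > socrates.whitelight.ca.57102 > 131.202.160.2.https: FP 0:0(0) win 3072 urg 0
"""
RA_LINES = """\
14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?> 131.202.160.2.13 RST
14 Oct 01 23:51:02 tcp socrates.whitel.57102 ?> 131.202.160.2.1453 RST
"""
# Assumed: this tcpdump printed /etc/services names; map the ones used here back to numbers.
SERVICE_PORTS = {"daytime": 13, "https": 443}
# tcpdump: time iface dir src > dst: flags ...    ra: dd Mon yy hh:mm:ss proto src dir dst state
TCPDUMP_RE = re.compile(r"^(\S+) \S+ [<>] (\S+) > (\S+): (\S+) ")
RA_RE = re.compile(r"^\d+ \w{3} \d+ \d\d:\d\d:\d\d\s+tcp\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)")

def endpoint_port(endpoint):
    """'host.or.ip.port' -> port; hostnames contain dots, so split on the last one."""
    port = endpoint.rpartition(".")[2]
    return int(port) if port.isdigit() else SERVICE_PORTS.get(port, port)

def tcpdump_flows(text):
    """Map each flow (unordered port pair) to the set of TCP flag strings tcpdump saw on it."""
    flows = defaultdict(set)
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            key = frozenset((endpoint_port(m.group(2)), endpoint_port(m.group(3))))
            flows[key].add(m.group(4))
    return flows

def ra_flows(text):
    """Map each flow argus reported (via ra) to its final state, e.g. 'RST'."""
    flows = {}
    for line in text.splitlines():
        m = RA_RE.match(line)
        if m:
            flows[frozenset((endpoint_port(m.group(1)), endpoint_port(m.group(2))))] = m.group(3)
    return flows

def missing_from_argus(tcpdump_text, ra_text):
    """Flows in the capture that ra never reported, with the flags the capture shows for them."""
    seen, reported = tcpdump_flows(tcpdump_text), ra_flows(ra_text)
    return sorted((*sorted(k), "+".join(sorted(seen[k]))) for k in seen if k not in reported)
```

Feed it the text of `tcpdump -r capture` and of `argus -r capture -w - | ra` for the same file; an empty result means argus reported every flow the capture holds, a non-empty one is the evidence Carter asked for.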