'known flows' configuration file

Mark Poepping poepping at cmu.edu
Thu Feb 14 11:40:23 EST 2002 

So can you use ragator to do the 'display everything *but* flows of
these types'?  I used to do that all the time, to discover new services
popping up in the intranet, but that was before the days of ragator (I
need to go read all these manpages again:-).  This notion is close to
the 'in-profile' (signature) ideas, and I admit I haven't thought about
it a lot, but is there thought to having ragator (or something else)
specify 'ranges' for almost (if not) all of the argus attributes, and
then be able to see things that are in or out of that 'profile'?

For instance, I might want to flag:
 . any rtp streams that had dropped packets
 . smtp transactions that lasted longer than 1-2 seconds
 . http transactions over 1MB
 . aggregate 2-packet RST kazaa (filed request) transactions separately
 . a billion other things..

I must say too that many of us approach the processing from a
programmatic (perl) mindset, though ragator can actually do much of this
stuff really easily and quickly..  But man, that bugger is a head-banger
for me - those indirect flow-filter proto's just don't fly off the
fingers like those associative arrays do:-)..

Mark.


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> info at lists.andrew.cmu.edu] On Behalf Of Carter Bullard
> Sent: Thursday, February 14, 2002 10:38 AM
> To: 'Yann Berthier'; argus-info at lists.andrew.cmu.edu
> Subject: RE: 'known flows' configuration file
> 
> Hey Yann,
>    Thanks for the mail and your support of argus!
> ragator() is capable of doing a part of what you
> are interested in, and with only some minor adjustments,
> it should be able to do all of it, or at least what
> I understand from your mail.
> 
>    ragator() can be configured to pass through
> traffic of interest, and to aggregate all other
> traffic into a single 'catch all' record.  You can
> either filter out the catch all record on output, or
> you can leave it in the stream.  Here is how I would
> implement your example:
> 
> fmodel.conf:
> #
> #    id   SrcCIDRAddr      DstCIDRAddr Proto SPort DPort ModelList
> Duration
> Flow 100  $INTERNAL_NET    $SMTP_DMZ    tcp   *    25    200        0
> Flow 101  *                *            icmp  echo *     200        0
> Flow 102  *                *            *     *    *     201        60
> #
> #     id  SrcAddrMask     DstAddrMask      Proto  SrcPort  DstPort
> Model 200 255.255.255.255 255.255.255.255  yes    yes      yes
> Model 201 0.0.0.0         0.0.0.0          no     no       no
> 
> 
> And then run ragator as:
>    ragator -f fmodel.conf -r argusfile -w outputfile
> 
> This will give you only the two flow types you are interested in.
> All the other traffic will be aggregated into a common flow that
> is generated every 60 seconds.  Because ragator() is designed to
> account for everything on the input (i.e. it won't throw anything
> away), we may need to add a Model type that allows you to toss
> a record, if you don't want to see the "catch all" record on output.
> 
> You could hold the records of interest a little longer than 0
> seconds, and get some output management for free.  This
> should get you what you we are interested in.
> 
> Hope you find this is helpful!  Don't hesitate to send mail
> at anytime!
> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York  10022
> 
> carter at qosient.com
> Phone +1 212 588-9133
> Fax   +1 212 588-9134
> http://qosient.com
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > Yann Berthier
> > Sent: Thursday, February 14, 2002 3:48 AM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: 'known flows' configuration file
> >
> >
> >
> >    Hi list !
> >
> >    I discovered Argus recently while searching tools to help to
> >    highlight anomalies in a network trace: signs of an intrusion,
> >    troyans, and so on, and I am very enthusiastic about it !
> >
> >    So, back to my subject: wouldn't it be helpful to have
> > argus able to
> >    display (well, ra*) only defined flows ? Something like:
> >
> >      tcp $INTERNAL_NET.any -> $SMTP_DMZ.25
> >      icmp any -> any ECO
> >
> >    One can imagine a configuration file listing flows, and a
> > flag to ra*
> >    to display or not flows matching this file : after all, it could
be
> >    interesting as well to have the number of packets / bytes
exchanged
> >    between the defined networks / flows - but of course the notion
of
> >    state of the connection is meaningless here.
> >
> >    I don't know if all of this make sense, just wanted to ask the
list
> >    to know ... :) anyway, the idea is not to transform argus
> > in a nids,
> >    but it could be handy to have argus displaying only non
> > known flows,
> >    perhaps at least for the guy trying to enumarate the flows on its
> >    network to be able to partition it on a second round.
> >
> >    ok, of course the bpf like filters are here for that, but
> > it can be a
> >    bit tedious if you have multiple networks / flows to define.
> >
> >    If this has been debated before, i apologize - a quick look in
the
> >    archives raised nothing but ... it was a very _quick_ look :)
> >
> >    Last point: is there an irc channel where people meet around
argus
> >    ?
> >
> >    Regards,
> >
> >    yann.
> >
> >
> > --
> >    Yann.Berthier at hsc.fr * Hervé Schauer Consultants *
> http://www.hsc.fr/
> 
>

More information about the argus mailing list