[ARGUS] Using ra to view 0 byte/packet dst flows?

Carter Bullard carter at qosient.com
Tue May 4 00:00:01 EDT 2004 

Hey Steve,
   If you want to find tcp flows that don't have any response
data, there is a "ra approved" way, but it may not do exactly
what you want without some additional switches.

   ra [options] - tcp and not dst data

this filter will find valid connections but no tcp payload
data from the receiver.  There are a lot of scenarios where
you can have real connections and this filter won't match it,
especially when you're monitoring in an asymmetric net.

Better to measure most of the states of tcp, so that you
can find just what you're looking for.  Say, you're looking
for tcp connections that have just syn's, with no response,
there are a large number of ways of doing it.  Below are three:

      ra [options] - tcp and syn and not synack
      ra [options] - tcp and syn and not con
      ra [options] - tcp and syn and not data

each have differing meanings, of course.

Not synack means that you saw a syn request, but there was
no syn ack reply from the responder.  With symmetric routing
(i.e. you see both sides of the traffic),  this is more
than adequate for finding syn scans, however, you will not find
connections that received a reset as a response.  If there
is asymmetric routing, then this can be fooled, since you may
not be able to monitor the return traffic.

Not con, means there was no response at all, so it will not match
those requests that receive RSTs.  So you just see tcp's that had
a Syn.  In asymmetric nets, this can also be fooled.

Not data, means there was no TCP payload, so even if there was
connection establishment (Syn with a SynAck), or if you don't
see the return traffic, because there was no user data passed
in the TCP, you'll have some assurance that you're seeing just
Syn scan type traffic.  If you're just worried about responses,
this may work:

   ra [options] - tcp and not dst data


The best to find just Syn traffic that has no response at all,
I'd try something like this:

   ra [options] - tcp and syn and not \(synack or ack or fin or finack or
reset or data or con\)


Carter




-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Steve McInerney
Sent: Monday, May 03, 2004 9:15 PM
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Using ra to view 0 byte/packet dst flows?

Hi All,

is there an "ra approved" way of showing flows that have zero
bytes/packets from the DST?
I haven't seen that there is any way of doing such a query via the
standard filters.


More a mildly curious question than anything, as I can more or less
duplicate the desired results via the following (post ragator'ed data
file) construct:

ra -n -s startime daddr dport dbytes - -r
argus-april.ragatored-http.argus | awk '{ if ($6 == 0) print $0 }' | tee
april.zero_http.txt


To put the actual Question in English:
Essentially we're looking for the date/times of flows where we had
nothing back from outgoing http requests.

Being able to do so in ra would provide a little more flexibility in the
output - not so dependant on what's in what column etc.


Thanks


- Steve

More information about the argus mailing list