[ARGUS] has anyone seen ra output with a '*' for source port?

Carter Bullard carter at qosient.com
Fri Sep 10 13:04:28 EDT 2004


Hey Nick,
   port numbers of '*' are equal to zero.  These are illegal port numbers
for udp and tcp, and so you usually have some interesting problems if you
see them (looks like you've got a port scan with a poorly crafted packet).

   ragator(), when it merges records together that have differing port
numbers (happens when the rule doesn't include the port number in the
flow classification rules), will set the port to zero, and so ra() will
print '*' to indicate that it is a wildcarded port.

   if this is causing problems (say in a perl parsing script or something),
a few -n options should revert it to '0'.  If not, then I need to fix it.

Carter



> From: Nick Giordano <ngiordano at mitre.org>
> Date: Fri, 10 Sep 2004 11:56:09 -0500
> To: <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] has anyone seen ra output with a '*' for source port?
> 
> Here is what my output from ra looks like.
> 
> 
> 1091846925,17,192.168.26.254,*,->,192.168.26.255,1025,1,0,911,0,TIM
> 1091846925,17,192.168.26.254,*,->,192.168.26.255,1027,1,0,911,0,TIM
> 1091846925,17,192.168.26.254,*,->,192.168.26.255,1029,1,0,911,0,TIM
> 
> My first question is what does the packet have to look like to make
> argus/ra list the source port a '*' ?  How is it possible to have an
> empty source port in a TCP packet?
> 
> Thanks,
> 
> Nick
> 
> 
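An added example of the kind of parsing script the reply mentions (not Argus code, and not from either poster): it reads ra's comma-separated output, maps '*' to port 0 as the reply describes, and flags unaggregated TCP/UDP records carrying a zero port. The column order after the addresses and ports (counters, then state) is assumed from the shape of the sample lines, not taken from the ra documentation.

```python
import csv
from dataclasses import dataclass

# Constructed sample: two lines copied from the thread plus one ordinary TCP
# record added for contrast.  Column order (time, proto, saddr, sport, dir,
# daddr, dport, counters, state) is assumed from the shape of those records.
SAMPLE = """\
1091846925,17,192.168.26.254,*,->,192.168.26.255,1025,1,0,911,0,TIM
1091846925,17,192.168.26.254,*,->,192.168.26.255,1027,1,0,911,0,TIM
1091846925,6,192.168.26.254,34567,->,192.168.26.255,80,3,2,400,300,EST
"""

PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Flow:
    stime: int
    proto: int
    saddr: str
    sport: int          # '*' is stored as 0, as the reply explains
    daddr: str
    dport: int
    state: str
    sport_wild: bool    # True when ra printed '*' for the source port
    dport_wild: bool


def parse_port(field: str) -> tuple[int, bool]:
    """Map ra's '*' to port 0 and remember that it was a wildcard."""
    if field == "*":
        return 0, True
    return int(field), False


def parse_ra_line(line: str) -> Flow:
    f = next(csv.reader([line]))
    sport, swild = parse_port(f[3])
    dport, dwild = parse_port(f[6])
    return Flow(int(f[0]), int(f[1]), f[2], sport, f[5], dport, f[11], swild, dwild)


def parse_ra(text: str) -> list[Flow]:
    return [parse_ra_line(l) for l in text.splitlines() if l.strip()]


def zero_port_flows(flows: list[Flow]) -> list[Flow]:
    """TCP/UDP records with a zero (wildcard) port.  Port 0 is not a legal
    TCP/UDP port, so in raw ra output these deserve a look (malformed packets,
    as the reply suggests); in ragator output they are expected whenever the
    aggregation rule drops the port from the flow key."""
    return [fl for fl in flows
            if fl.proto in (PROTO_TCP, PROTO_UDP) and (fl.sport == 0 or fl.dport == 0)]
```

Run the check only on unaggregated ra output; on ragator output a zero port is the normal wildcard, not an anomaly.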