strange packet patterns confusing argus
Nick Giordano
ngiordano at mitre.org
Mon Mar 14 17:06:59 EST 2005
We are getting some odd network traffic that is playing games with the
state tables of Argus.
a.a.a.a 21222 -> b.b.b.b 80 SR_
a.a.a.a 21223 -> b.b.b.c 80 SR_
a.a.a.a 21224 -> b.b.b.d 80 SR_
a.a.a.a 21222 -> b.b.b.b 80 PA_SRA
a.a.a.a 21225 -> b.b.b.e 80 SR_
The source is sending a syn packet and then a reset packet. For some
reason the destination is disregarding the reset packet and continuing
the session. Argus sees the reset, closes the flow and logs the packet.
I don't really expect Argus to be able to understand what's happening but
is there a filter expression that can help me find these types of
attempts? I don't think I can say ra -nnn -r * - tcp and src syn and
src rst and ! dst synack.
Is there any way to find flows with a syn and reset from the source but
no synack from the destination? Or for that matter, any way at all to
assign src or dst to the flag primitives?
Nick
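An added example, not part of the post or of the argus tools: a small post-processor over ra's text output that picks out the flows described above (SYN and RST from the source, no SYN/ACK from the destination) and groups them by source host. It assumes the state column reads source flags, an underscore, then destination flags, as in the lines quoted in the post; the sample input is constructed in that shape.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ra lines quoted in the post:
# src sport -> dst dport state, where state is src_flags "_" dst_flags.
SAMPLE = """\
a.a.a.a 21222 -> b.b.b.b 80 SR_
a.a.a.a 21223 -> b.b.b.c 80 SR_
a.a.a.a 21224 -> b.b.b.d 80 SR_
a.a.a.a 21222 -> b.b.b.b 80 PA_SRA
a.a.a.a 21225 -> b.b.b.e 80 SR_
c.c.c.c 40001 -> b.b.b.b 80 S_SA
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+->\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_line(line):
    """Return (src, sport, dst, dport, src_flags, dst_flags), or None if the line
    does not match the assumed column layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, state = m.groups()
    # Assumed layout: flags seen from the source, "_", flags seen from the destination.
    src_flags, _, dst_flags = state.partition("_")
    return src, int(sport), dst, int(dport), src_flags, dst_flags


def is_syn_rst_without_synack(rec):
    """Source sent SYN and RST, and the destination never answered with SYN+ACK."""
    _, _, _, _, sf, df = rec
    return "S" in sf and "R" in sf and not ("S" in df and "A" in df)


def find_suspect_sources(text):
    """Map each source host to the sorted list of destinations it probed this way."""
    hits = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_syn_rst_without_synack(rec):
            hits[rec[0]].add(rec[2])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in find_suspect_sources(SAMPLE).items():
        print(f"{src}: SYN+RST with no SYN/ACK from {len(dsts)} host(s): {', '.join(dsts)}")
```

Feeding it real ra output (`ra -nnn -r file | python3 this.py`) needs the regex adjusted to the extra columns ra prints before the addresses.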