strange packet patterns confusing argus

Carter Bullard carter at qosient.com
Tue Mar 15 09:18:40 EST 2005


Hey Guys,
   The TCP states are really direction-less, and
actually we use the SYN/SYNACK designation to determine
who the source and destination really are, so the
SYN is always coming from the source, and the SYNACK
is always coming from the destination, as long as it's
a real TCP connection.  We do keep up with which
direction the RESET is coming from, and so we do support
"src reset", or "dst reset" in the compiler.

   So, the example you gave should be satisfied with this
filter:

   ra -r file - tcp and syn and not synack and src reset

If this doesn't work, send mail!!!!

Carter



-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Russell Fulton
Sent: Monday, March 14, 2005 4:43 PM
To: Nick Giordano
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] strange packet patterns confusing argus

On Mon, 2005-03-14 at 16:06 -0600, Nick Giordano wrote:

> I don't really expect Argus to be able to understand what's happening but 
> is there a filter expression that can help me find these types of 
> attempts?  I don't think I can say ra -nnn -r * - tcp and src syn and 
> src rst and ! dst synack. 
> 
> Is there any way to find flows with a syn and reset from the source but 
> no synack from the destination?  Or for that matter, any way at all to 
> assign src or dst to the flag primitives?

I tend to do this sort of stuff the simple minded way by post processing
the -Zb output through perl.

Hmm... what does ragator do with these two sessions?

Russell
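The direction rules in Carter's reply (the bare SYN defines who the source is, the SYN/ACK comes from the destination, and the side that sent any RST is tracked separately as "src reset" / "dst reset") can be reproduced in a small post-processing script of the kind Russell mentions. The following Python is an added example written for this page; it is not argus code and not part of any message in the thread. It groups a constructed packet list into flows keyed on the two host:port endpoints (a simplification: argus keys on the full 5-tuple and also handles non-TCP traffic), assigns source and destination from the first bare SYN, and then evaluates the filter `syn and not synack and src reset` over each flow:

```python
from dataclasses import dataclass

# Constructed sample packets (not argus output): (sender, receiver, TCP flags).
# Flag letters: S = SYN, A = ACK, R = RST, F = FIN.
SAMPLE_PACKETS = [
    # 1. Normal handshake and teardown: no RST at all.
    ("10.0.0.1:40000", "192.0.2.10:80", "S"),
    ("192.0.2.10:80", "10.0.0.1:40000", "SA"),
    ("10.0.0.1:40000", "192.0.2.10:80", "A"),
    ("10.0.0.1:40000", "192.0.2.10:80", "FA"),
    ("192.0.2.10:80", "10.0.0.1:40000", "FA"),
    # 2. The pattern Nick asked about: SYN from the client, no SYN/ACK back,
    #    then an RST from the same client.
    ("10.0.0.2:40001", "192.0.2.20:80", "S"),
    ("10.0.0.2:40001", "192.0.2.20:80", "R"),
    # 3. Closed port: the server answers the SYN with RST ("dst reset").
    ("10.0.0.3:40002", "192.0.2.30:81", "S"),
    ("192.0.2.30:81", "10.0.0.3:40002", "RA"),
    # 4. Established, then aborted by the client: syn AND synack, so not a match.
    ("10.0.0.4:40003", "192.0.2.40:80", "S"),
    ("192.0.2.40:80", "10.0.0.4:40003", "SA"),
    ("10.0.0.4:40003", "192.0.2.40:80", "A"),
    ("10.0.0.4:40003", "192.0.2.40:80", "R"),
]


@dataclass
class Flow:
    src: str
    dst: str
    syn: bool = False        # bare SYN seen from the flow source
    synack: bool = False     # SYN/ACK seen from the flow destination
    src_reset: bool = False  # RST sent by the source
    dst_reset: bool = False  # RST sent by the destination


def build_flows(packets):
    """Group packets into direction-less flows, then fix the direction from the SYN.

    The flow key is the unordered pair of endpoints, so both directions of a
    conversation land in one bucket.  The sender of the first bare SYN becomes
    the source; if no SYN was captured, the first packet's sender is used.
    """
    groups = {}
    for pkt in packets:
        groups.setdefault(frozenset(pkt[:2]), []).append(pkt)

    flows = []
    for pkts in groups.values():
        syn_pkts = [p for p in pkts if "S" in p[2] and "A" not in p[2]]
        first = syn_pkts[0] if syn_pkts else pkts[0]
        fl = Flow(src=first[0], dst=first[1])
        for sender, _receiver, flags in pkts:
            from_src = sender == fl.src
            if "S" in flags and "A" not in flags and from_src:
                fl.syn = True
            if "S" in flags and "A" in flags and not from_src:
                fl.synack = True
            if "R" in flags:
                # RST direction is tracked per side, unlike the handshake flags.
                if from_src:
                    fl.src_reset = True
                else:
                    fl.dst_reset = True
        flows.append(fl)
    return flows


def matches(fl):
    """The filter from Carter's reply: tcp and syn and not synack and src reset."""
    return fl.syn and not fl.synack and fl.src_reset


def find_suspicious(packets):
    """Return (src, dst) for every flow that satisfies the filter."""
    return [(f.src, f.dst) for f in build_flows(packets) if matches(f)]


if __name__ == "__main__":
    for src, dst in find_suspicious(SAMPLE_PACKETS):
        print(f"{src} -> {dst}: syn, no synack, src reset")
```

Only flow 2 survives the filter: flow 3 has the RST coming from the destination, and flow 4 has a SYN/ACK, so neither is a "syn and not synack and src reset" flow. Taking the source from the SYN rather than from the first packet seen matters when the capture starts mid-conversation or packets are delivered out of order.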