rc.28 code on the server
Richard Bejtlich
taosecurity at gmail.com
Tue Aug 29 16:37:17 EDT 2006
On 8/28/06, Carter Bullard <CARTER at qosient.com> wrote:
> Gentle people,
> New release candidate code on the server that fixes a number of problems posted to the mailing list.
Hi Carter and everyone,
This is a weird issue which appears with both Argus 2.0.6 (from
FreeBSD ports tree) and rc.28 (which compiles fine on FreeBSD 6.1
SECURITY).
I have a Libpcap trace that does not have any other traffic besides
that involving host 192.168.0.10, i.e.:
orr:/home/richard$ tcpdump -n -r dump.cap not host 192.168.0.10
reading from file dump.cap, link-type EN10MB (Ethernet)
orr:/home/richard$
However, check out these results from Argus:
orr:/usr/local/src/argus-3.0.0.rc.28/bin$ ./argus -r /home/richard/dump.cap -w /home/richard/dump.cap.arg3
orr:/usr/local/src/argus-3.0.0.rc.28/bin$ cd /usr/local/src/argus-clients-3.0.0.rc.28/bin/
orr:/usr/local/src/argus-clients-3.0.0.rc.28/bin$ ./ra -n -r /home/richard/dump.cap.arg3 -- not host 192.168.0.10
20:34:41.313092 arp 192.168.0.10 who 192.168.0.1 2 2 84 120 CON
20:34:48.293810 arp 192.168.0.2 who 192.168.0.10 1 1 60 42 CON
20:36:40.787045 tcp 80.2.0.16.4482 -> 0.0.0.0.67 1 0 54 0 REQ
16:20:56.030858 man 34668616 0 2925593600 838861 153147 0 2925593600 285249248 SHT
19:00:00.000000 man 34668616 0 2925593600 838861 0 0 2925593600 285249248 SHT
19:00:00.000000 0 0 0 0 UNK
ra[7756]: 16:22:25.961478 ArgusReadStreamSocket (0x81c8dc4) record length is zero
Where is 80.2.0.16.4482 coming from?
I get the same results with 2.0.6:
orr:/home/richard$ tcpdump -n -r dump.cap not host 192.168.0.10
reading from file dump.cap, link-type EN10MB (Ethernet)
orr:/home/richard$
orr:/home/richard$ argus -r dump.cap -w dump.cap.arg2
orr:/home/richard$ ra -n -r dump.cap.arg2 -- not host 192.168.0.10
29 Aug 06 16:26:21 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
28 Aug 06 20:36:40 tcp 80.2.0.16.4482 <-> 0.0.0.0.bootp 1 0 54 0 TIM
29 Aug 06 16:26:21 man 229.97.122.203 v2.0 69190 0 153147 0 17775603 69188 SHT
Again:
orr:/home/richard$ tcpdump -n -r dump.cap host 80.2.0.16
reading from file dump.cap, link-type EN10MB (Ethernet)
orr:/home/richard$
There are three records with IP 0.0.0.0 however:
orr:/home/richard$ tcpdump -n -r dump.cap host 0.0.0.0
reading from file dump.cap, link-type EN10MB (Ethernet)
20:34:51.287780 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
20:34:51.867606 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
20:34:52.868105 IP 0.0.0.0.63000 > 192.168.0.10.60000: S 6334:6334(0) win 512
Please tell me I am making a dumb mistake!
I've posted dump.cap here, if anyone wants to try it:
http://www.taosecurity.com/dump.cap.gz
Thank you,
Richard
PS: I did not generate this trace. Someone running a scan for Snort did.
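The check Richard performs by hand above (ra names a host, tcpdump finds no packets for it) can be automated so that sensor output is routinely validated against the trace it was built from. The script below is an added example, not code from the thread or from the Argus project; it reads a libpcap file with the standard library only, collects the IPv4 endpoints in every Ethernet frame, extracts the addresses from ra's text output, and reports any that the trace never carried. The pcap bytes and the ra lines embedded in it are constructed stand-ins modelled on the output quoted above.

```python
import re
import struct

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def pcap_ipv4_hosts(data: bytes) -> set:
    """IPv4 source/destination addresses present in a link-type EN10MB pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (EN10MB) traces are handled here")
    hosts, off = set(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType IPv4
            hosts.add(".".join(map(str, frame[26:30])))        # IP source
            hosts.add(".".join(map(str, frame[30:34])))        # IP destination
    return hosts

def ra_hosts(ra_output: str) -> set:
    """Addresses named in ra flow records; 'man' (sensor status) records are skipped."""
    flows = [line for line in ra_output.splitlines() if " man " not in line]
    return set(IPV4_RE.findall("\n".join(flows)))

def phantom_hosts(pcap: bytes, ra_output: str) -> set:
    """Hosts that ra reports but that 'tcpdump -r trace host X' would never show."""
    return ra_hosts(ra_output) - pcap_ipv4_hosts(pcap)

def _frame(src: str, dst: str) -> bytes:
    """Constructed Ethernet/IPv4 frame with a minimal 20-byte IP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip

def _pcap(frames) -> bytes:
    """Constructed little-endian pcap file (magic 0xa1b2c3d4, linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed stand-ins for dump.cap (three SYNs from 0.0.0.0) and for ra output.
SAMPLE_PCAP = _pcap([_frame("0.0.0.0", "192.168.0.10")] * 3 +
                    [_frame("192.168.0.10", "192.168.0.1")])
SAMPLE_RA = ("20:36:40.787045 tcp 80.2.0.16.4482 -> 0.0.0.0.67 1 0 54 0 REQ\n"
             "16:20:56.030858 man 34668616 0 2925593600 838861 153147 0 SHT\n")
```

Running `phantom_hosts(SAMPLE_PCAP, SAMPLE_RA)` isolates 80.2.0.16 as the address that appears in the flow records but in no packet, which is exactly the discrepancy reported in this message.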