Argus and AfterGlow

K K kkadow at gmail.com
Wed Jun 6 20:25:04 EDT 2007


Since meeting Raffy after his DEFCON talk, I've been fiddling with
AfterGlow off and on, and just recently started to feed it the output
of racluster.  Since the updated ra* tools output CSV directly,
argus2csv is no longer needed, and with a little effort you can
generate interesting graphs.

Simple example:
     racluster -r argus.cap -c, -s saddr daddr dport - 'tcp and dst port lt 1024' | sort -u | afterglow.pl -o 4 -c color.properties | neato -Tgif -o tcp.gif

Whether this looks interesting or like an outbreak of stachybotrys
depends on your network and choice of filter expression (upping the
'-o 4' value helps).  Also, I'd like to have racluster summarize by
dport so I can omit '| sort -u', but when I add "-m saddr daddr
dport", the resulting output is missing the dport entirely?


Here's another example, this time using the "two node mode" of
afterglow, to create a "directed graph" of SSH sessions:
     racluster -r argus.cap -m saddr daddr dport -c, -s saddr daddr - 'tcp and dst port 22' | afterglow.pl -t -e 2 -c color.properties | neato -Tgif -o tcp22argus.gif

Results from the above, anonymized, can be seen here:
     http://secviz.org/?q=node/74


Kevin

(P.S.  Pending a new server, I hope to try AfterGlow 2.0-JAVA and
treemaps soon.)
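As an added illustration (not the poster's code, and not part of argus or AfterGlow), the following Python script does what the afterglow.pl stage of the two pipelines above does to racluster's CSV output: it reads saddr,daddr,dport rows, builds either the three-node graph (saddr -> daddr -> dport) or the two-node directed graph (saddr -> daddr, afterglow's -t), prunes nodes seen fewer than an omit threshold (an approximation of afterglow's -o, whose exact semantics are an assumption here), and emits Graphviz DOT that neato can render. The input rows are constructed sample data, not output from a real capture.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample rows in the shape `racluster -c, -s saddr daddr dport` prints
# (one flow record per line; real output would come from the argus capture).
SAMPLE_RACLUSTER_CSV = """\
10.0.0.5,192.0.2.10,22
10.0.0.5,192.0.2.10,22
10.0.0.7,192.0.2.10,22
10.0.0.5,192.0.2.11,80
10.0.0.9,192.0.2.12,443
10.0.0.5,192.0.2.11,80
"""


def parse_flows(text):
    """Parse saddr,daddr,dport CSV into (saddr, daddr, dport) tuples.

    Lines without exactly three fields or without a numeric dport (a header
    line, a truncated record) are skipped rather than turned into bogus nodes.
    """
    flows = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 3:
            continue
        saddr, daddr, dport = (field.strip() for field in row)
        if not dport.isdigit():
            continue
        flows.append((saddr, daddr, int(dport)))
    return flows


def build_edges(flows, two_node=False, omit_threshold=1):
    """Turn flows into weighted edges the way afterglow's two modes do.

    three-node mode (default): saddr -> daddr -> dport, i.e. column 1 -> 2 -> 3
    two-node mode (afterglow -t): saddr -> daddr only
    omit_threshold approximates afterglow's -o: nodes seen fewer than
    omit_threshold times are dropped together with their edges (assumption
    about the exact -o semantics; the pruning effect is what matters here).
    """
    edges = Counter()
    node_hits = Counter()
    for saddr, daddr, dport in flows:
        port = "dport:%d" % dport  # keep port nodes distinct from address nodes
        edges[(saddr, daddr)] += 1
        node_hits[saddr] += 1
        node_hits[daddr] += 1
        if not two_node:
            edges[(daddr, port)] += 1
            node_hits[port] += 1
    return Counter({
        (src, dst): n for (src, dst), n in edges.items()
        if node_hits[src] >= omit_threshold and node_hits[dst] >= omit_threshold
    })


def to_dot(edges, name="argus"):
    """Emit a Graphviz digraph; the flow count becomes the edge label and pen
    width so chatty pairs stand out when rendered with neato or dot."""
    lines = ["digraph %s {" % name, "  node [shape=box];"]
    for (src, dst), n in sorted(edges.items()):
        lines.append('  "%s" -> "%s" [label="%d", penwidth=%d];' % (src, dst, n, n))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_RACLUSTER_CSV)
    # Counterpart of the first pipeline: three-node graph with an omit threshold
    print(to_dot(build_edges(flows, omit_threshold=2)))
    # Counterpart of the second pipeline: directed saddr -> daddr graph of port 22 only
    ssh = [f for f in flows if f[2] == 22]
    print(to_dot(build_edges(ssh, two_node=True), name="ssh"))
```

Because the edge weights already aggregate repeated saddr/daddr/dport rows, the `sort -u` step in the first pipeline is not needed here; pipe the printed DOT into `neato -Tgif -o out.gif` to get the same kind of picture.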


