Argus and AfterGlow
carter at qosient.com
carter at qosient.com
Thu Jun 7 17:30:33 EDT 2007
Most Excellent!!!
On the port cluster, you have to include the proto field to get the port.
"-m saddr daddr proto dport"
Did you want to try ranonymize()?
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: "K K" <kkadow at gmail.com>
Date: Wed, 6 Jun 2007 19:25:04
To:Argus <argus-info at lists.andrew.cmu.edu>
Cc:raffy at raffy.ch
Subject: [ARGUS] Argus and AfterGlow
Since meeting Raffy after his DEFCON talk, I've been fiddling with
AfterGlow off and on, and just recently started to feed it the output
of racluster. Since the updated ra* tools output CSV directly,
argus2csv is no longer needed, and with a little effort you can
generate interesting graphs.
Simple example:
racluster -r argus.cap -c, -s saddr daddr dport - 'tcp and dst
port lt 1024' | sort -u | afterglow.pl -o 4 -c color.properties |
neato -Tgif -o tcp.gif
Whether this looks interesting or like an outbreak of stachybotrys
depends on your network and choice of filter expression (upping the
'-o 4' value helps). Also, I'd like to have racluster summarize by
dport so I can omit '| sort -u', but when I add "-m saddr daddr
dport", the resulting output is missing the dport entirely?
Here's another example, this time using the "two node mode" of
afterglow, to create a "directed graph" of SSH sessions:
racluster -r argus.cap -m saddr daddr dport -c, -s saddr daddr -
'tcp and dst port 22' | afterglow.pl -t -e 2 -c color.properties |
neato -Tgif -o tcp22argus.gif
Results from the above, anonymized, can be seen here:
http://secviz.org/?q=node/74
Kevin
(P.S. Pending a new server, I hope to try AfterGlow 2.0-JAVA and
treemaps soon.)
More information about the argus
mailing list