Argus and AfterGlow

K K kkadow at gmail.com
Thu Jun 7 20:15:32 EDT 2007


On 6/7/07, Raffael Marty <raffy at raffy.ch> wrote:
> ranonymize() sounds interesting. I need to try that out.

A powerful tool, the original announcement is here:
http://osdir.com/ml/network.argus/2002-10/msg00004.html

While built to anonymize argus records, the logic could translate to a
replacement for afterglow's "anonymize.pl"?


For uploading to secviz.org , I wanted to make it clear which IP
addresses were in ranges designated for dialups, VPN, servers, etc,
without actually showing intranet DNS names, so I ran the CSV through
my own simple scrubber.

Normally, when post-processing the output of racluster for a report, I
pass it through a Perl script we have which grabs any IPv4 addresses
in the CSV and does its damnedest to translate private IPs into
names, going so far as to run "nmblookup" on the off chance the host
registered with Active Directory.


> Kevin, tell me, the SSH graph you posted, where is the rogue management
> tool?

In my anonymized data, there are two clusters in the lower left: hosts
which initiate many outbound SSH sessions but have no inbound sessions.

What's not apparent in the graph is that once a minute, 10.9.64.136
brings up an SSH session to each of 19 hosts.  That's 3,600 ssh
sessions to each managed machine, 68K sessions per day.


> And I guess your config for colors is blue=target, red=source,
> pink=source/target. BTW, there were some bugs in AfterGlow with coloring.
> I will submit a fix to CSV in a minute. There are some other cool features
> too in 1.5.8 ;)

Correct, I used the default color.properties, I'll watch for 1.5.8.

I'm going to try building a more complex "properties" file for
afterglow. I'm thinking about ways to represent the number of unique
TCP sessions, and data volume. I'm guessing this is where I'd use
edgeColorExp?


> Keep me posted on your work. If you have more example graphs, I would love
> to see them!

We're migrating the project to a big V490 and to Solaris; once that's
up and running (I've spent all day getting the right GNU packages and
building binaries) I should have more results to share, and enough CPU
and RAM to do more interesting visualizations of longer term data.


With the graph I'd uploaded, another suspicious area is a long chain
of host->host->host->host sessions, suggesting somebody is leveraging
trust relationships to hop across the network, maybe ending up
somewhere they shouldn't.

Or more likely (per Hanlon's law), the user just forgot how to type
'exit', and they're wondering why everything gets slower and slower as
they chain sessions...

Kevin
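Kevin's scrubber itself is not posted. As an added example (not his script, and not part of the argus or AfterGlow projects), here is the same idea in Python: each IPv4 address in a racluster-style CSV is replaced by a keyed pseudonym prefixed with its range designation (dialup, VPN, server), so the graph still shows which zone a node lives in without exposing intranet names, and the scrubbed flows are tallied so hosts with many outbound SSH sessions and none inbound stand out. The range map, the key and the CSV rows are constructed for the example.

```python
import csv
import hashlib
import hmac
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed range plan: which intranet prefixes are dialup, VPN or server
# space. Illustrative only, not any real network's allocation.
RANGE_LABELS = {
    ipaddress.ip_network("10.9.1.0/24"): "dialup",
    ipaddress.ip_network("10.20.0.0/16"): "vpn",
    ipaddress.ip_network("10.9.64.0/24"): "server",
}

# Keyed hash so pseudonyms are stable across runs but cannot be
# reversed by rebuilding a lookup table without the key (constructed key).
SECRET = b"constructed-example-key"

# Constructed racluster-style rows: src,dst,dport. One host opens SSH
# to three others repeatedly and never receives an SSH session itself.
SAMPLE_CSV = """10.9.64.136,10.9.70.1,22
10.9.64.136,10.9.70.2,22
10.9.64.136,10.9.70.3,22
10.9.64.136,10.9.70.1,22
10.9.70.1,10.9.70.2,22
10.20.5.7,10.9.64.136,443
"""


def scrub_ip(ip: str) -> str:
    """Replace an address with a stable pseudonym that keeps its range label."""
    addr = ipaddress.ip_address(ip)
    label = next((name for net, name in RANGE_LABELS.items() if addr in net), "other")
    tag = hmac.new(SECRET, ip.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{label}-{tag}"


def scrub_csv(text: str):
    """Scrub src/dst in each row and count SSH sessions initiated/received per host."""
    rows, outbound, inbound = [], defaultdict(int), defaultdict(int)
    for src, dst, dport in csv.reader(StringIO(text)):
        s, d = scrub_ip(src), scrub_ip(dst)
        rows.append((s, d, dport))
        if dport == "22":
            outbound[s] += 1
            inbound[d] += 1
    return rows, outbound, inbound


def management_like_hosts(outbound, inbound, min_out: int = 3):
    """Hosts that initiate many SSH sessions but never receive one (the lower-left cluster)."""
    return sorted(h for h, n in outbound.items() if n >= min_out and inbound.get(h, 0) == 0)
```

Feed the scrubbed rows to afterglow as usual; the label prefix is what lets a color or shape rule in the properties file distinguish zones without revealing addresses.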


