Fwd: argus query

Carter Bullard carter at qosient.com
Fri Jan 25 10:34:20 EST 2008



Begin forwarded message:

> From: "Stewart Gray" <stew at frozenpea.net>
> Date: January 23, 2008 5:53:19 PM EST
> To: "Carter Bullard" <carter at qosient.com>
> Subject: Re: argus query
>
> Hi Carter,
>
> sorry about that, I'll sign up later today. Feel free to post what we
> have already discussed. I'm keen to be on the list anyway as I'm
> genuinely keen to learn more about argus.
>
> I work in an ISP and we have 4 (and soon to be 9) IDS boxes which we
> also run argus on to capture TCP flows. While counting SYN & SYN/ACKS
> and so forth might be a rudimentary way of spotting DOS attacks, it
> allows us to get baseline figures as to what normal day-to-day traffic
> looks like. If we usually see 1000 SYN's and 900 SYN/ACKS (a
> difference of 100) and this difference suddenly jumps to 10,000 in the
> hour then this represents an anomaly (not necessarily a DOS) but
> something that warrants further investigation. There are security
> appliances that do just this (esphion for example). My intent was
> really just to spot dropped connections (which are available in our
> firewall logs but not represented as well as cacti can do it). I've
> used the same principle with the service distributions. A huge
> increase in outbound UDP 53 packets with no or little increase in
> return packets could indicate an issue with an upstream DNS provider.
>
> Thanks heaps for the suggested commands. It doesn't look like I have
> radark or racluster, are these part of argus 3.0? I only have the
> tools as installed with argus-clients-2.0.6
>
> Cheers,
>
> Stewart
>
> On Jan 24, 2008 11:26 AM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Stewart,
>> I expected you to re-send your question to the list, any problems
>> with me forwarding it to the list?
>>
>> Not sure that knowing the syn, syn/ack, ack counts are going to get
>> you very far, but you can analyze argus data to give you good answers
>> to more direct questions regarding problems.
>>
>> The DoS attack is pretty easy to pick up based on load per local IP
>> address.  You generate a list of the IP addresses in your data, and
>> you pick out the local addresses and look to see if their total input
>> load is high.  You can filter data so you only work with data that came
>> from outside the local network and headed in:
>>
>>   racluster -r file -M rmon -m saddr -w - - ip and src net not
>> 192.168.0.0/16 and dst net 192.168.0.0/16 | \
>>   rasort -m dload - src net 192.168.0.0/16
>>
>> (substitute your local net address for the 192.168.0.0)
>> take a look at the output and you can get an idea if someone is
>> slamming something.
>>
>> Are you looking for scanners, or for failed TCP connection attempts?
>>
>> If you're looking for scanners, try radark().  That may cover most of
>> what you're interested in.  But if you really are interested in
>> counting flow with specific TCP states or flags, use racluster() with
>> a custom racluster.conf configuration file, to generate the numbers
>> you want.  This could get you started.
>>
>> ----racluster.conf------
>> filter="tcp and syn and not (synack or ack or fin or finack)"   
>> model="proto"
>> filter="tcp and synack and not (syn or fin or finack or con)"   
>> model="proto"
>> filter="tcp and ack and not (syn or synack or fin or finack or con)"
>> model="proto"
>> ----end file -----
>>
>>   racluster -r file -f racluster.conf -w - | ra -Zb -s state trans
>>
>> Carter
>>
>>
>> Stewart Gray wrote:
>>> Hi There,
>>>
>>> I used argus combined with cacti to produce attractive graphs on
>>> service distribution within a network I work in. I use 'ramon -M
>>> Matrix' to break down usage on different ports and have this fed into
>>> cacti to spot any anomalies.
>>>
>>> I'm wanting to know if there is any way to have argus pump out a
>>> figure of how many syn, syn/ack, and ack packets are seen within an
>>> argus data file. I'm hoping this information will enable me to spot
>>> any DOS attacks on our network, a jump in SYN's might suggest a SYN
>>> flood or an increase in dropped packets on our firewall.
>>>
>>> I've had a good look through the argus-client suite and haven't been
>>> able to figure out how to do this. Do you know any way to do it?
>>>
>>> Kind Regards,
>>>
>>> Stewart
>>>
>>>
>>
>>
>
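The baseline idea Stewart describes (count SYN-only flows against SYN/ACK flows per hour and treat a sudden jump in the difference as something to investigate), combined with the three TCP-state classes from Carter's racluster.conf, can be scripted over exported flow records. The following is an added example for this archive, not part of the thread and not argus or ra(1) code: the whitespace-separated record layout, the `syn`/`synack`/`ack` class labels and every sample line are constructed for the illustration, and the `factor`/`min_delta` thresholds are assumptions a site would tune against its own baseline.

```python
"""Hourly SYN vs SYN/ACK gap check modelled on the thread's baseline approach.

Added example: the record format and all sample lines are constructed for this
illustration; they are not real argus or ra(1) output.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed record layout: "<YYYY-MM-DD> <HH> <proto> <saddr> <daddr> <class>"
# where <class> mirrors the three racluster.conf filters in the thread:
#   syn    - SYN seen with no SYN/ACK or ACK (attempt that got no reply)
#   synack - SYN/ACK seen (the server answered)
#   ack    - ACK seen without a SYN/SYN-ACK (established traffic)


def _make_hour(stamp, syn, synack, ack):
    """Build constructed flow lines for one hour bucket (sample data only)."""
    lines = []
    for i in range(syn):
        lines.append(f"{stamp} tcp 203.0.113.{i % 250 + 1} 192.168.1.10 syn")
    for i in range(synack):
        lines.append(f"{stamp} tcp 192.168.1.10 198.51.100.{i % 250 + 1} synack")
    for i in range(ack):
        lines.append(f"{stamp} tcp 198.51.100.{i % 250 + 1} 192.168.1.20 ack")
    return lines


# Three ordinary hours, then one hour with a SYN surge and no matching replies.
# Counts are a scaled-down version of the 1000/900 vs 10,000 figures in the thread.
SAMPLE_LINES = (
    _make_hour("2008-01-23 09", syn=10, synack=9, ack=30)
    + _make_hour("2008-01-23 10", syn=11, synack=9, ack=28)
    + _make_hour("2008-01-23 11", syn=10, synack=8, ack=31)
    + _make_hour("2008-01-23 12", syn=100, synack=9, ack=29)
)


def hourly_counts(lines):
    """Count TCP flows per hour bucket and per state class."""
    counts = defaultdict(Counter)
    for line in lines:
        date, hour, proto, _saddr, _daddr, cls = line.split()
        if proto != "tcp":
            continue
        counts[f"{date} {hour}"][cls] += 1
    return counts


def syn_gap(counts):
    """SYN minus SYN/ACK per hour: attempts that never drew a server reply."""
    return {hour: c["syn"] - c["synack"] for hour, c in sorted(counts.items())}


def flag_anomalies(gaps, factor=5, min_delta=20):
    """Flag hours whose gap is more than `factor` times the median gap of the
    hours seen so far and at least `min_delta` above it.  The earlier hours
    form the rolling baseline; thresholds are assumptions to tune per site."""
    flagged = []
    history = []
    for hour, gap in gaps.items():
        if history:
            base = median(history)
            if gap > factor * base and gap - base >= min_delta:
                flagged.append((hour, gap, base))
        history.append(gap)
    return flagged


if __name__ == "__main__":
    gaps = syn_gap(hourly_counts(SAMPLE_LINES))
    for hour, gap in gaps.items():
        print(f"{hour}  syn-synack gap = {gap}")
    for hour, gap, base in flag_anomalies(gaps):
        print(f"ANOMALY {hour}: gap {gap} vs baseline median {base}")
```

The `min_delta` floor matters on quiet links: when the baseline gap is near zero, a multiplicative factor alone would flag trivial fluctuations. The same shape (a per-hour count of requests against replies, compared with a rolling baseline) applies to the outbound UDP/53 versus return-packet check Stewart mentions; only the class labels change.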
