Broken Reset Filter, possible bug
Nick Diel
ndiel at engr.colostate.edu
Mon Mar 10 12:37:22 EDT 2008
It appears that the filter "not reset" only works some of the time. I
noticed this trying to use the filter: "not ((syn or synack) and (fin or
finack or reset)." Then doing the following command gave me lots of
entries with resets.
diel at morte:~$ ra -r /lander/dump-110707/argus/port80/argus.out -z - "not
((syn or synack) and (fin or finack or reset))" | egrep "(s|S).*R"
09:01:29.947638 e tcp 184.3.136.54.3000 ->
87.123.62.161.www 9 3331 sSER
09:01:29.949058 e tcp 184.3.136.54.3001 ->
87.123.62.149.www 9 3545 sSER
09:01:29.950426 e tcp 184.3.136.54.3002 ->
87.123.62.169.www 17 7560 sSER
09:01:29.952302 e tcp 165.72.129.19.1170 ->
34.208.115.191.www 27 7275 sER
09:01:29.958305 e d tcp 184.3.136.54.3003 ->
87.123.62.145.www 12 4352 sSER
09:01:29.959940 e tcp 184.3.136.54.3004 ->
87.123.62.134.www 12 6051 sSER
09:01:29.960089 e tcp 184.3.136.54.3005 ->
87.123.62.148.www 12 6247 sSER
09:01:29.968459 e tcp 164.34.224.106.3188 ->
201.79.50.56.www 22 13350 sSER
09:01:29.997532 e tcp 165.1.181.212.3415 ->
50.17.254.186.www 5 1076 sER
09:01:30.032242 e tcp 164.109.105.182.www ->
35.69.108.245.11889 2 120 SR
09:01:30.044153 e tcp 165.1.181.212.3416 ->
50.17.254.187.www 5 1076 sER
09:01:30.067214 e tcp 111.237.214.170.www ->
157.216.170.55.2676 3 180 SR
09:01:30.089935 e s tcp 184.3.186.45.2907 <?>
192.48.235.79.www 188 107626 EfR
09:01:30.100910 e tcp 166.240.172.90.59566 ->
87.123.62.128.www 13 6634 sSER
09:01:30.103517 e tcp 164.61.150.68.3211 ->
110.11.67.104.www 12 4974 sSER
09:01:30.115002 e tcp 166.240.172.90.59567 ->
87.123.62.187.www 20 10100 sSER
09:01:30.136030 e tcp 154.188.62.27.44895 ->
192.48.236.65.www 45 25645 sER
09:01:30.196479 e tcp 164.34.106.254.4943 ->
111.101.7.193.www 94 89890 sSER
09:01:30.203517 e tcp 37.41.109.12.www ->
161.164.184.133.49588 26 8562 SER
09:01:30.219369 e tcp 138.123.105.215.3823 ->
164.34.222.121.www 474 39800 sER
09:01:30.227540 e tcp 110.87.125.122.1297 ->
164.61.200.76.www 7 2018 sSER
09:01:30.262842 e tcp 36.177.74.81.www ->
184.3.145.197.1789 13 13719 SEfR
09:01:30.309841 e tcp 36.7.245.63.www ->
161.164.204.185.4015 4 1043 SER
09:01:30.346086 e tcp 164.109.84.242.www ->
93.188.153.157.1149 35 24250 SER
09:01:30.398819 e tcp 154.188.84.193.35920 ->
36.132.97.243.www 7 1326 sSER
09:01:30.422082 eI S tcp 62.122.56.21.1760 ?>
165.72.184.212.www 4 240 ER
09:01:30.476588 e tcp 110.87.125.122.14990 ->
164.61.200.229.www 66 59404 sSER
09:01:30.477389 e tcp 186.218.90.219.8462 ->
37.28.161.174.www 10 3217 sSER
09:01:30.493936 e tcp 186.218.123.100.57084 ->
192.48.236.127.www 11 3698 sER
09:01:30.528469 e tcp 157.216.249.22.3938 ->
201.79.50.57.www 16 9274 sSER
09:01:30.574783 e tcp 165.72.159.144.49402 ->
192.48.236.205.www 7 3187 sER
09:01:30.608215 e d tcp 161.164.237.92.2270 ->
192.73.184.102.www 42 33320 sSER
..........
I have attached a file with a few flow entries in them that have this
behavior.
Notice this unusual output with this sample file:
diel at morte:~$ ra -r resetExample.argus -z
09:01:44.589353 e tcp 164.109.174.238.42969 ->
36.174.95.100.www 34 20482 sSER
09:01:44.925242 e tcp 164.109.174.238.42970 ->
36.174.95.100.www 74 38620 sSER
09:01:45.112644 e tcp 164.109.174.238.42971 ->
36.174.95.100.www 69 36967 sSER
09:02:12.675158 e tcp 164.109.174.238.42973 ->
36.174.95.100.www 108 68948 sSER
09:03:41.503642 e tcp 164.109.174.238.42975 ->
36.174.95.100.www 51 33970 sSER
09:06:27.431113 e tcp 164.109.174.238.42998 ->
36.174.95.100.www 7 2681 sSER
versus
diel at morte:~$ ra -r resetExample.argus -z - not reset
09:01:44.589353 e tcp 164.109.174.238.42969 ->
36.174.95.100.www 34 20482 sSER
09:02:12.675158 e tcp 164.109.174.238.42973 ->
36.174.95.100.www 108 68948 sSER
09:03:41.503642 e tcp 164.109.174.238.42975 ->
36.174.95.100.www 51 33970 sSER
Nick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: resetExample.argus
Type: application/octet-stream
Size: 1816 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080310/ea8f712d/attachment.obj>
More information about the argus
mailing list