new clients 3.0.1.beta.3 on server
Carter Bullard
carter at qosient.com
Fri Mar 13 15:22:20 EDT 2009
Gentle people,
There is new clients code on the server:
ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.2.beta.3.tar.gz
This fixes all known problems with argus-2.x data compatibility.
Fixes ./configure issues with "-lz".
There are some outstanding issues, but I don't have any reproducibility
on the problems with rastrip() and rastream() as of yet, so this
distribution should be usable.
This version has working copies of all the discussed software, including
database support and user data analysis (that's how we've referred to
it).
I would like to mention the user data programs a bit here.
The purpose of this technology is to identify the protocol that is being
used in a given flow. The concept is to generate a set of protocol
signatures, and to match the user data captured in argus records with
those signatures to give some assurance that the ports/addresses
are using the protocols they are supposed to use. A kind of channel
assurance technology.
The program rauserdata() will take in any number of argus records
and generate a set of application fingerprints that describe the
"observed" patterns in application data. These fingerprints are
used by raservices() to label flows with the best guess as to what
application was seen in this flow.
To run rauserdata() against an argus archive in directory dir, type:
rauserdata -R /path/to/dir -M encode 32 > protocol.sig
This may run for a little while. The file is rather interesting.
Here are the entries that my run generated against all the DNS traffic I've had
for the past few days.
Service: domain udp port 53 n = 12675 src = " 00 00010000000000 " dst = " 84 000100 00 00 "
Service: domain udp port 53 n = 4922 src = " 00 00010000000000 " dst = " 80 00 00 00 00 "
Service: domain udp port 53 n = 3469 src = " 01000001000000000000 " dst = " 000100 00 00 "
Service: domain udp port 53 n = 1075 src = " 00100001000000000001 " dst = " 8500000100 00 0000 "
Service: domain udp port 53 n = 1 src = "112A0100000100000000000006636D73" dst = "112A8180000100040005000306636D73"
Service: domain udp port 53 n = 1 src = "3FEA0010000100000000000108627469" dst = "3FEA8500000100010000000008627469"
Service: domain udp port 53 n = 1 src = "9C63001000010000000000011473736C" dst = "9C63850000010001000000001473736C"
When you build your sig file, you would probably throw away the entries
whose "n =" is less than something like 0.01% of the total number of
samples.
The "n = x" numbers provide raservices() with a notion of the distribution of
patterns in a given protocol, so it can make a better guess, if it has to.
I have a std.sig file in ./support/Config, that is a starting point for building
your own signature file. I do not think that it is a particularly good set of
signatures, so it's just a starting point. Generating a good signature file
will take time, and I hope that this list will help to generate many many
signatures as time goes.
To use the signatures, use raservices() to label flows with the
"service" label.
raservices -f protocol.sig -r argus.file -s +label
This will print the services label that raservices generates. You should see
that it should do a good job. The included std.sig has some entries that
help to highlight some of the features, such as "is there encrypted data"?
If so, it has some tests for that.
Please give these programs a run, and let's start talking about how to use
them effectively on the mailing list.
Hope all is most excellent,
Carter
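The fingerprint-then-label workflow described in the post (rauserdata() learning byte patterns with "n =" counts, raservices() labelling flows with a best guess, and the "channel assurance" check that a port carries the service it is supposed to), as an added Python illustration that is not argus code and not part of the post. The pattern encoding (".." as a wildcard byte), the PREFIX_LEN and MAX_MERGE parameters, the merge rule, the SERVICE_NAMES table and the sample flows are all constructed assumptions for this example; only the shape of the rendered "Service: ... n = ... src = ... dst = ..." line follows the post's output.

```python
"""Toy version of the rauserdata()/raservices() idea from the post.

learn()          folds the leading payload bytes of observed flows into
                 wildcard byte patterns per service, counting how often each
                 pattern was seen (the "n =" value)   -- like rauserdata()
label()          picks the best-guess service for a new payload pair, using
                 n as the weight when several patterns match -- like raservices()
check_channel()  compares that guess with the service the port is supposed
                 to carry, which is the "channel assurance" use of the labels

The pattern encoding, merge rule and sample flows are assumptions made for
this illustration; they are not argus's format or algorithm.
"""
from collections import defaultdict

PREFIX_LEN = 8   # payload bytes fingerprinted per direction (assumed)
MAX_MERGE = 4    # differing bytes (both directions) a pattern may absorb (assumed)
WILD = None      # wildcard byte inside a pattern, rendered as ".."


def _to_pattern(data):
    """First PREFIX_LEN bytes as a list; short payloads are padded with WILD."""
    head = list(data[:PREFIX_LEN])
    return head + [WILD] * (PREFIX_LEN - len(head))


def _distance(pattern, sample):
    """Fixed bytes of pattern that disagree with sample (WILD always agrees)."""
    return sum(1 for p, s in zip(pattern, sample) if p is not WILD and p != s)


def _merge(pattern, sample):
    """Keep bytes on which both agree, turn the rest into wildcards."""
    return [p if p == s else WILD for p, s in zip(pattern, sample)]


class Signature:
    def __init__(self, service, proto, port, src, dst):
        self.service, self.proto, self.port = service, proto, port
        self.src, self.dst, self.n = src, dst, 1

    def matches(self, src, dst):
        return _distance(self.src, src) == 0 and _distance(self.dst, dst) == 0

    def render(self):
        """One line in the spirit of the post's rauserdata() output."""
        hexify = lambda pat: "".join(".." if b is WILD else "%02X" % b for b in pat)
        return (f'Service: {self.service} {self.proto} port {self.port} '
                f'n = {self.n} src = "{hexify(self.src)}" dst = "{hexify(self.dst)}"')


def learn(flows, service_names):
    """rauserdata()-like step. flows: (proto, port, client_payload, server_payload)."""
    sigs = []
    for proto, port, src_bytes, dst_bytes in flows:
        service = service_names.get((proto, port), "unknown")
        src, dst = _to_pattern(src_bytes), _to_pattern(dst_bytes)
        best, best_cost = None, MAX_MERGE + 1
        for sig in sigs:
            if (sig.service, sig.proto, sig.port) != (service, proto, port):
                continue
            cost = _distance(sig.src, src) + _distance(sig.dst, dst)
            if cost < best_cost:          # cheapest pattern that can absorb it
                best, best_cost = sig, cost
        if best is not None:
            best.src, best.dst, best.n = _merge(best.src, src), _merge(best.dst, dst), best.n + 1
        else:
            sigs.append(Signature(service, proto, port, src, dst))
    return sigs


def prune(sigs, min_fraction):
    """Drop rare patterns, as the post suggests for entries below ~0.01% of samples."""
    total = sum(s.n for s in sigs)
    return [s for s in sigs if s.n >= min_fraction * total]


def label(sigs, src_bytes, dst_bytes):
    """raservices()-like step: best-guess service, weighting matches by n."""
    src, dst = _to_pattern(src_bytes), _to_pattern(dst_bytes)
    score = defaultdict(int)
    for s in sigs:
        if s.matches(src, dst):
            score[s.service] += s.n
    return max(score, key=score.get) if score else None


def check_channel(sigs, service_names, proto, port, src_bytes, dst_bytes):
    """(expected, observed, ok): does this port carry the service it should?"""
    expected = service_names.get((proto, port), "unknown")
    observed = label(sigs, src_bytes, dst_bytes)
    return expected, observed, observed == expected


def dns_query(txid):  # constructed: ID, flags 0100, QDCOUNT 1, ANCOUNT 0
    return bytes.fromhex(txid + "010000010000")


def dns_reply(txid):  # constructed: ID, flags 8180, QDCOUNT 1, ANCOUNT 1
    return bytes.fromhex(txid + "818000010001")


SERVICE_NAMES = {("udp", 53): "domain", ("tcp", 80): "http"}   # assumed port table

# constructed sample flows: (proto, port, client payload, server payload)
FLOWS = [
    ("udp", 53, dns_query("112A"), dns_reply("112A")),
    ("udp", 53, dns_query("3FEA"), dns_reply("3FEA")),
    ("udp", 53, dns_query("9C63"), dns_reply("9C63")),
    ("tcp", 80, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    ("tcp", 80, b"POST /api HTTP/1.1\r\n", b"HTTP/1.1 404 Not Found\r\n"),
]

if __name__ == "__main__":
    sigs = prune(learn(FLOWS, SERVICE_NAMES), 0.0001)
    for s in sigs:
        print(s.render())
    # HTTP-shaped user data on udp/53: expected "domain", observed "http", not ok
    print(check_channel(sigs, SERVICE_NAMES, "udp", 53,
                        b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"))
```

Running it shows the DNS transaction ID folded into wildcards (`....010000010000`) with n = 3, two http patterns with n = 2 and n = 1 that give label() the kind of distribution the post's "n = x" numbers provide, and a mismatch report for HTTP-shaped payload on udp/53; a payload that matches no pattern is labelled None rather than guessed.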