Argus-info Digest, Vol 43, Issue 17

CS Lee geek00l at gmail.com
Mon Mar 16 08:34:14 EDT 2009


Hi Carter,

For the service fingerprint, I notice you have a signature like this:

dst = "    84  000100  00  00          "

Does it mean those in the blank can be any byte value?

On the other hand, do you suggest using racluster to merge the flows so we
don't get much midstream in the ra flow records before generating the
signatures? It also avoids a lot of unidentified flow records, as they are
in midstream.

Plus, does rauserdata have the radump capability where it can decode certain
protocols correctly? I think that will help in generating clean
signatures too.

Thanks for the new tool, again!


On Sun, Mar 15, 2009 at 12:00 AM,
<argus-info-request at lists.andrew.cmu.edu> wrote:

> Send Argus-info mailing list submissions to
>        argus-info at lists.andrew.cmu.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
> or, via email, send a message with subject or body 'help' to
>        argus-info-request at lists.andrew.cmu.edu
>
> You can reach the person managing the list at
>        argus-info-owner at lists.andrew.cmu.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Argus-info digest..."
>
>
> Today's Topics:
>
>   1.  new clients 3.0.1.beta.3 on server (Carter Bullard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 13 Mar 2009 15:22:20 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: [ARGUS] new clients 3.0.1.beta.3 on server
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <69954D7A-4D5F-485B-A3D1-80B107022A09 at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Gentle people,
> There is new clients code on the server:
>    ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.2.beta.3.tar.gz
>
> This fixes all known problems with argus-2.x data compatibility.
> Fixes ./configure issues with "-lz".
>
> There are some outstanding issues, but I don't have any reproducibility
> on the problems with rastrip() and rastream() as of yet, so this
> distribution should be usable.
>
> This version has working copies of all the discussed software, including
> database support and user data analysis (that's how we've referred to
> it).
>
> I would like to mention the user data programs a bit here.
>
> The purpose of this technology is to identify the protocol that is being
> used in a given flow.  The concept is to generate a set of protocol
> signatures, and to match the user data captured in argus records with
> those signatures to give some assurance that the ports/addresses
> are using the protocols they are supposed to use.  A kind of channel
> assurance technology.
>
> The program rauserdata() will take in any number of argus records,
> and generate a set of application fingerprints, that describe the
> "observed" patterns in application data.  These fingerprints are
> used by raservices(), to label flows with the best guess as to what
> application was seen in this flow.
>
> To run rauserdata() against an argus archive in directory dir, type:
>
>    rauserdata -R /path/to/dir -M encode 32 > protocol.sig
>
> This may run for a little while.  The file is rather interesting.
> Here are the entries that my run generated against all the DNS traffic
> I've had for the past few days.
>
> Service: domain      udp port 53    n = 12675 src = "    00  00010000000000          "  dst = "    84  000100  00  00          "
> Service: domain      udp port 53    n =  4922 src = "    00  00010000000000          "  dst = "    80  00  00  00  00          "
> Service: domain      udp port 53    n =  3469 src = "    01000001000000000000        "  dst = "        000100  00  00          "
> Service: domain      udp port 53    n =  1075 src = "    00100001000000000001        "  dst = "    8500000100  00  0000        "
> Service: domain      udp port 53    n =     1 src = "112A0100000100000000000006636D73"  dst = "112A8180000100040005000306636D73"
> Service: domain      udp port 53    n =     1 src = "3FEA0010000100000000000108627469"  dst = "3FEA8500000100010000000008627469"
> Service: domain      udp port 53    n =     1 src = "9C63001000010000000000011473736C"  dst = "9C63850000010001000000001473736C"
>
> When you build your sig file, you would probably throw away the entries
> whose "n =" is less than something like 0.01% of the total number of
> samples.
>
> The "n = x" numbers provide raservices() with a notion of the
> distribution of patterns in a given protocol, so it can make a better
> guess, if it has to.
>
> I have a std.sig file in ./support/Config, that is a starting point
> for building your own signature file.  I do not think that it is a
> particularly good set of signatures, so it's just a starting point.
> Generating a good signature file will take time, and I hope that this
> list will help to generate many, many signatures as time goes.
>
> To use the signatures, use raservices() to label flows with the
> "service" label.
>
>    raservices -f protocol.sig -r argus.file -s +label
>
> This will print the services label that raservices generates.  You
> should see that it does a good job.  The included std.sig has some
> entries that help to highlight some of the features, such as "is there
> encrypted data?"  If so, it has some tests for that.
>
> Please give these programs a run, and let's start talking about how to
> use them effectively on the mailing list.
>
> Hope all is most excellent,
>
> Carter
>
>
>
> ------------------------------
>
> _______________________________________________
> Argus-info mailing list
> Argus-info at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>
>
> End of Argus-info Digest, Vol 43, Issue 17
> ******************************************
>



-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
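Added example, not from the argus-clients distribution and not Carter's or CS Lee's code: a Python matcher that parses the rauserdata output format quoted above and applies its signatures to user-data bytes. It assumes (the post does not say so explicitly) that each two-character column of the 32-column string is one byte of the first 16 bytes of user data, and that a column of two spaces is a wildcard byte, which is the reading CS Lee is asking about. The signature lines and the DNS query/response payloads in the block are constructed for the example, and the matching order (most frequently observed pattern wins) is the example's own choice, not necessarily what raservices does.

```python
"""Added example, not part of argus-clients: parse rauserdata-style signature
lines and match them against user-data bytes.

Assumptions (not stated in the post): a signature is 32 hex columns covering
the first 16 bytes of user data, and a two-space column is a wildcard byte.
The signature lines and DNS payloads below are constructed for the example."""

import re
from collections import namedtuple

SIG_WIDTH = 32            # 32 hex columns = 16 bytes of user data (assumed)
Entry = namedtuple("Entry", "service proto port n src dst")

# Constructed sample in the format quoted in Carter's post
SAMPLE_SIG = '''\
Service: domain      udp port 53    n = 12675 src = "    00  00010000000000          "  dst = "    84  000100  00  00          "
Service: domain      udp port 53    n =  4922 src = "    00  00010000000000          "  dst = "    80  00  00  00  00          "
Service: domain      udp port 53    n =     1 src = "112A0100000100000000000006636D73"  dst = "112A8180000100040005000306636D73"
'''

LINE_RE = re.compile(
    r'Service:\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+n\s*=\s*(\d+)\s+'
    r'src\s*=\s*"([^"]*)"\s+dst\s*=\s*"([^"]*)"')


def parse_sig(text):
    """Parse signature lines; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            service, proto, port, n, src, dst = m.groups()
            entries.append(Entry(service, proto, int(port), int(n), src, dst))
    return entries


def compile_pattern(sig):
    """Turn a signature string into one value per byte: an int, or None for
    a wildcard column (two spaces). Short strings are padded with wildcards."""
    sig = sig.ljust(SIG_WIDTH)
    pattern = []
    for i in range(0, SIG_WIDTH, 2):
        col = sig[i:i + 2]
        pattern.append(None if col == "  " else int(col, 16))
    return pattern


def matches(sig, data):
    """True when every fixed byte of the signature equals the byte at the
    same offset in data; wildcard positions (and data beyond 16 bytes) are
    not examined.  Data shorter than the last fixed byte does not match."""
    for offset, want in enumerate(compile_pattern(sig)):
        if want is None:
            continue
        if offset >= len(data) or data[offset] != want:
            return False
    return True


def prune(entries, min_fraction=0.0001):
    """Drop entries whose sample count n is below min_fraction of the total,
    the 0.01% rule of thumb suggested in the post."""
    total = sum(e.n for e in entries)
    return [e for e in entries if e.n >= min_fraction * total]


def classify(entries, src_data, dst_data):
    """Return the service name of the matching entry with the largest n
    (the most frequently observed pattern), or None if nothing matches."""
    best = None
    for e in entries:
        if matches(e.src, src_data) and matches(e.dst, dst_data):
            if best is None or e.n > best.n:
                best = e
    return best.service if best else None


# Constructed DNS exchange: a query with the CD bit set for www.example.com,
# and an authoritative answer (flags 0x8400) carrying one answer record.
DNS_QUERY = bytes.fromhex(
    "1234 0010 0001 0000 0000 0000"        # id, flags, qd=1, an=0, ns=0, ar=0
    "03777777076578616d706c6503636f6d00"   # www.example.com
    "0001 0001")                           # type A, class IN
DNS_REPLY = bytes.fromhex(
    "1234 8400 0001 0001 0000 0000"        # id, flags QR|AA, qd=1, an=1
    "03777777076578616d706c6503636f6d00"
    "0001 0001")

if __name__ == "__main__":
    sigs = prune(parse_sig(SAMPLE_SIG))
    print(len(sigs), "signatures kept after pruning")
    print("classified as:", classify(sigs, DNS_QUERY, DNS_REPLY))
```

With the sample file, prune() drops the n = 1 entry (it is below 0.01% of the 17598 samples) and classify() labels the constructed exchange "domain" through the n = 12675 entry: the query's flags byte 0x00 and qdcount 1 satisfy the src pattern, and the reply's 0x84 flags byte satisfies the dst pattern, while the 0x80 entry does not. A payload that matches no fixed byte, such as an HTTP request, gets no label, which is the "unidentified" outcome CS Lee mentions.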