Argus-info Digest, Vol 43, Issue 17

Carter Bullard carter at qosient.com
Mon Mar 16 13:36:34 EDT 2009


Yes, regarding fields that don't have values, in this algorithm, you are correct.

Yes, racluster() is a good thing to experiment with; however, many protocols
have recurring patterns in every packet, and the way that argus generates
its user data capture, trends like this will be detectable.

So clustering is not really a part of the purpose of the tools.

The trick to raservices() is that it finds the best guess protocol on a
particular port when the protocol doesn't conform to the set of signatures
for that port.  So we'll discover the protocol, so to speak.

As an example to address all your questions, when I ftp a set of argus files
that are large enough to generate multiple argus records, on a good day
raservices() will identify the first set of flow status reports as having
"ftp-data" as the service, but many of the intermediate flow status records
will be reported as "argus" (not all but many).

I think that is a good example of what we would be trying to accomplish
with these types of tools.  We have a long way to go to make them
useful, but this is a start.

Carter

On Mar 16, 2009, at 8:34 AM, CS Lee wrote:

> hi carter,
>
> For the service fingerprint, I notice you have signature like this -
>
> dst = "    84  000100  00  00          "
>
> Does it mean those in the blank can be any byte value?
>
> On the other hand, do you suggest using racluster to merge the flows
> so we don't get much midstream in the ra flow records before generating
> the signatures? It also avoids a lot of unidentified flow records,
> as they are in midstream.
>
> Plus, does rauserdata have radump's capability, where it can decode certain
> protocols correctly? I think that will help in generating clean
> signatures too.
>
> Thanks for the new tool, again!
>
>
> On Sun, Mar 15, 2009 at 12:00 AM, <argus-info-request at lists.andrew.cmu.edu> wrote:
>
> Today's Topics:
>
>   1.  new clients 3.0.1.beta.3 on server (Carter Bullard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 13 Mar 2009 15:22:20 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: [ARGUS] new clients 3.0.1.beta.3 on server
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <69954D7A-4D5F-485B-A3D1-80B107022A09 at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Gentle people,
> There is new clients code on the server:
>    ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.2.beta.3.tar.gz
>
> This fixes all known problems with argus-2.x data compatibility.
> Fixes ./configure issues with "-lz".
>
> There are some outstanding issues, but I don't have any reproducibility
> on the problems with rastrip() and rastream() as of yet, so this
> distribution should be usable.
>
> This version has working copies of all the discussed software, including
> database support and user data analysis (that's how we've referred to it).
>
> I would like to mention the user data programs a bit here.
>
> The purpose of this technology is to identify the protocol that is being
> used in a given flow.  The concept is to generate a set of protocol
> signatures, and to match the user data captured in argus records with
> those signatures to give some assurance that the ports/addresses
> are using the protocols they are supposed to use.  A kind of channel
> assurance technology.
>
> The program rauserdata() will take in any number of argus records,
> and generate a set of application fingerprints, that describe the
> "observed" patterns in application data.  These fingerprints are
> used by raservices(), to label flows with the best guess as to what
> application was seen in this flow.
>
> To run rauserdata() against an argus archive in directory dir, type:
>
>    rauserdata -R /path/to/dir -M encode 32 > protocol.sig
>
> This may run for a little while.  The file is rather interesting.  Here are
> the entries that my run generated against all the DNS traffic I've had
> for the past few days.
>
> Service: domain      udp port 53    n = 12675 src = "    00
> 00010000000000          "  dst = "    84  000100  00  00          "
> Service: domain      udp port 53    n =  4922 src = "    00
> 00010000000000          "  dst = "    80  00  00  00  00          "
> Service: domain      udp port 53    n =  3469 src = "
> 01000001000000000000        "  dst = "        000100  00   
> 00          "
> Service: domain      udp port 53    n =  1075 src = "
> 00100001000000000001        "  dst = "    8500000100  00   
> 0000        "
> Service: domain      udp port 53    n =     1 src =
> "112A0100000100000000000006636D73"  dst =
> "112A8180000100040005000306636D73"
> Service: domain      udp port 53    n =     1 src =
> "3FEA0010000100000000000108627469"  dst =
> "3FEA8500000100010000000008627469"
> Service: domain      udp port 53    n =     1 src =
> "9C63001000010000000000011473736C"  dst =
> "9C63850000010001000000001473736C"
>
> When you build your sig file, you would probably throw away the entries
> whose "n =" is less than something like 0.01% of the total number of
> samples.
>
> The "n = x" numbers provide raservices() with a notion of the distribution of
> patterns in a given protocol, so it can make a better guess, if it has to.
>
> I have a std.sig file in ./support/Config, that is a starting point for building
> your own signature file.  I do not think that it is a particularly good set of
> signatures, so it's just a starting point.   Generating a good signature file
> will take time, and I hope that this list will help to generate many many
> signatures as time goes.
>
> To use the signatures, use raservices() to label flows with the
> "service" label.
>
>    raservices -f protocol.sig -r argus.file -s +label
>
> This will print the services label that raservices generates.  You should see
> that it does a good job.  The included std.sig has some entries that
> help to highlight some of the features, such as "is there encrypted data?"
> If so, it has some tests for that.
>
> Please give these programs a run, and let's start talking about how to use
> them effectively on the mailing list.
>
> Hope all is most excellent,
>
> Carter
>
>
>
> -- 
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
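To make the signature format from the digest concrete, here is an added example (not part of the thread or of the argus clients) that parses lines in the rauserdata "Service:" layout, applies the 0.01%-of-samples pruning suggested above, and matches captured user data against the patterns, treating a blank byte pair as "any byte" as confirmed in the reply. The signature lines, the 32-hex-char field width, the both-directions match and the "largest n wins" tie-break are assumptions made here, not argus's own behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample in the rauserdata output layout quoted in the digest.
# Each field is 32 hex chars (16 bytes); two spaces stand for "any byte".
SIG_TEXT = """\
Service: domain      udp port 53    n = 12675 src = "    01000001000000000000        "  dst = "    84  000100  00  00          "
Service: domain      udp port 53    n =  4922 src = "    01000001000000000000        "  dst = "    80  00  00  00  00          "
Service: domain      udp port 53    n =     1 src = "112A0100000100000000000006636D73"  dst = "112A8180000100040005000306636D73"
"""

SIG_RE = re.compile(
    r'Service:\s+(?P<service>\S+)\s+(?P<proto>\S+)\s+port\s+(?P<port>\d+)'
    r'\s+n\s*=\s*(?P<n>\d+)\s+src\s*=\s*"(?P<src>[^"]*)"\s+dst\s*=\s*"(?P<dst>[^"]*)"')

@dataclass
class Signature:
    service: str
    proto: str
    port: int
    n: int      # sample count reported by rauserdata
    src: str    # hex pattern for the initiator's data, blanks are wildcards
    dst: str    # hex pattern for the responder's data

def parse_sigs(text):
    """Parse every well-formed 'Service:' line; other lines are ignored."""
    sigs = []
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            sigs.append(Signature(m["service"], m["proto"], int(m["port"]),
                                  int(m["n"]), m["src"], m["dst"]))
    return sigs

def prune(sigs, min_fraction=0.0001):
    """Drop entries whose n is below min_fraction (0.01%) of all samples."""
    total = sum(s.n for s in sigs)
    return [s for s in sigs if s.n >= total * min_fraction]

def pattern_matches(pattern, payload_hex):
    """Compare byte pairs positionally; a blank pair matches any byte.
    Assumption: a fixed byte beyond the end of the captured payload fails."""
    payload_hex = payload_hex.upper()
    for i in range(0, len(pattern), 2):
        want = pattern[i:i + 2]
        if want.strip() and payload_hex[i:i + 2] != want.upper():
            return False
    return True

def best_guess(sigs, proto, port, src_hex, dst_hex):
    """Service of the most frequent signature matching both directions, else None."""
    hits = [s for s in sigs if s.proto == proto and s.port == port
            and pattern_matches(s.src, src_hex) and pattern_matches(s.dst, dst_hex)]
    return max(hits, key=lambda s: s.n).service if hits else None
```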


