Question about URL's and DNS Queries

Mark Bartlett mabartle at gmail.com
Thu Oct 22 13:57:21 EDT 2009


Thanks Carter.. That did the trick, like it always does.....

Anyone else using ARGUS for this purpose???

What I am trying to do is 'verify' if a user is going to malicious
sites....  So we have another mechanism with a 'black list' of sorts
that might trigger on a URL or IP Address and I am trying to 'verify'
that the user has gone to a 'bad site' with the ARGUS data....  I will
also be 'pulling' the DNS info for the same 'purpose'.....

mab

On Thu, Oct 22, 2009 at 1:45 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Mark,
> Try using radump().  It will decode the user data buffer according to
> a set of rules, and print out tcpdump()-like output for the contents.
> You will need to tell it how much of the user data buffer you want it
> to decode, and that is specified using the "-s suser:128" option to
> specify the size.
>
> So:
>   radump -r argus.out -s +suser:128 +duser:128 - port 53
>
> Or something like that.
>
> Carter
>
> On Oct 22, 2009, at 1:36 PM, Mark Bartlett wrote:
>
>> Hello all,
>>
>> I'm trying to 'see' URLs and DNS queries using ARGUS...  I am using
>> the latest version of ARGUS and ARGUS-CLIENTS - Argus Version 3.0.2...
>>
>> Here is what I get with the DNS Queries:
>>
>> [root at argus_server argustest]# ra -F /opt/ARGUS/CONF/excel.rarc -r
>> argus.out - port 53
>>
>> 12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]=.............rea
>>
>> 12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]=.............rea
>>
>> and if I do a capture with TCPDUMP I get this:
>>
>> [root at argus_server ~]# tcpdump -nni eth0 -s 258 port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 258 bytes
>> 13:15:23.482375 IP 192.168.50.138.32768 > 192.168.100.33.53:  57520+
>> A? reaper.gsirt.com. (34)
>> 13:15:23.483296 IP 192.168.100.33.53 > 192.168.50.138.32768:  57520*
>> 1/1/0 A 192.168.100.33 (64)
>>
>> So you can see it doesn't look like the suser data is 'right'???
>>
>> Here are my excel.rarc settings:
>>
>> RA_FIELD_DELIMITER=','
>> RA_PRINT_NAMES=none
>> RA_FIELD_SPECIFIER="srcid saddr daddr proto sport dport suser duser"
>>
>>
>> My argus.conf file has the following set:
>>
>> ARGUS_CAPTURE_DATA_LEN=256
>>
>> So question one:  Am I using the 'right' command???
>>
>> Question two:  Is there another 'setting' I need to configure to have
>> more than 16 spaces in the suser/duser values??
>>
>> And Carter, I was thinking about going to FloCon10... Any idea what
>> the registration fee is???
>>
>> Thanks.
>>
>> mark
>>
>
>
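As an added example (not part of this thread and not code from the argus project), the following Python decoder takes the raw DNS payload bytes that a suser/duser capture would hold, pulls out the query name and any A answers, and checks the names against a domain blocklist, which is the verification step Mark describes. It also reports payloads that are too short to decode, which is what a 16-byte user-data capture would produce. The sample packets, the 203.0.113.7 answer, the blocklist entry bad-site.example and all function names are constructed for this example; only reaper.gsirt.com and the 192.168.x addresses come from the thread.

```python
"""Decode DNS messages from raw UDP payload bytes and check the queried names
against a domain blocklist.  Added example; not code from the argus project."""
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def _parse_name(data, offset, depth=0):
    """Read a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Raises ValueError when the buffer ends before the name does."""
    if depth > 5:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated name at offset %d" % offset)
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # two-byte pointer into the message
            if offset + 2 > len(data):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = _parse_name(data, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_dns(payload):
    """Return txid, response flag, the question list and any A answers of one message."""
    if len(payload) < 12:
        raise ValueError("truncated header: only %d bytes" % len(payload))
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _parse_name(payload, off)
        if off + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    for _ in range(an):
        name, off = _parse_name(payload, off)
        if off + 10 > len(payload):
            raise ValueError("truncated answer")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and len(rdata) == 4:             # keep A records; the resolved IP is evidence
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def matches_blocklist(name, blocklist):
    """True if the name or any parent domain is listed (x.bad-site.example hits bad-site.example)."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def check_flows(flows, blocklist):
    """flows: iterable of (saddr, daddr, dns_payload).  Returns blocklist hits and
    the flows whose payload was too short to decode (so they can be re-captured)."""
    result = {"hits": [], "undecodable": []}
    for saddr, daddr, payload in flows:
        try:
            msg = parse_dns(payload)
        except ValueError as exc:
            result["undecodable"].append((saddr, daddr, str(exc)))
            continue
        for qname, qtype in msg["questions"]:
            if matches_blocklist(qname, blocklist):
                result["hits"].append({"saddr": saddr, "daddr": daddr, "qname": qname,
                                       "qtype": qtype, "response": msg["response"],
                                       "answers": [ip for _, ip in msg["answers"]]})
    return result


# --- constructed sample data (not captured traffic) -------------------------
def build_query(txid, name, qtype=1):
    """Build a standard recursive query; for reaper.gsirt.com this is the 34-byte
    message size the thread's tcpdump line shows."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def build_a_response(query, ip):
    """Answer a query with one A record whose name is a compression pointer to the question."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return query[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0) + query[12:] + rr


QUERY = build_query(57520, "reaper.gsirt.com")           # from the thread's tcpdump output
BAD_QUERY = build_query(2, "evil.bad-site.example")     # constructed lookup of a listed domain
SAMPLE_FLOWS = [
    ("192.168.50.138", "192.168.100.33", QUERY),
    ("192.168.50.138", "192.168.100.33", BAD_QUERY),
    ("192.168.100.33", "192.168.50.138", build_a_response(BAD_QUERY, "203.0.113.7")),
    ("192.168.50.138", "192.168.100.33", BAD_QUERY[:16]),   # what a 16-byte user-data capture yields
]
BLOCKLIST = {"bad-site.example"}                          # constructed blocklist entry

if __name__ == "__main__":
    for hit in check_flows(SAMPLE_FLOWS, BLOCKLIST)["hits"]:
        print(hit)
```

The undecodable list is the useful diagnostic here: if every DNS flow lands in it, the capture length (ARGUS_CAPTURE_DATA_LEN) or the requested display width (+suser:128) is too small to hold the question section, and no blocklist verdict can be drawn from that data.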
