Question about URL's and DNS Queries
Mark Poepping
poepping at cmu.edu
Thu Oct 22 18:13:43 EDT 2009
We are doing this for DNS. We don't exactly have it inline yet (our student
employee has midterms), but we use this information to feed network
diagnostics (and DNS server validation), security incident (IDS) efforts and
forensics, plus researcher investigations as appropriate. We use argus as
the probe for network traffic and currently translate the DNS query-response
data into EDDY (www.cmu.edu/eddy) for orchestration and normalization with
other log/performance data. All in all, we're still trying to get the hang
of the second and third-order values in this style of monitoring
information.
Mark.
-----Original Message-----
From: argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu
[mailto:argus-info-bounces+poepping=cmu.edu at lists.andrew.cmu.edu] On Behalf
Of Mark Bartlett
Sent: Thursday, October 22, 2009 1:57 PM
To: Carter Bullard
Cc: Argus
Subject: Re: [ARGUS] Question about URL's and DNS Queries
Thanks Carter.. That did the trick, like it always does.....
Anyone else using ARGUS for this purpose???
What I am trying to do is 'verify' if a user is going to malicious
sites.... So we have another mechanism with a 'black list' of sorts
that might trigger on a URL or IP Address and I am trying to 'verify'
that the user has gone to a 'bad site" with the ARGUS data.... I will
also be 'pulling' the DNS info for the same 'purpose'.....
mab
On Thu, Oct 22, 2009 at 1:45 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Mark,
> Try using radump(). It will decode the user data buffer according to
> a set of rules, and printout tcpdump() like output for the contents.
> You will need to tell it how much of the user data buffer you want it
> to decode, and that is specified using the "-s suser:128" option to
> specify the size.
>
> So:
> radump -r argus.out -s +suser:128 +duser:128 - port 53
>
> Or something like that.
>
> Carter
>
> On Oct 22, 2009, at 1:36 PM, Mark Bartlett wrote:
>
>> Hello all,
>>
>> I'm trying to 'see' URLs and DNS queries using ARGUS... I am using
>> the latest version of ARGUS and ARGUS-CLIENTS - Argus Version 3.0.2...
>>
>> Here is what I get with the DNS Queries:
>>
>> [root at argus_server argustest]# ra -F /opt/ARGUS/CONF/excel.rarc -r
>> argus.out - port 53
>>
>>
12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]
=.............rea
>>
>>
12345,192.168.50.138,192.168.100.33,17,32768,53,s[16]=.............rea,d[16]
=.............rea
>>
>> and if I do a capture with TCPDUMP I get this:
>>
>> [root at argus_server ~]# tcpdump -nni eth0 -s 258 port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 258 bytes
>> 13:15:23.482375 IP 192.168.50.138.32768 > 192.168.100.33.53: 57520+
>> A? reaper.gsirt.com. (34)
>> 13:15:23.483296 IP 192.168.100.33.53 > 192.168.50.138.32768: 57520*
>> 1/1/0 A 192.168.100.33 (64)
>>
>> So you can see it doesn't look like the suser data is 'right'???
>>
>> Here are my excel.rarc settings;
>>
>> RA_FIELD_DELIMITER=','
>> RA_PRINT_NAMES=none
>> RA_FIELD_SPECIFIER="srcid saddr daddr proto sport dport suser duser"
>>
>>
>> My argus.conf file has the following set:
>>
>> ARGUS_CAPTURE_DATA_LEN=256
>>
>> So question one: Am I using the 'right' command???
>>
>> Question two: Is there another 'setting' I need to configure to have
>> more than 16 spaces in the suser/duser values??
>>
>> And Carter, I was thinking about going to FloCon10... Any idea what
>> the registration fee is???
>>
>> Thanks.
>>
>> mark
>>
>
>
More information about the argus
mailing list