argus 3 - direction determination algorithm

John Gerth gerth at graphics.stanford.edu
Tue Apr 6 15:22:27 EDT 2010


Having recently switched my sensor to argus3, I'm now trying to get my head around
some of the changes.  Today, one of my standard reports on IRC traffic lit up
indicating that dozens of our machines were now talking to servers with sketchy
reputations.

However, looking at the flows in detail with "ra -Zb ..." it seems what was really going on
was a remote SYN-ACK scan from those servers to which our machines were responding
with reset packets. However, argus claimed that our machines were the src IPs for the flow.

IIRC, argus3 changed the argus2 algorithm for determining flow direction. Now, I can
certainly imagine that SYN-ACK might be taken as an indication of a dst IP. If that's
true, I'm probably going to want to flip it back for the situation above.  I'm not
throwing a rock here. I understand direction determination is non-trivial.

Is there a description of the argus3 algorithm for direction determination?

-- 
John Gerth      gerth at cs.stanford.edu  Gates 378   (650) 725-3273  fax 723-0033
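As an added illustration (not Argus code and not a description of its actual algorithm, which the question above asks for), the two hypothetical direction rules below are applied to a constructed SYN-ACK scan flow and to a genuine outbound connection: they disagree on the first and agree on the second, which is exactly how a report keyed on "src is one of ours" can light up on inbound probes. Addresses, rule names and the triage helper are all made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int

def direction_first_packet(pkts: List[Packet]) -> Tuple[str, str]:
    """Rule A (hypothetical): the sender of the first packet seen is src."""
    return (pkts[0].src, pkts[0].dst)

def direction_tcp_flags(pkts: List[Packet]) -> Tuple[str, str]:
    """Rule B (hypothetical): a bare-SYN sender is src, a SYN-ACK sender is
    dst; with neither flag pattern in the flow, fall back to Rule A."""
    for p in pkts:
        handshake = p.flags & (SYN | ACK)
        if handshake == SYN:
            return (p.src, p.dst)
        if handshake == (SYN | ACK):
            return (p.dst, p.src)
    return direction_first_packet(pkts)

def looks_like_synack_scan(pkts: List[Packet]) -> bool:
    """Direction-independent triage: a SYN-ACK with no bare SYN anywhere in
    the flow, and every non-SYN-ACK packet (if any) carrying RST."""
    kinds = [p.flags & (SYN | ACK) for p in pkts]
    no_syn = SYN not in kinds and (SYN | ACK) in kinds
    rst_only = all(p.flags & RST for p in pkts if p.flags & (SYN | ACK) != (SYN | ACK))
    return no_syn and rst_only

def is_outbound(pkts: List[Packet], rule: Callable, local_prefix: str = "10.") -> bool:
    """What a report keyed on 'src address is one of ours' would conclude."""
    src, _ = rule(pkts)
    return src.startswith(local_prefix)

# Constructed sample flows (documentation address ranges, not real hosts).
SYNACK_SCAN = [
    Packet("203.0.113.5", "10.0.0.7", SYN | ACK),  # unsolicited SYN-ACK from outside
    Packet("10.0.0.7", "203.0.113.5", RST),        # our host rejects it
]
OUTBOUND_CONNECT = [
    Packet("10.0.0.7", "203.0.113.5", SYN),
    Packet("203.0.113.5", "10.0.0.7", SYN | ACK),
    Packet("10.0.0.7", "203.0.113.5", ACK),
]
```

Under Rule B the scan flow's src is the internal host (the effect described in the post), under Rule A it is the remote prober; the triage helper flags the flow as a probe either way, so a report can filter on it before applying a direction-based check.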