argus 3 - direction determination algorithm

Carter Bullard carter at qosient.com
Tue Apr 6 15:58:39 EDT 2010 

Hey John,
In argus-3.0, we removed most of the direction logic out of argus, and moved
it into the clients, just for this very situation.  argus-2.x would declare that the
originator of a SYN_ACK packet was the destination, regardless of what was
going on, and we put a lot of complex logic in the clients to try to deal with
that when it was a A.SYN_ACK / B.RESET volley.

You should be getting that A is the source, now, and that B is the destination.
If that is not correct, then, could you send some flow records that demonstrate
the problem, so I can debug?  Better yet, if you had a packet capture, then
I can debug the whole flow thread.  I'll look around for a packet trace, maybe
on 

Thanks!!!!

Carter

On Apr 6, 2010, at 3:22 PM, John Gerth wrote:

> Having recently switched my sensor to argus3, I'm now trying to get my head around
> some of the changes.  Today, one of my standard reports on IRC traffic lit up
> indicating that dozens of our machines were now talking to servers with sketchy
> reputations.
> 
> However, looking at the flows in detail with "ra -Zb ..." it seems what was really going on
> was a remote SYN-ACK scan from those servers to which our machines were responding
> with reset packets. However, argus claimed that our machines were the src IPs for the flow.
> 
> IIRC, argus3 changed the argus2 algorithm for determining flow direction. Now, I can
> certainly imagine that SYN-ACK might be taken as an indication of a dst IP. If that's
> true, I'm probably going to want to flip it back for the situation above.  I'm not
> throwing a rock here. I understand direction determination is non-trivial.
> 
> Is there a description of the argus3 algorithm for direction determination?
> 
> -- 
> John Gerth      gerth at cs.stanford.edu  Gates 378   (650) 725-3273  fax 723-0033
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100406/737d0387/attachment.bin>

More information about the argus mailing list