Teredo discovery support now in argus-3.0.3

[Carter Bullard]

Gentle people,
With some out of band discussion on the teredo support, I've
changed the default behavior of argus() to simply mark potential
teredo tunnels, using the encapsulation bit mask, but report
the flow as the traditional base IPv4 / UDP flow.  I'll upload this
version of argus-3.0.3 in the next round (possibly tomorrow).

For those unaware, teredo is IPv6 over UDP, and is turned on by
default in Windows Vista and 7.  This is a potential security problem,
thus the need to be able to detect its use.

This makes sense, as the traditional IPv4/UDP flow has end-to-end
network relevance (firewall policy enforcement, qos, src and end-
point identification), so it is important to be able to report this
as the parent flow.  Important thing is to indicate potential use of
teredo in the flow mix.

To find potential teredo flows, you can use the filter "encaps teredo", or
print the 'senc' and/or 'denc' fields and look for an uppercase 'T', which
indicates teredo encapsulation.


There is now an argus.conf variable to turn on ARGUS_TUNNEL_DISCOVERY,
which will cause argus to parse up the stack and find the highest parsed
transport header to report as the flow.  To test and develop this new strategy,
we'll use teredo as the test case protocol to develop the supporting data
structures to make this work really well.

So, if you have a packet capture, and you suspect teredo, argus will
currently print out the IPv6, and upper transport identifiers, when the
ARGUS_TUNNEL_DISCOVERY variable is  "yes".

There is a packet capture file with Teredo packets in them at
http://wiki.wireshark.org/SampleCaptures in the IPv6 (and tunneling
mechanism) section, called Teredo.pcap.  Argus does very well
with this file, showing better than wireshark at discovering teredo
in all the UDP flows.

If you have an opinion, please don't hesitate to send it to the list!!!

Carter




On Feb 10, 2010, at 6:12 PM, Carter Bullard wrote:

> Gentle people,
> argus-3.0.3 now has support for Teredo tunnel discovery.  The discovery is done
> on any UDP packet that is not DNS.   Currently we are using a rather simple
> algorithm for discovering IPv6 traffic in the stream, but it seems to be working pretty
> well.  The flows will have IPv6 identifiers in the flow keys.
> 
> argus-client-3.0.3 support currently involves filter support using "encaps teredo".
>   ra -r argus.file - encaps teredo
> 
> Currently, teredo tunnel discovery is turned on by default, and I'll change that
> quickly if we have any major false teredo reporting (has been working for me
> for quite a while).
> 
> If you start to see a lot of IPv6 that is surprising, either there is teredo,
> and argus is reporting udp and tcp traffic over IPv6, or we've got bad teredo
> matching logic, and we'll need to fix it.  Best  way to tell is to look at the
> user data, and if the protocols match up with the ports, then its teredo.
> 
> Hope all is most excellent,
> 
> Carter
> 



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100211/19b5b664/attachment.bin>