argus 3.x request (forwarded)

Carter Bullard carter at qosient.com
Mon Jan 25 12:44:29 EST 2010


> Subject: [ARGUS] flocon 2010 presentations on the web
> From: Carter Bullard <carter at qosient.com>
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Date: Fri, 22 Jan 2010 14:00:43 -0500
> 
> Gentle people,
> I've updated the argus home page and I've put a list of what I was going
> to do for version 3.0.4.  If you have any ideas, I'd love to include them!!!

Hi Carter!

Two things I've been missing in my argus data:

1.
You already have:
             s      -  Src TCP packet retransmissions
             d      -  Dst TCP packet retransmissions
             *      -  Both Src and Dst TCP retransmissions

I would like argus to distinguish between retransmissions and duplicate copies of a frame.

Why, you ask?
Well, because it is very common that customers set up faulty SPAN mirroring, so the sensor (i.e. argus) receives two identical copies of a frame.
(In HP ProCurve switches, it is even "common" to have one copy of packets in one direction but two copies in the other...)

The problem is how the switches deal with "in", "out", "both" mirroring and VLAN mirroring (as opposed to port mirroring).


Right now the unwanted extra copies register as "retransmissions" even though no TCP retransmission has occurred.

I would like Argus to be able to distinguish between the two scenarios so it doesn't give false retransmission statistics, and to help me spot customers with a faulty SPAN setup.



2.
I would like argus to store all DNS requests and/or responses (configurable).
This way I would have a database of requested hostnames which can be used to:
* match lookups against a database of known bad hostnames/strings
* afterwards be able to figure out the actual hostname of a web server without the payload from the GET request header (the "Host:" line).


(I currently use Argus 2.x, so if any of the above is already invented, I'm sorry to have wasted your time with this email :-)   )


/Martin



PS.
In a perfect world, I would like argus to be able to keep state of the "identity" behind IPs. I.e., argus should know how to decode specific protocols and look for data that might identify this IP (apart from the current IP and MAC).
Example:
From Windows NetBIOS packets you can get the hostname and MAC address of an IP (get MAC even if the sensor is not located on the same segment as the client).
From NetBIOS/SMB packets you can get usernames; this is usually nice information to have when trying to determine "who did the p2p file transfer" or whatever.
From DNS responses you can get hostnames for IPs.
From DHCP/bootp you can get hostnames for IPs.

Apart from the vast work of developing all the protocol decoding needed, you would also need a smart way to store changes in Identification, and even harder - methods to query this information based on time.
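One way to draw the distinction asked for in point 1, as an added example that is neither Argus code nor from this thread: a heuristic that counts a repeated data segment as a mirrored duplicate only when its IP ID, TTL and TCP checksum are unchanged and it arrives within a short window, and otherwise as a retransmission; counting per direction also surfaces the one-way duplication described for the ProCurve case. `Segment`, `RetransClassifier` and `DUP_WINDOW` are this example's own names, and the millisecond window is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-segment record: header fields a sensor already has when
# it sees a TCP segment (every name in this example is the example's own).
@dataclass(frozen=True)
class Segment:
    ts: float                   # capture timestamp, seconds
    src: str; dst: str; sport: int; dport: int
    ip_id: int                  # IP identification field
    ttl: int
    seq: int                    # TCP sequence number
    payload_len: int
    tcp_csum: int               # TCP checksum as seen on the wire

# Assumption: the two SPAN copies of one frame arrive within a millisecond;
# a genuine retransmission waits at least an RTO, i.e. far longer.
DUP_WINDOW = 0.001

class RetransClassifier:
    """Tells mirrored duplicate frames apart from real TCP retransmissions,
    counted per unidirectional flow so one-way duplication shows up."""
    def __init__(self):
        self.last = defaultdict(dict)   # flow -> {seq: last Segment seen}
        self.stats = defaultdict(lambda: {"data": 0, "retrans": 0, "dup": 0})

    def classify(self, seg):
        if seg.payload_len == 0:        # bare ACKs/SYNs carry no data to repeat
            return "new"
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        prev = self.last[flow].get(seg.seq)
        self.last[flow][seg.seq] = seg
        # A host re-sending a segment builds a new IP datagram with a fresh
        # IP ID (and usually a new checksum, as TCP timestamps change); a
        # mirrored copy is byte-identical and follows almost immediately.
        if (prev is not None and seg.ip_id == prev.ip_id and seg.ttl == prev.ttl
                and seg.tcp_csum == prev.tcp_csum
                and seg.ts - prev.ts <= DUP_WINDOW):
            self.stats[flow]["dup"] += 1
            return "dup"
        self.stats[flow]["data"] += 1   # counts original segments only
        if prev is None:
            return "new"
        self.stats[flow]["retrans"] += 1
        return "retrans"

    def mirror_suspects(self, min_ratio=0.5):
        """Flows where at least min_ratio of the data segments were duplicated."""
        return [f for f, s in self.stats.items()
                if s["data"] and s["dup"] / s["data"] >= min_ratio]
```

Feeding the classifier from a live capture would need the same five header fields per segment; the flow key is unidirectional on purpose, so a SPAN session that duplicates only one direction shows up in `mirror_suspects` for that direction alone.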