raports results after racluster or ra -w .. of original data files

Carter Bullard carter at qosient.com
Thu Jul 15 17:43:42 EDT 2010


Hey Michael,
I assume that you are using argus-clients-3.0.3.x clients.
Argus doesn't make any determination regarding flow source or destination; this is all done
in the clients.

If you read data using any of the ra* programs, they have an opportunity to
'correct' a flow record for direction, and we do have some logic for TCP traffic.
If we haven't seen the syn or the synack, we test the source and destination ports to
see if the src is in the IPPORT_RESERVED range, 1-1024, and the dst port is above it.
If so, if the sport is not ftp-data, and there is an entry in the /etc/services file for the sport
value, so it's an identified service port, we'll reverse the direction of the record.

Does that seem useful, or do you see a problem?

Carter


On Jul 14, 2010, at 4:43 PM, Michael Sanderson wrote:

> I'm experiencing some slight differences in the results of raports, depending upon how I run it.
> 
> I rotate my logs every 15 minutes and do some post processing.
> 
> 1)  raports -r data.2010.07.12-00:* - host 10.91.129.8
> ...
> 10.91.129.8 tcp: (2) 2049, 39813
> 10.91.129.8 udp: (3) 769, 789, 824
> ...
> 
> 2) ra -r data.2010.07.12-00:* -w d10.91.129.8 - host 10.91.129.8
>   raports -r d10.91.129.8
> ...
> 10.91.129.8 tcp: (1) 2049
> 10.91.129.8 udp: (3) 769, 789, 824
> ...
> 
> 3) racluster -r data.2010.07.12-00:* -w clustered.2010.07.12-00
>   raports -r clustered.2010.07.12-00 - host 10.91.129.8
> ...
> 10.91.129.8 tcp: (1) 2049
> 10.91.129.8 udp: (3) 769, 789, 824
> ...
> 
> raports on the original data files is suggesting that 10.91.129.8 port 39813 is a destination.  raports on processed files is suggesting it is a source.  Looking at the flows from the original data files for 10.91.129.8 port 39813 shows that direction wasn't determined.
> 
> 10/07/11 23:49:23  M         tcp        10.91.129.8.39813    <?> a.b.c.d.netbio        2        126   CON
> 
> Looking at the processed files (d10.91.129.8 and clustered.2010.07.12-00) via ra, they also show that the direction was not determined.
> 
> What is happening with the processed files that convinces raports that 10.91.129.8 port 39813 is a source, not a destination?  In this particular case it is right, but I'm curious how it is getting it right.
> 
>    Michael Sanderson
> 

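The direction rule Carter describes above, written out as an added example so it can be exercised on hand-built records. This is not code from argus-clients: it is a plain-Python reimplementation of the stated heuristic. The Flow class, the SERVICES table (a stand-in for /etc/services), the addresses, the port numbers and the inclusive treatment of the "1-1024" boundary are all assumptions made for illustration. It goes one step beyond the text by also listing the ports a host ends up serving after correction, which is the view a raports-style summary sees; the first record mirrors the undetermined-direction flow in the quoted message.

```python
"""Port-based direction correction as described in the reply above.

Added example, not argus client code.  Flow, SERVICES and RECORDS are
constructed for this example; the real clients consult /etc/services and
read argus records.
"""
from dataclasses import dataclass, replace

IPPORT_RESERVED = 1024   # the reply says 1-1024; inclusive bound is an assumption
FTP_DATA = 20            # active-mode FTP data connections are opened by the server

# Constructed stand-in for /etc/services (port -> name); only what the samples need.
SERVICES = {
    20: "ftp-data", 22: "ssh", 53: "domain", 80: "http",
    139: "netbios-ssn", 443: "https", 2049: "nfs",
}


@dataclass(frozen=True)
class Flow:
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    syn_seen: bool = False      # SYN observed from src -> dst
    synack_seen: bool = False   # SYN/ACK observed from dst -> src


def reverse(flow: Flow) -> Flow:
    """Swap endpoints so the old destination becomes the source."""
    return replace(flow, saddr=flow.daddr, sport=flow.dport,
                   daddr=flow.saddr, dport=flow.sport)


def should_reverse(flow: Flow, services=SERVICES) -> bool:
    """TCP rule from the reply: no handshake seen, sport in the reserved
    range and a known service (but not ftp-data), dport above the range."""
    if flow.proto != "tcp":
        return False
    if flow.syn_seen or flow.synack_seen:
        return False                       # the handshake settles direction
    if not (1 <= flow.sport <= IPPORT_RESERVED):
        return False
    if flow.dport <= IPPORT_RESERVED:
        return False
    if flow.sport == FTP_DATA:
        return False                       # server legitimately originates these
    return flow.sport in services


def correct_direction(flow: Flow, services=SERVICES) -> Flow:
    return reverse(flow) if should_reverse(flow, services) else flow


def service_ports(flows, host, services=SERVICES):
    """(proto, port) pairs on which `host` is the destination after correction,
    i.e. what a raports-style summary would attribute to that host."""
    found = set()
    for flow in flows:
        flow = correct_direction(flow, services)
        if flow.daddr == host:
            found.add((flow.proto, flow.dport))
    return sorted(found)


# Constructed records (not captured data).  None saw a SYN/SYN-ACK unless noted.
RECORDS = [
    Flow("tcp", "10.91.129.8", 39813, "198.51.100.7", 139),    # like the quoted flow: sport not reserved, stays
    Flow("tcp", "10.91.129.8", 443, "198.51.100.9", 40001),    # https reply seen only: reversed
    Flow("tcp", "10.91.129.8", 20, "198.51.100.9", 40002),     # ftp-data exception: stays
    Flow("tcp", "10.91.129.8", 999, "198.51.100.9", 40003),    # reserved but not in services: stays
    Flow("tcp", "10.91.129.8", 80, "198.51.100.9", 40004, syn_seen=True),  # handshake seen: stays
    Flow("tcp", "198.51.100.5", 53, "10.91.129.8", 40005),     # probe sent from source port 53: flipped
    Flow("tcp", "10.91.129.8", 2049, "198.51.100.9", 40006),   # nfs is known but above the range: stays
]

if __name__ == "__main__":
    for rec in RECORDS:
        fixed = correct_direction(rec)
        mark = "->" if fixed == rec else "<- reversed"
        print(f"{fixed.saddr}.{fixed.sport} {mark} {fixed.daddr}.{fixed.dport}")
    print("service ports for 10.91.129.8:", service_ports(RECORDS, "10.91.129.8"))
```

Two things worth noticing when running it. The nfs record on 2049 is never corrected even though the port is in the services table, because the rule only looks inside the reserved range, so a summary of an NFS server built from reply-only records is at the mercy of whichever direction argus recorded first. And the last record shows the heuristic's blind spot: a probe deliberately sent from a well-known source port such as 53 toward a high port, with the handshake not captured, is rewritten so that the probed host appears to be the client talking to a DNS server, and the probed port drops out of that host's list entirely. The correction is a useful hint for incomplete captures, not a substitute for seeing the handshake.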