[argus]how can i get all the tcp syn request

carter at qosient.com carter at qosient.com
Wed Sep 8 07:47:05 EDT 2010


Hey shallwe19,
The data is correct but possibly not the format you want in the "State" attribute.  To use a SQL query to find records that saw the Syn or SynAck, you have to 'expose' some field that represents the flags semantic in the SQL table, and there are a number of ways to do that.

If you used rasqlinsert() to put the data into mysql, the complete binary flow record is inserted into the table as a "binary BLOB", which rasql() can then use.
There is the "-M sql='where predicate'" which allows you to use the DB engine to do some of the filtering.
Assuming you used the default schema that has the "proto" and "dir" fields and you inserted 'primitive' data (unmodified records direct from an argus sensor)

  rasql -r mysql://user@localhost/db/table -M sql="proto='tcp' and dir='->'" -w - | racluster -z

could work.

This will create the SQL statement:
   SELECT record FROM db.table WHERE proto='tcp' and dir='->';

(rasqlinsert() puts the binary argus record in the "record" attribute.)

Matching records can then be filtered using a conventional ra* filter. 

    rasql -r mysql://user@localhost/db/table -M sql="proto='tcp' and dir='->'" - not reset 

This may seem complex, but it's really straightforward.  Use SQL to find tcp records that have the dir field showing that we saw either the syn or synack.  SQL will return a lot of records, and rasql() will sequentially filter matches using a filter that SQL can't perform, such as looking for SYN RST volleys.

Glad you like your iPhone. Is it a 4?

Carter 


Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "shallwe19" <shallwe19 at gmail.com>
Date: Wed, 8 Sep 2010 10:16:20 
To: carter<carter at qosient.com>; Paul Schmehl<pschmehl_lists at tx.rr.com>
Cc: Argus<argus-info at lists.andrew.cmu.edu>
Subject: Re: Re: Re: [ARGUS] [argus]how can i get all the tcp syn request

OK, does it mean that the data in mysql is not correct, and the output of rasql is the real packet?

Thank you very much, I will have a try.

By the way, compared to BlackBerry, I prefer the iPhone.


2010-09-08 



shallwe19 



From: carter 
Sent: 2010-09-07  19:58:17 
To: shallwe19; Paul Schmehl 
Cc: Argus 
Subject: Re: Re: [ARGUS] [argus]how can i get all the tcp syn request 
You should print the records to stdout and visually inspect what will go into the DB, so that you can understand how to query the data. The "-Z" option will change the format of the "state" field to expose some of the state, and you can also print the stcpflags, and dtcpflags, if that is important.

You can find all the records you are looking for with rasql(), but the performance will not be optimal, as rasql() will be doing the filtering.

Carter 


Sent from my Verizon Wireless BlackBerry



From: "shallwe19" <shallwe19 at gmail.com> 
Date: Tue, 7 Sep 2010 18:10:22 +0800
To: Carter Bullard<carter at qosient.com>; Paul Schmehl<pschmehl_lists at tx.rr.com>
Cc: argus-info<argus-info at lists.andrew.cmu.edu>
Subject: Re: Re: [ARGUS] [argus]how can i get all the tcp syn request


Thanks for your help, but it seems the problem has not been solved.

All the argus data is stored in a mysql database, and I want to get all the SYN packets from the mysql database.
I ran a test: I did a SYN scan against a host (192.168.11.25) with NMAP using the -sS option from another host (192.168.19.14).  At the same time, using tcpdump on the target host, I see all the packets are SYN packets, but in the mysql db I see all the packets are marked with RST.  Is there any mistake in argus when it puts the data into mysql?


Here is the output of tcpdump:

01:14:32.215260 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215261 IP 192.168.19.14.54903 > 192.168.11.25.427: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215307 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215414 IP 192.168.19.14.54903 > 192.168.11.25.9009: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215460 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215544 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215607 IP 192.168.19.14.54903 > 192.168.11.25.3869: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215683 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215746 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215747 IP 192.168.19.14.54903 > 192.168.11.25.992: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215801 IP 192.168.19.14.54903 > 192.168.11.25.543: S 878641122:878641122(0) win 2048 <mss 1460>


Here is the output image from the mysql database; if you do not see the image, you can see it in the attachment.




Is there any way I can get all the SYN packets from the mysql db?  Thank you all very much!

2010-09-07 



shallwe19 
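The tcpdump output above shows the scanner side of the exchange only. As an added illustration that is not part of the original thread, the script below parses those lines (old-style tcpdump TCP syntax, where the flag letters are S/F/R/P and ACK appears separately as "ack N"), pairs each bare SYN with any RST the target sends back, and reports the SYN/RST volleys per scanner/target pair. The three RST reply lines in the sample are constructed for this example and were not in the original capture; the threshold of five probed ports is an arbitrary choice for the demo.

```python
import re
from collections import defaultdict

# Constructed sample input: the tcpdump lines posted in the thread (an nmap -sS
# scan from 192.168.19.14 against 192.168.11.25), plus three RST replies from
# the target that are NOT in the original post; they are added here to show the
# SYN/RST volley that argus records as a flow whose state ends in RST.
SAMPLE_TCPDUMP = """\
01:14:32.215260 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215261 IP 192.168.19.14.54903 > 192.168.11.25.427: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215307 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215310 IP 192.168.11.25.19101 > 192.168.19.14.54903: R 0:0(0) ack 878641123 win 0
01:14:32.215414 IP 192.168.19.14.54903 > 192.168.11.25.9009: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215420 IP 192.168.11.25.427 > 192.168.19.14.54903: R 0:0(0) ack 878641123 win 0
01:14:32.215460 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215544 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215607 IP 192.168.19.14.54903 > 192.168.11.25.3869: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215683 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215690 IP 192.168.11.25.10012 > 192.168.19.14.54903: R 0:0(0) ack 878641123 win 0
01:14:32.215746 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215747 IP 192.168.19.14.54903 > 192.168.11.25.992: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215801 IP 192.168.19.14.54903 > 192.168.11.25.543: S 878641122:878641122(0) win 2048 <mss 1460>
"""

# Old-style (pre-4.x) tcpdump TCP line: flag letters S/F/R/P or '.' for none;
# ACK is not a flag letter in this format but shows up as "ack <num>" later on.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)
SEQ_RE = re.compile(r"^(\d+):\d+\(\d+\)")
ACK_RE = re.compile(r"\back (\d+)\b")


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if m is None:
        return None
    flags = set(m.group("flags")) - {"."}
    rest = m.group("rest")
    if ACK_RE.search(rest):
        flags.add("A")
    seq_m = SEQ_RE.match(rest)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": flags,
        "seq": int(seq_m.group(1)) if seq_m else None,
    }


def syn_scan_report(text, min_ports=5):
    """Pair bare SYNs with RST answers per (scanner, target) and report pairs
    that probed at least min_ports distinct destination ports."""
    syn_ports = defaultdict(set)   # (src, dst) -> dst ports that got a bare SYN
    rst_ports = defaultdict(set)   # (src, dst) -> probed ports answered with RST
    syn_seqs = defaultdict(set)    # (src, dst) -> initial sequence numbers seen
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == {"S"}:
            key = (p["src"], p["dst"])
            syn_ports[key].add(p["dport"])
            syn_seqs[key].add(p["seq"])
        elif "R" in p["flags"]:
            # A reset travels target -> scanner; map it back to the probe pair.
            key = (p["dst"], p["src"])
            if p["sport"] in syn_ports.get(key, set()):
                rst_ports[key].add(p["sport"])
    report = []
    for (scanner, target), ports in syn_ports.items():
        if len(ports) >= min_ports:
            report.append({
                "scanner": scanner,
                "target": target,
                "ports_probed": len(ports),
                "ports_closed": len(rst_ports.get((scanner, target), set())),
                # nmap -sS reuses one ISN across probes; a single value is a tell.
                "fixed_seq": len(syn_seqs[(scanner, target)]) == 1,
            })
    return report


if __name__ == "__main__":
    for r in syn_scan_report(SAMPLE_TCPDUMP):
        print(r)
```

Run against the sample it reports one scanner/target pair, eight distinct ports probed, three of them answered with RST, and a single reused sequence number across every probe. The probe/reply pairing is the same thing the thread is after on the argus side: a flow that saw a SYN and then a RST is exactly what the "dir" and "state" fields encode, which is why the rows in the database showed RST rather than a missing SYN.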



From: Carter Bullard 
Sent: 2010-09-04  04:29:06 
To: Paul Schmehl 
Cc: shallwe19; argus-info 
Subject: Re: [ARGUS] [argus]how can i get all the tcp syn request 
Hey Guys,
To get just tcp flows that had the syn:
   ra -ZS xxx - syn
To get tcp flows that had the syn or the synack argus states:
   ra -ZS xxx - syn or synack
To get flows that had tcp flags ack and push:
   ra - ack and push
The "Z" flag by itself just modifies how the "state" field is printed.
Carter
On Sep 3, 2010, at 3:11 PM, Paul Schmehl wrote:
> --On Friday, September 03, 2010 14:44:37 +0800 shallwe19 <shallwe19 at gmail.com> wrote:
> 
>> 
>> sorry to interrupt you ,but will anybody tell me ,how can i get all the tcp
>> syn request .
>> it seems ,when i run " ra -ZS xxx",i got some udp request
>> 
>> anyone can help me ?
> 
> ra -Zs xxx"
> 
> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Catch16(09-08-10-14-24).jpg
Type: image/jpeg
Size: 464473 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100908/7994accd/attachment.jpg>

