Auditing Network activity : Argus to help to prepare a Firewall Flow Matrix

Carter Bullard carter at qosient.com
Fri Feb 25 09:01:39 EST 2011 

Hey Stéph,
All of these fields are described in the ra.1 man page, which we also provide as a pdf file in ./doc/pdf/man/man1/ra.1.pdf.
Take a look and if that doesn't help, send email again.

With regard to your filter problem where you are giving tcpdump filters to argus, but you're getting flows outside the subnets.
I don't use tcpdump filters with argus, as my approach is to use argus to provide comprehensive awareness on a link, and
then if I want to know about a subset of the data, I use ra* filters to get that data.  But that is just me.

I can only guess what might be happening, but a real possibility is that you have PPP or GRE like tunnels between these
subnets  and argus is tracking the IP flows within those tunnels.  The "*" in your "flgs" field indicates that you have
multiple IP encapsulations, so it is a possibility.

Try this:

   ra -r /var/tmp/traces-lab.argus - encaps gre

to see if you have GRE encapsulated data.  There is an undocumented print field that you can use:
   ra -r /var/tmp/traces-lab.argus -s +2senc +3denc
   
which will tell you which encapsulations were see on any given flow.

If none of this works for you, the only way to know what is happening with the pcap filter, is to collect packets using
tcpdump() using your filter, and then run argus against that packet file to see if you can find the possibly "errant" flows.
If that doesn't help, send more email.
   
Carter

On Feb 25, 2011, at 6:08 AM, arcangel at free.fr wrote:

> HI Carter, 
> 
> Thanks for your detailed answer. 
> I've started some tests with argus-3.0.3.22. 
> 
> As an "Argus beginner" I've trouble to understand the "summary network flow data" format used. 
> Did I miss some documentation ? 
> I understood - by using an rarc with RA_PRINT_LABELS=0 - that the default format, not clearly explained in the man-pages for -s ,  in use is :
> StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
> 
> What are the whole list of Flgs (e,s,r,U,*,i) / State (CON,REQ,FIN,ECO,INT,RST,TIM ...) values with explanations ? 
> 
> Concerning my filter problem your answer solved my issue : I now use 
> argus -w /var/tmp/traces-lab.argus -P 561 -i eth1.700 -d 'net  172.24.251 or net 172.24.252 or net 172.24.111'
> to just consider 3 subnets. 
> 
> However, I discovered some Argus infos about flows with devices outside these 3 subnets :
> ra -r  /var/tmp/traces-lab.argus    | grep  10.65  | grep -v 172.24  | tail 
> 
> 11:39:23.163358  *        sctp      10.162.82.190          <->       10.65.105.17               8        720   CON
> 11:39:27.780617  *        sctp      10.162.82.189          <->       10.65.105.17               8        720   CON
> 11:39:29.163261  *        sctp      10.162.82.190          <->       10.65.105.17              12       1136   CON
> 11:39:33.780702  *        sctp      10.162.82.189          <->       10.65.105.17              10        900   CON
> 11:39:35.163281  *        sctp      10.162.82.190          <->       10.65.105.17               8        720   CON
> 
> How is it ? 
> 
> I decided to split the Argus data stored on a daily basis using : 
> rasplit -r traces-lab.argus -M time 60m -w "/archive/%Y/%m/%d/argus.%H.%M.%S" 
> 
> I now need to play with racluster :)
> 
> Thanks,
> 
> Stéph
> 
> PS : 
> Without  libncurses5-dev installed on a test machine running Ubuntu 10.10, ratop cannot be build with the following errors :
> 
> make[1]: Entering directory
> `/media/data/SOFTWARE/linux/Argus/argus-clients-3.0.3.22/ratop'
> gcc -O3 -I. -I../include -I../common  -DHAVE_CONFIG_H -c ./ratop.c
> ./ratop.c:1204: error: expected identifier or '(' before '}' token
> ./ratop.c: In function 'RaHighlightDisplay':
> ./ratop.c:1228: error: 'RaWindowStartLine' undeclared (first use in
> this function)
> ./ratop.c:1228: error: (Each undeclared identifier is reported only once
> ./ratop.c:1228: error: for each function it appears in.)
> ./ratop.c:1228: error: 'RaDisplayLines' undeclared (first use in this function)
> ./ratop.c:1234: error: 'ArgusPrintRank' undeclared (first use in this function)
> ./ratop.c:1235: error: 'RaWindow' undeclared (first use in this function)
> ./ratop.c:1236: error: 'A_REVERSE' undeclared (first use in this function)
> make[1]: *** [ratop.o] Error 1
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110225/b7e1caa2/attachment.bin>

More information about the argus mailing list