Search filter, UDP, INT/CON, primitives + exit status

Carter Bullard carter at qosient.com
Fri May 6 09:27:45 EDT 2011 

Hey /Elof,
So when you are looking at state indicators, using the -Z option, you can pick those out using filters, like you describe.
If not that should be a bug and I'll fix.
The Z option prints out tcp flags, and we have support to pick out specific TCP flags using filters like:
   src fin and not dst ack

Mein-Ting:~ carter$ ra -b - src fin and not dst ack
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x1             jt 3	jf 5
(003) ldb      dsr[1][12]
(004) jeq      #0x6             jt 8	jf 23
(005) jeq      #0x2             jt 6	jf 23
(006) ldb      dsr[1][39]
(007) jeq      #0x6             jt 8	jf 23
(008) ldb      dsr[5][70]
(009) and      #1
(010) jeq      #0x1             jt 11	jf 23
(011) ldb      dsr[1][2]
(012) and      #31
(013) jeq      #0x1             jt 14	jf 16
(014) ldb      dsr[1][12]
(015) jeq      #0x6             jt 19	jf 22
(016) jeq      #0x2             jt 17	jf 22
(017) ldb      dsr[1][39]
(018) jeq      #0x6             jt 19	jf 22
(019) ldb      dsr[5][118]
(020) and      #16
(021) jeq      #0x10            jt 23	jf 22
(022) ret      #96
(023) ret      #0

here you will look for flags in both IPv4 and IPv6 flows.  if you specify the ipv4 you get a much smaller filter:

Mein-Ting:~ carter$ ra -b - ipv4 and src fin and not dst ack
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x1             jt 3	jf 12
(003) ldb      dsr[1][12]
(004) jeq      #0x6             jt 5	jf 12
(005) ldb      dsr[5][70]
(006) and      #1
(007) jeq      #0x1             jt 8	jf 12
(008) ldb      dsr[5][118]
(009) and      #16
(010) jeq      #0x10            jt 12	jf 11
(011) ret      #96
(012) ret      #0


But for argus state indicators, like 'est', 'con', 'init', 'synack', these are conditions of the flow, and don't have direction.
So this should work:

   ra -b - ipv4 and tcp and est and not dst fin

Mein-Ting:~ carter$ ra -b - ipv4 and tcp and est and not dst fin
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x1             jt 3	jf 12
(003) ldb      dsr[1][12]
(004) jeq      #0x6             jt 5	jf 12
(005) ld       dsr[5][4]
(006) and      #4
(007) jeq      #0x4             jt 8	jf 12
(008) ldb      dsr[5][118]
(009) and      #1
(010) jeq      #0x1             jt 12	jf 11
(011) ret      #96
(012) ret      #0

So you can do what you want, assuming not bugs, but take the 'src' and 'dst' off of keywords like est, and things should work.
I'll work on the return code this weekend.

Carter

On May 4, 2011, at 6:30 AM, elof2 at sentor.se wrote:

> 
> Regarding search filters and primitives...
> 
> I would like the possibility to use all the filter primitives on a per flow-direction basis, like "src est", "src syn" or "dst synack".
> 
> 
> Some examples of how I'd like to be able to match:
> "PA_PA" - src push and src ack and not src syn and not src fin and not src reset and dst push and dst ack and not dst syn and not dst fin and not dst
> reset
> 
> "FSPA_" - src est and not dst est (detect incorrect SPAN setup where only
>                                 one direction of the traffic is mirrored)
> "_FSPA" - not src est and dst est (detect incorrect SPAN setup)
> 
> "*R_SPA*" - src est and src reset and dst est (detect connections that are reset (RST) by the client rather than terminated using FIN)
> 
> ...and so on. Currently, this kind of detailed granularity can't be achieved internally in ra, so I have to use an external command like grep.
> 
> 
> 
> 
> If the ra* tools also set an exit status depending on if there were any match or not, that would be fantastic! Then you could use something like this:
> 
> if ra -r huge_argus.log -qN1 - port 12345; then
>  echo "Yes, port 12345 exist"
> else
>  echo "Nope, no port 12345 in huge_argus.log"
> fi
> 
> /Elof
> 
> 
> On Mon, 2 May 2011, Jesper Skou Jensen wrote:
> 
>> Excellent, it works Carter.
>> 
>> Thank you for the help.
>> 
>> 
>> -- 
>> 
>> Jesper S. Jensen
>> UNI-C - Århus, Danmark
>> 
>> On 29-04-2011 18:12, Carter Bullard wrote:
>>> Hey gentle people,
>>> OK, so I have fixed the 'con' filter item, and 'init' is now equivalent to 'start'.
>>> There is some cleanup work to do on all these states, so if you see something that is amiss,
>>> don't hesitate to send to the list.
>>> This has uncovered a bug in argus, however.  argus() is reporting most records as 'status',
>>> even thought they may be starting records or status records.  Which means, that currently,
>>> some argus data is incomplete, and I have a bug to fix in argus().
>>> The clients should be fine now.
>>> I'll upload new client software in an hour or so.
>>> Carter
>>

More information about the argus mailing list