Forced obfuscation in user data?
elof2 at sentor.se
Mon Jan 16 11:07:15 EST 2012
I just looked at the suser data in my argus logfile.
It appears that argus is obfuscating the data even though I'm not asking
for it.
ra -s suser:120 -r argus.log - dst host 2.2.2.2 and dst port 21
s[116]=USER myloginname..PASS xxxxxxxxx..CWD /foo/bar..TYPE I..PASV..STOR gazonk.pdf..QUIT..
The FTP password I entered was "foobar", not "xxxxxxxxx".
Somewhere, all FTP passwords are being obfuscated into "xxxxxxxxx".
1. Is the obfuscation done in argus (i.e. the logfile never even contains the
true password) or is it done in ra?
2. Can this be turned off? I need the true data for evidence.
3. If the obfuscation is performed in argus, won't this introduce a slight
performance penalty? ...a few cpu cycles are wasted verifying if the
current packet needs to be obfuscated, and if so, obfuscating it.
My argus.conf:
ARGUS_MONITOR_ID=1.2.3.4
ARGUS_INTERFACE=mon0
ARGUS_OUTPUT_FILE=/foo/log/out.log
ARGUS_DAEMON=yes
ARGUS_ACCESS_PORT=0
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_CAPTURE_DATA_LEN=120
ARGUS_FILTER=""
My ra command:
ra -s suser:120 -r argus.log - dst host 2.2.2.2 and dst port 21
/Elof
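As an added example (not from the post above and not part of argus or ra): a small Python audit of `ra -s suser` output that parses the captured FTP control channel and reports whether the PASS argument was masked or survived in clear, which is the evidence question the post raises. It assumes that the `..` runs in the post's output are how ra renders the CRLF bytes as non-printable dots, that a masked password is a run of `x` characters as shown in the post, and the sample lines are constructed.

```python
import re

# Constructed sample lines in the shape of the `ra -s suser:N` output quoted in
# the post. The ".." between FTP commands is assumed to be ra's rendering of the
# CR LF pair as two non-printable dots (an assumption, not confirmed by the post).
SAMPLE_LINES = [
    "s[116]=USER myloginname..PASS xxxxxxxxx..CWD /foo/bar..TYPE I..PASV..STOR gazonk.pdf..QUIT..",
    "s[42]=USER anonymous..PASS guest@example..QUIT..",   # constructed: cleartext PASS
]

# s[<declared length>]=<payload>
SUSER_RE = re.compile(r"^s\[(\d+)\]=(.*)$")
# A masked password as shown in the post is a run of 'x' characters (assumed shape).
MASK_RE = re.compile(r"x+")


def parse_suser(line):
    """Split one ra suser line into (declared_len, [(verb, argument), ...]).

    Note: a path argument containing '..' (e.g. CWD /a/../b) would be split
    too, because the CRLF rendering and the literal dots are indistinguishable
    in this text form; the raw record would be needed to disambiguate.
    """
    m = SUSER_RE.match(line.strip())
    if not m:
        raise ValueError("not a suser line: %r" % line)
    declared = int(m.group(1))
    cmds = []
    for chunk in m.group(2).split(".."):
        chunk = chunk.strip()
        if not chunk:
            continue                      # trailing ".." yields an empty chunk
        verb, _, arg = chunk.partition(" ")
        cmds.append((verb.upper(), arg))
    return declared, cmds


def audit_ftp_login(line):
    """Classify the FTP login in one capture line.

    Returns a dict with the USER argument, whether a PASS command was captured,
    whether every captured PASS argument was masked, and the command sequence.
    A cleartext PASS here means the credential is recoverable from the log, the
    property the post wants preserved for evidence and a defender wants to know
    about when deciding who may read the logfile.
    """
    _, cmds = parse_suser(line)
    user = next((arg for verb, arg in cmds if verb == "USER"), None)
    passwords = [arg for verb, arg in cmds if verb == "PASS"]
    return {
        "user": user,
        "pass_seen": bool(passwords),
        "pass_masked": bool(passwords) and all(MASK_RE.fullmatch(p) for p in passwords),
        "commands": [verb for verb, _ in cmds],
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        result = audit_ftp_login(sample)
        state = "masked" if result["pass_masked"] else "CLEARTEXT"
        print("user=%s pass=%s sequence=%s" % (result["user"], state, " ".join(result["commands"])))
```

Run it over the real `ra -s suser:120 -r argus.log` output by replacing `SAMPLE_LINES` with the lines read from stdin; lines that are not of the `s[N]=` form raise, so filter to the suser column first.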