Forced obfuscation in user data?

elof2 at sentor.se
Tue Jan 17 04:29:36 EST 2012


Ah, an undocumented feature.
-x solved it. Thanks.

BTW, in my logs I found a bunch of plaintext passwords even when not using 
-x. Apparently you only obfuscate the first PASS in a session.
In sessions where the first login attempt(s) fail, ra will reveal the 
password of the second and later attempts.

<- Welcome-banner
-> USER foo PASS bar1
<- Login incorrect
-> USER foo PASS bar!
<- Login successful

suser data printed by ra (without -x) shows:
s[42]=USER foo..PASS xxxx..USER foo..PASS bar!..
                      ^^^^                 ^^^^
while ra -x reveals both passwords:
s[42]=USER foo..PASS bar1..USER foo..PASS bar!..

/Elof


On Mon, 16 Jan 2012, Carter Bullard wrote:

> Hey /Elof,
> Yes, that was a request.  The obfuscation is done in the ascii printer in the clients.
> If you use the "-x" option, it will print them out.
>
> Carter
>
> On Jan 16, 2012, at 11:07 AM, elof2 at sentor.se wrote:
>
>>
>> I just looked at the suser data in my argus logfile.
>> It appears that argus is obfuscating the data even though I'm not asking for it.
>>
>> ra -s suser:120 -r argus.log - dst host 2.2.2.2 and dst port 21
>> s[116]=USER myloginname..PASS xxxxxxxxx..CWD /foo/bar..TYPE I..PASV..STOR gazonk.pdf..QUIT..
>>
>> The FTP password I entered was "foobar", not "xxxxxxxxx".
>> Somewhere, all FTP passwords are being obfuscated into "xxxxxxxxx".
>>
>>
>> 1.
>> Is the obfuscation done in argus (i.e. the logfile never even contains the true password) or is it done in ra?
>>
>> 2.
>> Can this be turned off? I need the true data for evidence.
>>
>> 3.
>> If the obfuscation is performed in argus, won't this introduce a slight performance penalty? ...a few cpu cycles are wasted verifying if the current packet needs to be obfuscated, and if so, obfuscating it.
>>
>>
>>
>> My argus.conf:
>> ARGUS_MONITOR_ID=1.2.3.4
>> ARGUS_INTERFACE=mon0
>> ARGUS_OUTPUT_FILE=/foo/log/out.log
>> ARGUS_DAEMON=yes
>> ARGUS_ACCESS_PORT=0
>> ARGUS_GENERATE_MAC_DATA=yes
>> ARGUS_CAPTURE_DATA_LEN=120
>> ARGUS_FILTER=""
>>
>> My ra command:
>> ra -s suser:120 -r argus.log - dst host 2.2.2.2 and dst port 21
>>
>> /Elof
>
>
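The behaviour described in this thread (only the first PASS in a session gets masked, so a retry after a failed login is left in clear) is easy to reproduce and to check for. The following Python sketch is an added illustration, not code from the thread or from the argus/ra project: it applies both a first-only and an every-occurrence mask to a constructed FTP client command buffer modelled on the session above, renders the result the way ra prints non-printable bytes (as dots), and lists any PASS argument still visible. Function names, the fixed mask string and the sample buffer are assumptions.

```python
import re

# An FTP PASS command at the start of a line. RFC 959 commands are case-insensitive
# and CRLF-terminated; a buffer truncated at the capture length may lack the CRLF,
# so the argument is "everything up to end of line or end of buffer".
_PASS_RE = re.compile(r"(?im)^(PASS[ \t]+)([^\r\n]*)")

# Fixed-length mask (assumed value): a mask as long as the password would leak its length.
MASK = "xxxxxxxxx"


def mask_first_pass(suser: str) -> str:
    """Mask only the first PASS argument.

    Reproduces the failure mode reported in the thread: when the first login
    attempt fails, the retried password is printed in clear.
    """
    return _PASS_RE.sub(lambda m: m.group(1) + MASK, suser, count=1)


def mask_all_pass(suser: str) -> str:
    """Mask every PASS argument in the captured user-data buffer."""
    return _PASS_RE.sub(lambda m: m.group(1) + MASK, suser)


def leaked_passwords(suser: str) -> list[str]:
    """Return PASS arguments that are still visible in a (supposedly) sanitised buffer.

    Useful as a check before a printout is shared or archived.
    """
    return [m.group(2) for m in _PASS_RE.finditer(suser) if m.group(2) != MASK]


def render_like_ra(suser: str) -> str:
    """Render a buffer as ra's ascii printer does: non-printable bytes become '.'."""
    return "".join(c if 32 <= ord(c) < 127 else "." for c in suser)


# Constructed client-side buffer for the session in the thread: a failed login
# followed by a successful retry.
SAMPLE = "USER foo\r\nPASS bar1\r\nUSER foo\r\nPASS bar!\r\n"

if __name__ == "__main__":
    for label, fn in (("first only", mask_first_pass), ("all", mask_all_pass)):
        out = fn(SAMPLE)
        print(f"{label:10s} {render_like_ra(out)}  leaked={leaked_passwords(out)}")
```

The first-only variant leaves `bar!` in the rendered output, which is exactly the leak Elof observed; the every-occurrence variant masks both attempts. Running `leaked_passwords` over output that is supposed to be sanitised is the cheap check to make before treating such a printout as safe to circulate.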
