Argus-info Digest, Vol 77, Issue 14

Chas DiFatta chas at difatta.org
Thu Jan 19 11:37:18 EST 2012


I second Jason's comment.  Client apps like rastrip and ranonymize can easily accommodate the functionality of the flow analysis workflow.

There "might" be a need for yet another experimental client called "rased" or "raregex" who's functionality is obvious.

Even without capturing any of the user/application data, what one can discover/imply can be a real eye opener as we all know, and therefore requires anyone using Argus data to take a serious look at the data management policy of their organization, which includes data orchestration methods.

	...cd

On Jan 19, 2012, at 11:14 AM, Jason Carr wrote:

> I'd vote for swapping the behavior or eliminating the feature all
> together.  I tend to want the user data in an untouched state.  If I need
> to display or share data, I will manually hide the credentials or
> sensitive data.
> 
> On 1/18/12 6:58 PM, "Carter Bullard" <carter at qosient.com> wrote:
> 
>> OK, the count is now  2 - 2.  The issue is valid, that we should not set
>> incorrect expectations.  We could print a warning to stderr, that ra.1
>> obfuscated content?
>> 
>> Carter
>> 
>> 
>> On Jan 18, 2012, at 6:21 AM, elof2 at sentor.se wrote:
>> 
>>> 
>>> First I thought like CS Lee, that it was backwards to obfuscate without
>>> asking for it on the commandline. That's why I reported it to the list
>>> in the first place.
>>> 
>>> Though, once Carter explained that the default was to obfuscate, to
>>> protect and prevent from accidental copy and paste of sensitive data
>>> into e.g. an email, I changed my mind.
>>> That is a cheap and simple protection from human mistakes that can get
>>> really embarrising/awkward if one paste the wrong data to e.g. a
>>> mailinglist.
>>> 
>>> So I vote for the Carter approach. Obfuscate in the clients by default
>>> and use -x to reveal the real data.
>>> 
>>> The real problem is that this was an undocumented feature. Once it's a
>>> known default (the new man pages), I only see benefits with the default
>>> obfuscation.
>>> 
>>> 
>>> Regarding that there are sensitive data in the binary argus file... It
>>> contain so much sensitive data that I always treat it as highly
>>> sensitive.
>>> I would think three or four times before sending an argus-logfile to
>>> e.g. a mailinglist, while a simple copy and paste of some ra output
>>> could possibly slip by.
>>> 
>>> /Elof
>>> 
>>> 
>>> On Tue, 17 Jan 2012, Carter Bullard wrote:
>>> 
>>>> Hey Dave,
>>>> Hmmmmm, I can buy this logic, and I'm not against a change.   So 2 - 1
>>>> for swapping the -x behavior.
>>>> 
>>>> Any counter arguments ?
>>>> Carter
>>>> 
>>>> On Jan 17, 2012, at 9:34 PM, Dave Edelman <dedelman at iname.com> wrote:
>>>> 
>>>>> I have to agree with CS Lee. I think the major problem here is that
>>>>> the file contains authentication credentials in clear text. As long as
>>>>> the clients obfuscate this information is provides a false sense of
>>>>> security since it is not obvious that the clear text is stored in the
>>>>> data and is trivially retrievable.
>>>>> 
>>>>> The logical next step is to craft a client that actually overwrites
>>>>> sensitive data in the argus output files and that can be used inline
>>>>> w ­ or  to produce a new file with ­w defanged.out
>>>>> 
>>>>> 
>>>>> (You did ask J )
>>>>> 
>>>>> --Dave
>>>>> 
>>>>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>>>>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
>>>>> Behalf Of Carter Bullard
>>>>> Sent: Tuesday, January 17, 2012 5:15 PM
>>>>> To: CS Lee
>>>>> Cc: argus-info at lists.andrew.cmu.edu
>>>>> Subject: Re: [ARGUS] Argus-info Digest, Vol 77, Issue 14
>>>>> 
>>>>> Hey CS Lee,
>>>>> Not sure that would provide any help to avoid unintentional
>>>>> disclosure.  Default behavior, I think, should provide some protection
>>>>> ?  Any other opinions ?  Seems we have a tie ?
>>>>> Best
>>>>> 
>>>>> Carter
>>>>> 
>>>>> 
>>>>> , CS Lee <geek00l at gmail.com> wrote:
>>>>> 
>>>>> hi Carter,
>>>>> 
>>>>> My thought on this one - the password obfuscation.
>>>>> 
>>>>> I would rather have default argus client print out the password
>>>>> without -x option, and with -x option it will obfuscate when printing
>>>>> the user data. That way new comers won't be confusing when they first
>>>>> use argus client. Since you already mentioned underlying data won't be
>>>>> changed anyway, so by default argus client should print generic data
>>>>> and with -x option the passwords will be obfuscated.
>>>>> 
>>>>> Cheers!
>>>>> 
>>>>> On Wed, Jan 18, 2012 at 1:00 AM,
>>>>> <argus-info-request at lists.andrew.cmu.edu> wrote:
>>>>> Send Argus-info mailing list submissions to
>>>>>      argus-info at lists.andrew.cmu.edu
>>>>> 
>>>>> To subscribe or unsubscribe via the World Wide Web, visit
>>>>>      https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>>>>> or, via email, send a message with subject or body 'help' to
>>>>>      argus-info-request at lists.andrew.cmu.edu
>>>>> 
>>>>> You can reach the person managing the list at
>>>>>      argus-info-owner at lists.andrew.cmu.edu
>>>>> 
>>>>> When replying, please edit your Subject line so it is more specific
>>>>> than "Re: Contents of Argus-info digest..."
>>>>> 
>>>>> 
>>>>> Today's Topics:
>>>>> 
>>>>> 1. Re:  Forced obfuscation in user data? (elof2 at sentor.se)
>>>>> 2. Re:  Forced obfuscation in user data? (Carter Bullard)
>>>>> 
>>>>> 
>>>>> ----------------------------------------------------------------------
>>>>> 
>>>>> Message: 1
>>>>> Date: Tue, 17 Jan 2012 15:31:27 +0100 (CET)
>>>>> From: elof2 at sentor.se
>>>>> Subject: Re: [ARGUS] Forced obfuscation in user data?
>>>>> To: Argus Development <argus-info at lists.andrew.cmu.edu>
>>>>> Message-ID:
>>>>>      <alpine.BSF.2.00.1201171530410.75104 at deliverator.sentor.se>
>>>>> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>>>>> 
>>>>> Sounds great!
>>>>> 
>>>>> I'm just curious, what passwords (i.e. what protocols and services (or
>>>>> patterns?)) will the ra-clients hide?
>>>>> 
>>>>> FTP passwords obviously.
>>>>> 
>>>>> /Elof
>>>>> 
>>>>> On Tue, 17 Jan 2012, Carter Bullard wrote:
>>>>> 
>>>>>> Hey \Elof2,
>>>>>> OK, I fixed the bug so we're consistent in the effort, (replace an '
>>>>>> if ' with a ' while ')
>>>>>> and I documented the feature in the rarc.5 man page, and I've
>>>>>> documented
>>>>>> the -x option in the ra.1 man page.
>>>>>> 
>>>>>> Just a note.  This 'feature' is there simply as a safety, so that
>>>>>> the casual
>>>>>> user doesn't inadvertently leak captured passwords.  Its not
>>>>>> intended as
>>>>>> a real protection strategy.   On the contrary, being able to recover
>>>>>> clear
>>>>>> text passwords is a good security strategy.  Since they are a bad
>>>>>> idea,
>>>>>> being able to detect them on the wire is the only way to enforce the
>>>>>> policy.
>>>>>> 
>>>>>> Thanks !!!!!!!
>>>>>> 
>>>>>> Carter
>>>>>> 
>>>>>> On Jan 17, 2012, at 7:48 AM, Carter Bullard wrote:
>>>>>> 
>>>>>>> Hmmm, thanks, I'll fix that on this next round of clients.
>>>>>>> Carter
>>>>>>> 
>>>>>>> On Jan 17, 2012, at 4:29 AM, elof2 at sentor.se wrote:
>>>>>>> 
>>>>>>>> 
>>>>>>>> Ah, an undocumented feature.
>>>>>>>> -x solved it. Thanks.
>>>>>>>> 
>>>>>>>> BTW, in my logs I found a bunch of plaintext passwords even when
>>>>>>>> not using -x. Apparently you only obfuscate the first PASS in a
>>>>>>>> session.
>>>>>>>> In sessions where the first login attempt(s) fail, ra will reveal
>>>>>>>> the password of the second and later attempts.
>>>>>>>> 
>>>>>>>> <- Welcome-banner
>>>>>>>> -> USER foo PASS bar1
>>>>>>>> <- Login incorrect
>>>>>>>> -> USER foo PASS bar!
>>>>>>>> <- Login successful
>>>>>>>> 
>>>>>>>> suser data printed by ra (without -x) show:
>>>>>>>> s[42]=USER foo..PASS xxxx..USER foo..PASS bar!..
>>>>>>>>                  ^^^^                 ^^^^
>>>>>>>> while ra -x reveal both passwords:
>>>>>>>> s[42]=USER foo..PASS bar1..USER foo..PASS bar!..
>>>>>>>> 
>>>>>>>> /Elof
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Mon, 16 Jan 2012, Carter Bullard wrote:
>>>>>>>> 
>>>>>>>>> Hey /Elof,
>>>>>>>>> Yes, that was a request.  The obfuscation is done in the ascii
>>>>>>>>> printer in the clients.
>>>>>>>>> If you use the "-x" option, it will print them out.
>>>>>>>>> 
>>>>>>>>> Carter
>>>>>>>>> 
>>>>>>>>> On Jan 16, 2012, at 11:07 AM, elof2 at sentor.se wrote:
>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> I just looked at the suser data in my argus logfile.
>>>>>>>>>> It appears that argus is obfuscating the data even though I'm
>>>>>>>>>> not asking for it.
>>>>>>>>>> 
>>>>>>>>>> ra -s suser:120 -r argus.log - dst host 2.2.2.2 and dst port 21
>>>>>>>>>> s[116]=USER myloginname..PASS xxxxxxxxx..CWD /foo/bar..TYPE
>>>>>>>>>> I..PASV..STOR gazonk.pdf..QUIT..
>>>>>>>>>> 
>>>>>>>>>> The FTP password I entered was "foobar", not "xxxxxxxxx".
>>>>>>>>>> Somewhere, all FTP passwords are being obfuscated into
>>>>>>>>>> "xxxxxxxxx".
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 1.
>>>>>>>>>> Is the obfuscation done in argus (i.e. the logfile never even
>>>>>>>>>> contain the true password) or is it done in ra?
>>>>>>>>>> 
>>>>>>>>>> 2.
>>>>>>>>>> Can this be turned off? I need the true data for evidence.
>>>>>>>>>> 
>>>>>>>>>> 3.
>>>>>>>>>> If the obfuscation is performed in argus, won't this introduce a
>>>>>>>>>> slight performance penalty? ...a few cpu cycles are wasted
>>>>>>>>>> verifying if the current packet need to be obfuscated, and if so,
>>>>>>>>>> obfuscate it.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> My argus.conf:
>>>>>>>>>> ARGUS_MONITOR_ID=1.2.3.4
>>>>>>>>>> ARGUS_INTERFACE=mon0
>>>>>>>>>> ARGUS_OUTPUT_FILE=/foo/log/out.log
>>>>>>>>>> ARGUS_DAEMON=yes
>>>>>>>>>> ARGUS_ACCESS_PORT=0
>>>>>>>>>> ARGUS_GENERATE_MAC_DATA=yes
>>>>>>>>>> ARGUS_CAPTURE_DATA_LEN=120
>>>>>>>>>> ARGUS_FILTER=""
>>>>>>>>>> 
>>>>>>>>>> My ra command:
>>>>>>>>>> ra -s suser:120 -r argus.log - dst host 2.2.2.2 and dst port 21
>>>>>>>>>> 
>>>>>>>>>> /Elof
>>>>>>>>> 
>>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>>> ------------------------------
>>>>> 
>>>>> Message: 2
>>>>> Date: Tue, 17 Jan 2012 09:36:58 -0500
>>>>> From: Carter Bullard <carter at qosient.com>
>>>>> Subject: Re: [ARGUS] Forced obfuscation in user data?
>>>>> To: "Martin Olsson" <martin.olsson at sentor.se>
>>>>> Cc: 'Argus Development' <argus-info at lists.andrew.cmu.edu>
>>>>> Message-ID: <2FC2A2F9-C20F-4999-B6DD-A31F47D19BC3 at qosient.com>
>>>>> Content-Type: text/plain; charset="us-ascii"
>>>>> 
>>>>> Oh, the algorithm is trivial, and if there are other situations, I
>>>>> will add.
>>>>> We just look for "PASS", and anything that is printable after that,
>>>>> unto
>>>>> a '\cr' or a '.', we'll put an 'x' in its place.   (yes not perfect,
>>>>> but fast and
>>>>> it works for the most part).
>>>>> 
>>>>> This is only when we printout the buffer.  We never change the actual
>>>>> capture data in the argus record.   As a result, we don't exclude the
>>>>> text while you "grep" the buffers.  So you could match a record user
>>>>> buffer,
>>>>> because your pattern is in someone's password, and when you go to
>>>>> print it out, you may not see it in the output.  Not sure what to do
>>>>> with
>>>>> that, but its a side effect of what we're doing.
>>>>> 
>>>>> Carter
>>>>> 
>>>>> 
>>>>> On Jan 17, 2012, at 9:29 AM, Martin Olsson wrote:
>>>>> 
>>>>>> Sounds great!
>>>>>> 
>>>>>> I'm just curious, what passwords (i.e. what protocols and services
>>>>>> (or
>>>>>> patterns?)) will the ra-clients hide?
>>>>>> 
>>>>>> FTP passwords obviously.
>>>>>> 
>>>>>> /Elof
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: Carter Bullard [mailto:carter at qosient.com]
>>>>>>> Sent: Tuesday, January 17, 2012 3:22 PM
>>>>>>> To: elof2 at sentor.se
>>>>>>> Cc: Argus Development
>>>>>>> Subject: Re: [ARGUS] Forced obfuscation in user data?
>>>>>>> 
>>>>>>> Hey \Elof2,
>>>>>>> OK, I fixed the bug so we're consistent in the effort, (replace an
>>>>>>> ' if '
>>>>>>> with a ' while ')
>>>>>>> and I documented the feature in the rarc.5 man page, and I've
>>>>>>> documented
>>>>>>> the -x option in the ra.1 man page.
>>>>>>> 
>>>>>>> Just a note.  This 'feature' is there simply as a safety, so that
>>>>>>> the
>>>>>>> casual
>>>>>>> user doesn't inadvertently leak captured passwords.  Its not
>>>>>>> intended as
>>>>>>> a real protection strategy.   On the contrary, being able to
>>>>>>> recover clear
>>>>>>> text passwords is a good security strategy.  Since they are a bad
>>>>>>> idea,
>>>>>>> being able to detect them on the wire is the only way to enforce the
>>>>>>> policy.
>>>>>>> 
>>>>>>> Thanks !!!!!!!
>>>>>>> 
>>>>>>> Carter
>>>>>>> 
>>>>>>> On Jan 17, 2012, at 7:48 AM, Carter Bullard wrote:
>>>>>>> 
>>>>>>>> Hmmm, thanks, I'll fix that on this next round of clients.
>>>>>>>> Carter
>>>>>>>> 
>>>>>>>> On Jan 17, 2012, at 4:29 AM, elof2 at sentor.se wrote:
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Ah, an undocumented feature.
>>>>>>>>> -x solved it. Thanks.
>>>>>>>>> 
>>>>>>>>> BTW, in my logs I found a bunch of plaintext passwords even when
>>>>>>>>> not
>>>>>>> using -x. Apparently you only obfuscate the first PASS in a session.
>>>>>>>>> In sessions where the first login attempt(s) fail, ra will reveal
>>>>>>>>> the
>>>>>>> password of the second and later attempts.
>>>>>>>>> 
>>>>>>>>> <- Welcome-banner
>>>>>>>>> -> USER foo PASS bar1
>>>>>>>>> <- Login incorrect
>>>>>>>>> -> USER foo PASS bar!
>>>>>>>>> <- Login successful
>>>>>>>>> 
>>>>>>>>> suser data printed by ra (without -x) show:
>>>>>>>>> s[42]=USER foo..PASS xxxx..USER foo..PASS bar!..
>>>>>>>>>                 ^^^^                 ^^^^
>>>>>>>>> while ra -x reveal both passwords:
>>>>>>>>> s[42]=USER foo..PASS bar1..USER foo..PASS bar!..
>>>>>>>>> 
>>>>>>>>> /Elof
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Mon, 16 Jan 2012, Carter Bullard wrote:
>>>>>>>>> 
>>>>>>>>>> Hey /Elof,
>>>>>>>>>> Yes, that was a request.  The obfuscation is done in the ascii
>>>>>>>>>> printer
>>>>>>> in the clients.
>>>>>>>>>> If you use the "-x" option, it will print them out.
>>>>>>>>>> 
>>>>>>>>>> Carter
>>>>>>>>>> 
>>>>>>>>>> On Jan 16, 2012, at 11:07 AM, elof2 at sentor.se wrote:
>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> I just looked at the suser data in my argus logfile.
>>>>>>>>>>> It appears that argus is obfuscating the data even though I'm
>>>>>>>>>>> not
>>>>>>> asking for it.
>>>>>>>>>>> 
>>>>>>>>>>> ra -s suser:120 -r argus.log - dst host 2.2.2.2 and dst port 21
>>>>>>>>>>> s[116]=USER myloginname..PASS xxxxxxxxx..CWD /foo/bar..TYPE
>>>>>>> I..PASV..STOR gazonk.pdf..QUIT..
>>>>>>>>>>> 
>>>>>>>>>>> The FTP password I entered was "foobar", not "xxxxxxxxx".
>>>>>>>>>>> Somewhere, all FTP passwords are being obfuscated into
>>>>>>>>>>> "xxxxxxxxx".
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 1.
>>>>>>>>>>> Is the obfuscation done in argus (i.e. the logfile never even
>>>>>>>>>>> contain
>>>>>>> the true password) or is it done in ra?
>>>>>>>>>>> 
>>>>>>>>>>> 2.
>>>>>>>>>>> Can this be turned off? I need the true data for evidence.
>>>>>>>>>>> 
>>>>>>>>>>> 3.
>>>>>>>>>>> If the obfuscation is performed in argus, won't this introduce a
>>>>>>> slight performance penalty? ...a few cpu cycles are wasted
>>>>>>> verifying if
>>>>>>> the current packet need to be obfuscated, and if so, obfuscate it.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> My argus.conf:
>>>>>>>>>>> ARGUS_MONITOR_ID=1.2.3.4
>>>>>>>>>>> ARGUS_INTERFACE=mon0
>>>>>>>>>>> ARGUS_OUTPUT_FILE=/foo/log/out.log
>>>>>>>>>>> ARGUS_DAEMON=yes
>>>>>>>>>>> ARGUS_ACCESS_PORT=0
>>>>>>>>>>> ARGUS_GENERATE_MAC_DATA=yes
>>>>>>>>>>> ARGUS_CAPTURE_DATA_LEN=120
>>>>>>>>>>> ARGUS_FILTER=""
>>>>>>>>>>> 
>>>>>>>>>>> My ra command:
>>>>>>>>>>> ra -s suser:120 -r argus.log - dst host 2.2.2.2 and dst port 21
>>>>>>>>>>> 
>>>>>>>>>>> /Elof
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>> 
>>>>> -------------- next part --------------
>>>>> A non-text attachment was scrubbed...
>>>>> Name: smime.p7s
>>>>> Type: application/pkcs7-signature
>>>>> Size: 4367 bytes
>>>>> Desc: not available
>>>>> Url : 
>>>>> https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/201
>>>>> 20117/8e918136/attachment-0001.bin
>>>>> 
>>>>> ------------------------------
>>>>> 
>>>>> _______________________________________________
>>>>> Argus-info mailing list
>>>>> Argus-info at lists.andrew.cmu.edu
>>>>> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>>>>> 
>>>>> 
>>>>> End of Argus-info Digest, Vol 77, Issue 14
>>>>> ******************************************
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Best Regards,
>>>>> 
>>>>> CS Lee<geek00L[at]gmail.com>
>>>>> 
>>>>> http://geek00l.blogspot.com
>>>>> http://defcraft.net
>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4363 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120119/e45251c6/attachment.bin>


More information about the argus mailing list