Bug in direction?

Carter Bullard carter at qosient.com
Mon Jul 30 20:11:33 EDT 2012 

Hey Rafael,
Not sure that there is a bug.  We changed the simple rule of SYN or SYN_ACK
specifying the direction, because single SYN_ACK packets are used quite frequently
in scanning strategies.  So, if there are no other packets, and just SYN_ACK, we
leave the direction to indicate the source of the scan, because, more than likely
its a scan job?

Maybe we should put a ' ? ' in these cases? or we could put the arrow in the other
direction?  What do you think?

Carter

On Jul 27, 2012, at 9:19 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:

> Hi,
> 
> I may have fund a bug in the argus with respect to the direction of TCP connections. When only the SYN-ACK message is received in TCPs 3-way handshake (i.e., the SYN is missing), argus is setting the direction from server to client, instead of client to server.
> 
> Small example:
> $> tcpdump -r anon.pcap 
> reading from file anon.pcap, link-type EN10MB (Ethernet)
> 14:53:53.713258 IP 117.12.236.14.https > 117.69.107.235.1047: Flags [S.], seq 3044833418, ack 1678823480, win 5840, options [mss 1436,nop,nop,sackOK], length 0
> 14:56:03.341851 IP 117.12.236.14.https > 117.69.107.235.1042: Flags [S.], seq 3194374727, ack 2254352525, win 5840, options [mss 1436,nop,nop,sackOK], length 0
> 
> $> argus -r anon.pcap -w flows.argus
> $> ra -r flows.argus 
>    13:53:53.713258  *           tcp      117.12.236.14.https     ->     117.69.107.235.1047          1         66   ACC
>    13:56:03.341851  *           tcp      117.12.236.14.https     ->     117.69.107.235.1042          1         66   ACC
> 
> Using the latest stable version, argus-3.0.6.1.
> 
> Best regards,
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
> 
> <anon.pcap>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120730/736e4bbb/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120730/736e4bbb/attachment.bin>

More information about the argus mailing list