ArgusClientBug TCP Connection Direction Query
Carter Bullard
carter at qosient.com
Mon Oct 1 12:03:29 EDT 2012
Hey Carl,
If you run racluster() with the same options, the direction for a few of the flow status records will be corrected, and merged correctly. You may need to grab the racluster.c that I sent to the list earlier, to get the latest version.
Now that the direction and aggregation look to be correct, I'll release argus-clients-3.0.7.2 this week. I'll also release argus-3.0.7.1 this week as well.
Thanks for the bug report, don't hesitate to email the list !!
Carter
On Oct 1, 2012, at 7:24 AM, "Nelson, Carl M." <cmn at leicester.ac.uk> wrote:
> Carter,
>
> Thanks for your advice. With clients version 3.0.7.2 this is how my example query output looks now – it looks good to me:
>
> cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 - host 143.210.138.129 and host 212.58.244.68
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State srcUdata
> 11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
> 11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
> 11:57:19.265802 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 1 60 sSEf*
> 11:57:25.721474 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 7 3152 SEC s[80]=GET /news/10284448/ticker.sjson?jsoncallback=bbc.fmtj.net.json.model.getFeedById
> 11:57:36.262364 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 60 80226 SEC s[80]=GET /news/uk-england-leicestershire-19561018 HTTP/1.1..Accept: application/x-ms-
> 11:57:48.854077 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 3 180 SEfF*
> 11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
>
>
> And with duser added we see the “200 OK” responses in the flow which has its connection direction originating from the browser as would be expected – nice:
>
> cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 +duser:80 - host 143.210.138.129 and host 212.58.244.68
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State srcUdata dstUdata
> 11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:56:54 GMT..Server: Apache..Vary: Cook
> 11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
> 11:57:19.265802 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 1 60 sSEf*
> 11:57:25.721474 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 7 3152 SEC s[80]=GET /news/10284448/ticker.sjson?jsoncallback=bbc.fmtj.net.json.model.getFeedById d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
> 11:57:36.262364 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 60 80226 SEC s[80]=GET /news/uk-england-leicestershire-19561018 HTTP/1.1..Accept: application/x-ms- d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
> 11:57:48.854077 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 3 180 SEfF*
> 11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
> --
> Carl Nelson, Systems Architect (Network Security) IT Services,
> Computer Centre, University Road, University of Leicester,
> Leicester, LE1 7RH, U.K.
> Tel: +44 (0)116 229 7944; Email: cmn at le.ac.uk
>
> Elite Without Being Elitist
> Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
> Follow us on Twitter http://twitter.com/uniofleicester
>
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: 14 September 2012 20:23
> To: Nelson, Carl M.
> Cc: 'argus-info at lists.andrew.cmu.edu'
> Subject: Re: [ARGUS] ArgusClientBug TCP Connection Direction Query
>
> Hey Carl,
> Yes, this is a bug that we've been working on the list, driven mostly by the persistence of Rafael Barbosa.
> This is not an argus problem, but a ra* problem, and we're getting close to having most of these
> non-conformant protocol flows corrected. Your flow doesn't have the SYN, only a SYN_ACK ( S ),
> which normally should be reversed, but the bug isn't reversing the direction in your case.
>
> All of the flows should be corrected for direction, when the bug is obliterated, except
> the last flow report you have, which has the " ? " in the direction. It should be corrected
> when you do any form of aggregation, however.
>
> Have you tried the version of argus-clients-3.0.7.2 that I sent to the list on Sept 12th?
> Subject "Re: [ARGUS] Problems with racluster" . This should solve your bug, but if not,
> please send more email to the list.
>
> If you can't find that version in the archive, send me email directly and I'll forward a copy
> of the version we're using to test these specific bug fixes.
>
> Thanks !!!!!!
>
> Carter
>
>
> On Sep 14, 2012, at 3:52 AM, "Nelson, Carl M." <cmn at leicester.ac.uk> wrote:
>
>
> >Description:
> I think Argus ra sometimes reports the source of TCP connections incorrectly. I do not know if this is a limitation to be expected or a bug so I will report it anyway.
>
> >How-To-Repeat:
>
> The example below seems to show that the BBC website has initiated a TCP connection to one of our systems on port 64401. The web server in fact seems to be responding with “200 OK” to a previous GET request. Our router ACLs do not permit such a connection.
>
> cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 - host 143.210.138.129 and host 212.58.244.68
>
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State srcUdata
> 11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
> 11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
> 11:57:19.265802 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 1 60 sSEf*
> 11:57:25.721474 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 7 3152 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
> 11:57:36.262364 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 60 80226 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
> 11:57:48.854077 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 3 180 SEfFR
> 11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
>
> >Fix: Unknown.
>
> >Submitter-Id: Carl Nelson
> >Originator: Carl Nelson
> >Organization: University of Leicester IT Services Department.
> >Argus support: none
> >Release: argus-3.0.4 (note: I also downloaded 3.0.7.1 clients and the ra output was the same)
> >Product: ra
> >Synopsis: I think Argus ra sometimes reports the source of TCP connections incorrectly.
> >Class: sw-bug
> >Severity: non-critical
> >Priority: low
>
> >Environment: Debian squeeze
>
> System: Linux zeus 2.6.32-5-xen-amd64 #1 SMP Sun May 6 08:57:29 UTC 2012 x86_64 GNU/Linux
> Paths: /opt/argus/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
>
> RA: Ra Version 3.0.6
>
> GCC: Using built-in specs.
> Target: x86_64-linux-gnu
> Configured with: ../src/configure -v --with-pkgversion='Debian 4.4.5-8' --with-bugurl=file:///usr/share/doc/gcc-4.4/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.4 --enable-shared --enable-multiarch --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.4 --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
> Thread model: posix
> gcc version 4.4.5 (Debian 4.4.5-8)
>
> LIBC:
> lrwxrwxrwx 1 root root 14 Jun 6 16:33 /lib/libc.so.6 -> libc-2.11.3.so
> -rwxr-xr-x 1 root root 1437064 Feb 12 2012 /lib/libc-2.11.3.so
> -rw-r--r-- 1 root root 4439052 Feb 12 2012 /usr/lib/libc.a
> -rw-r--r-- 1 root root 247 Feb 12 2012 /usr/lib/libc.so
>
> --
> Carl Nelson, Systems Architect (Network Security) IT Services,
> Computer Centre, University Road, University of Leicester,
> Leicester, LE1 7RH, U.K.
> Tel: +44 (0)116 229 7944; Email: cmn at le.ac.uk
>
> Elite Without Being Elitist
> Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
> Follow us on Twitter http://twitter.com/uniofleicester
>
>
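Carter's explanation above (a record with a SYN_ACK but no SYN should have its endpoints reversed; the "<?>" record is only fixed by aggregation) as an added example, not code from the argus project: it parses ra output lines shaped like Carl's, applies that reversal rule, and shows why an "outside host opened a connection to us" check run on the uncorrected records would misfire. The rule as coded, the Flow class and the function names are this example's own simplification, not ra's or racluster's implementation.

```python
from dataclasses import dataclass, replace

# Constructed ra(1) output lines, copied in shape from the thread: the
# "200 OK" records that ra 3.0.6 reported with the server (212.58.244.68.80)
# as the source, plus the "<?>" record that only aggregation can fix.
# The srcUdata column is dropped to keep the fields whitespace-separated.
BUGGY_RA_OUTPUT = """\
11:57:25.721474 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 7 3152 SE
11:57:36.262364 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 60 80226 SE
11:57:48.854077 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 3 180 SEfFR
11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
"""

@dataclass(frozen=True)
class Flow:
    start: str
    src: str        # "addr.port" exactly as ra prints it
    direction: str  # "->" or "<?>"
    dst: str
    pkts: int
    nbytes: int
    state: str      # Argus TCP state flags, e.g. "sSEfF"

def parse_ra(text):
    """Parse the ra fields used in the thread; non-TCP or short lines are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[2] != "tcp":
            continue
        flows.append(Flow(f[0], f[3], f[4], f[5], int(f[6]), int(f[7]), f[8]))
    return flows

def correct_direction(flow):
    """Rule from the thread: SYN_ACK (S) seen but no SYN (s) means the record
    was started from the server side, so swap the endpoints. Records with an
    unknown direction (<?>) are left alone for racluster to merge."""
    if flow.direction == "<?>":
        return flow
    if "S" in flow.state and "s" not in flow.state:
        return replace(flow, src=flow.dst, dst=flow.src)
    return flow

def apparent_inbound(flows, inside_prefix):
    """Records that look like an outside host opened a connection to an inside
    host. On uncorrected records this misfires on ordinary web responses."""
    return [f for f in flows
            if f.direction == "->" and f.dst.startswith(inside_prefix)
            and not f.src.startswith(inside_prefix)]
```

Run `apparent_inbound` before and after `correct_direction` on the constructed lines: three false "inbound" hits become none, matching what Carl saw once he moved to the fixed clients.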