ArgusClientBug TCP Connection Direction Query

Nelson, Carl M. cmn at leicester.ac.uk
Mon Oct 1 07:24:06 EDT 2012


Carter,

Thanks for your advice. With clients version 3.0.7.2 this is how my example query output looks now - it looks good to me:

cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 - host 143.210.138.129 and host 212.58.244.68
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State                                         srcUdata
   11:56:54.142532  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80           86     122487   sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
   11:57:06.832805  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80            2        120 sSEfF
   11:57:19.265802  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80            1         60 sSEf*
   11:57:25.721474  e           tcp    143.210.138.129.64401     ->      212.58.244.68.80            7       3152   SEC s[80]=GET /news/10284448/ticker.sjson?jsoncallback=bbc.fmtj.net.json.model.getFeedById
   11:57:36.262364  e           tcp    143.210.138.129.64401     ->      212.58.244.68.80           60      80226   SEC s[80]=GET /news/uk-england-leicestershire-19561018 HTTP/1.1..Accept: application/x-ms-
   11:57:48.854077  e           tcp    143.210.138.129.64401     ->      212.58.244.68.80            3        180 SEfF*
   11:58:48.872353  e           tcp      212.58.244.68.80       <?>    143.210.138.129.64411         3        180    fR


And with duser added we see the "200 OK" responses in the flow which has its connection direction originating from the browser as would be expected - nice:

cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 +duser:80 - host 143.210.138.129 and host 212.58.244.68
         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State                                         srcUdata                                                                                  dstUdata
   11:56:54.142532  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80           86     122487   sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati    d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:56:54 GMT..Server: Apache..Vary: Cook
   11:57:06.832805  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80            2        120 sSEfF
   11:57:19.265802  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80            1         60 sSEf*
   11:57:25.721474  e           tcp    143.210.138.129.64401     ->      212.58.244.68.80            7       3152   SEC s[80]=GET /news/10284448/ticker.sjson?jsoncallback=bbc.fmtj.net.json.model.getFeedById    d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
   11:57:36.262364  e           tcp    143.210.138.129.64401     ->      212.58.244.68.80           60      80226   SEC s[80]=GET /news/uk-england-leicestershire-19561018 HTTP/1.1..Accept: application/x-ms-    d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
   11:57:48.854077  e           tcp    143.210.138.129.64401     ->      212.58.244.68.80            3        180 SEfF*
   11:58:48.872353  e           tcp      212.58.244.68.80       <?>    143.210.138.129.64411         3        180    fR
--
Carl Nelson, Systems Architect (Network Security) IT Services,
Computer Centre, University Road, University of Leicester,
Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 229 7944; Email: cmn at le.ac.uk

Elite Without Being Elitist
Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
Follow us on Twitter http://twitter.com/uniofleicester

From: Carter Bullard [mailto:carter at qosient.com]
Sent: 14 September 2012 20:23
To: Nelson, Carl M.
Cc: 'argus-info at lists.andrew.cmu.edu'
Subject: Re: [ARGUS] ArgusClientBug TCP Connection Direction Query

Hey Carl,
Yes, this is a bug that we've been working on the list, driven mostly by the persistence of Rafael Barbosa.
This is not an argus problem, but a ra* problem, and we're getting close to having most of these
non-conformant protocol flows corrected.  Your flow doesn't have the SYN, only a SYN_ACK ( S ),
which normally should be reversed, but the bug isn't reversing the direction in your case.

All of the flows should be corrected for direction, when the bug is obliterated, except
the last flow report you have, which has the " ? " in the direction.  It should be corrected
when you do any form of aggregation, however.

Have you tried the version of argus-clients-3.0.7.2 that I sent to the list on Sept 12th?
Subject "Re: [ARGUS] Problems with racluster" .  This should solve your bug, but if not,
please send more email to the list.

If you can't find that version in the archive, send me email directly and I'll forward a copy
of the version we're using to test these specific bug fixes.

Thanks !!!!!!

Carter


On Sep 14, 2012, at 3:52 AM, "Nelson, Carl M." <cmn at leicester.ac.uk> wrote:


>Description:
  I think Argus ra sometimes reports the source of TCP connections incorrectly. I do not know if this is a limitation to be expected or a bug so I will report it anyway.

>How-To-Repeat:

   The example below seems to show that the BBC website has initiated a TCP connection to one of our systems on port 64401. The web server in fact seems to be responding with "200 OK" to a previous GET request. Our router ACLs do not permit such a connection.

   cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 - host 143.210.138.129 and host 212.58.244.68

         StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State                                         srcUdata
   11:56:54.142532  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80           86     122487   sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
   11:57:06.832805  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80            2        120 sSEfF
   11:57:19.265802  e           tcp    143.210.138.129.64380     ->      212.58.244.68.80            1         60 sSEf*
   11:57:25.721474  e           tcp      212.58.244.68.80        ->    143.210.138.129.64401         7       3152    SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
   11:57:36.262364  e           tcp      212.58.244.68.80        ->    143.210.138.129.64401        60      80226    SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
   11:57:48.854077  e           tcp      212.58.244.68.80        ->    143.210.138.129.64401         3        180 SEfFR
   11:58:48.872353  e           tcp      212.58.244.68.80       <?>    143.210.138.129.64411         3        180    fR

>Fix: Unknown.

>Submitter-Id: Carl Nelson
>Originator:    Carl Nelson
>Organization: University of Leicester IT Services Department.
>Argus support: none
>Release:       argus-3.0.4 (note: I also downloaded 3.0.7.1 clients and the ra output was the same)
>Product:       ra
>Synopsis:      I think Argus ra sometimes reports the source of TCP connections incorrectly.
>Class:         sw-bug
>Severity:    non-critical
>Priority:     low

>Environment:   Debian squeeze

System:  Linux zeus 2.6.32-5-xen-amd64 #1 SMP Sun May 6 08:57:29 UTC 2012 x86_64 GNU/Linux
Paths:    /opt/argus/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc

RA:      Ra Version 3.0.6

GCC:     Using built-in specs.
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.4.5-8' --with-bugurl=file:///usr/share/doc/gcc-4.4/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.4 --enable-shared --enable-multiarch --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.4 --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.4.5 (Debian 4.4.5-8)

LIBC:
lrwxrwxrwx 1 root root 14 Jun  6 16:33 /lib/libc.so.6 -> libc-2.11.3.so
-rwxr-xr-x 1 root root 1437064 Feb 12  2012 /lib/libc-2.11.3.so
-rw-r--r-- 1 root root 4439052 Feb 12  2012 /usr/lib/libc.a
-rw-r--r-- 1 root root 247 Feb 12  2012 /usr/lib/libc.so


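The direction rule Carter describes above (a record whose only handshake flag is the SYN_ACK was built from the responder's side and should be reversed; a record with no handshake flags at all stays "<?>"), applied to ra output with a small parser. This is an added illustration, not code from argus or argus-clients; the flag letters 's' (SYN) and 'S' (SYN_ACK) are taken from Carter's reply, and the sample records, the local prefix "143.210." and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass, replace

# Flag letters as Carter describes them: 's' = SYN seen, 'S' = SYN_ACK seen
# (assumption: only these two handshake flags drive the direction rule).
SYN, SYN_ACK = "s", "S"

@dataclass
class Flow:
    start: str
    src: str        # "addr.port" of the endpoint ra reported as source
    dir: str
    dst: str
    pkts: int
    nbytes: int
    state: str
    udata: str = ""
    reversed: bool = False   # set when the rule swapped src and dst

def parse_ra_line(line: str) -> Flow:
    """Parse one ra record: StartTime Flgs Proto Src Dir Dst TotPkts TotBytes State [udata]."""
    f = re.split(r"\s+", line.strip(), maxsplit=9)
    if len(f) < 9:
        raise ValueError(f"short record: {line!r}")
    return Flow(f[0], f[3], f[4], f[5], int(f[6]), int(f[7]), f[8], f[9] if len(f) > 9 else "")

def correct_direction(flow: Flow) -> Flow:
    """If the only handshake flag is SYN_ACK, the record was built from the responder's
    first packet, so the endpoints are swapped. With neither SYN nor SYN_ACK (the 'fR'
    record) the handshake was never seen and the direction stays '<?>'."""
    if SYN in flow.state:
        return flow                                  # SYN came from src: trust ra
    if SYN_ACK in flow.state:
        return replace(flow, src=flow.dst, dst=flow.src, dir="->", reversed=True)
    return replace(flow, dir="<?>")

def inbound_initiated(text: str, local_prefix: str) -> list[Flow]:
    """Flows whose corrected initiator is outside local_prefix: what an ACL that only
    permits outbound connections should never produce. Unknown-direction flows are skipped."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        fl = correct_direction(parse_ra_line(line))
        if fl.dir == "->" and not fl.src.startswith(local_prefix):
            hits.append(fl)
    return hits

# Constructed sample patterned on the thread's ra output (udata shortened): the two
# 'SE' records are the ones ra attributed to the web server in the original report.
SAMPLE = """\
11:56:54.142532  e  tcp  143.210.138.129.64380  ->   212.58.244.68.80       86  122487  sSE s[80]=GET /news/ HTTP/1.1
11:57:06.832805  e  tcp  143.210.138.129.64380  ->   212.58.244.68.80        2     120  sSEfF
11:57:25.721474  e  tcp  212.58.244.68.80       ->   143.210.138.129.64401   7    3152  SE s[80]=HTTP/1.1 200 OK
11:57:48.854077  e  tcp  212.58.244.68.80       ->   143.210.138.129.64401   3     180  SEfFR
11:58:48.872353  e  tcp  212.58.244.68.80       <?>  143.210.138.129.64411   3     180  fR
"""

if __name__ == "__main__":
    for fl in map(correct_direction, map(parse_ra_line, filter(str.strip, SAMPLE.splitlines()))):
        print(fl.start, fl.src, fl.dir, fl.dst, fl.state, "(reversed)" if fl.reversed else "")
    print("inbound-initiated after correction:", len(inbound_initiated(SAMPLE, "143.210.")))
```

After correction the two "200 OK" records point from the browser to the web server, as in the 3.0.7.2 output at the top of the thread, and the unknown "fR" record is left for aggregation to resolve.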
