ArgusClientBug TCP Connection Direction Query
Nelson, Carl M.
cmn at leicester.ac.uk
Mon Oct 1 07:24:06 EDT 2012
Carter,
Thanks for your advice. With clients version 3.0.7.2 this is how my example query output looks now - it looks good to me:
cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 - host 143.210.138.129 and host 212.58.244.68
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State srcUdata
11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
11:57:19.265802 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 1 60 sSEf*
11:57:25.721474 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 7 3152 SEC s[80]=GET /news/10284448/ticker.sjson?jsoncallback=bbc.fmtj.net.json.model.getFeedById
11:57:36.262364 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 60 80226 SEC s[80]=GET /news/uk-england-leicestershire-19561018 HTTP/1.1..Accept: application/x-ms-
11:57:48.854077 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 3 180 SEfF*
11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
And with duser added we see the "200 OK" responses in the flow which has its connection direction originating from the browser as would be expected - nice:
cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 +duser:80 - host 143.210.138.129 and host 212.58.244.68
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State srcUdata dstUdata
11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:56:54 GMT..Server: Apache..Vary: Cook
11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
11:57:19.265802 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 1 60 sSEf*
11:57:25.721474 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 7 3152 SEC s[80]=GET /news/10284448/ticker.sjson?jsoncallback=bbc.fmtj.net.json.model.getFeedById d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
11:57:36.262364 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 60 80226 SEC s[80]=GET /news/uk-england-leicestershire-19561018 HTTP/1.1..Accept: application/x-ms- d[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
11:57:48.854077 e tcp 143.210.138.129.64401 -> 212.58.244.68.80 3 180 SEfF*
11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
--
Carl Nelson, Systems Architect (Network Security) IT Services,
Computer Centre, University Road, University of Leicester,
Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 229 7944; Email: cmn at le.ac.uk<mailto:cmn at le.ac.uk>
Elite Without Being Elitist
Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
Follow us on Twitter http://twitter.com/uniofleicester
From: Carter Bullard [mailto:carter at qosient.com]
Sent: 14 September 2012 20:23
To: Nelson, Carl M.
Cc: 'argus-info at lists.andrew.cmu.edu'
Subject: Re: [ARGUS] ArgusClientBug TCP Connection Direction Query
Hey Carl,
Yes, this is a bug that we've been working on the list, driven mostly by the persistence of Rafael Barbosa.
This is not an argus problem, but a ra* problem, and we're getting close to having most of these
non-conformant protocol flows corrected. You're flow doesn't have the SYN, only a SYN_ACK ( S ),
which normally should be reversed, but the bug isn't reversing the direction in your case.
All of the flows should be corrected for direction, when the bug is obliterated, except
the last flow report you have, which has the " ? " in the direction. It should be corrected
when you do any form of aggregation, however.
Have you tried the version of argus-clients-3.0.7.2 that I sent to the list on Sept 12th?
Subject "Re: [ARGUS] Problems with racluster" . This should solve your bug, but if not,
please send more email to the list.
If you can't find that version in the archive, send me email directly and I'll forward a copy
of the version we're using to test these specific bug fixes.
Thanks !!!!!!
Carter
On Sep 14, 2012, at 3:52 AM, "Nelson, Carl M." <cmn at leicester.ac.uk<mailto:cmn at leicester.ac.uk>> wrote:
>Description:
I think Argus ra sometimes reports the source of TCP connections incorrectly. I do not know if this is a limitation to be expected or a bug so I will report it anyway.
>How-To-Repeat:
The example below seems to show that the BBC website has initiated a TCP connection to one of our systems on port 64401. The web server in fact seems to be responding with "200 OK" to a previous GET request. Our router ACLs do not permit such a connection.
cmn at zeus:~$ ra -z -n -r /srv/argus/flows/2012-09-12/0.0.0.0-11:5* -s +suser:80 - host 143.210.138.129 and host 212.58.244.68
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State srcUdata
11:56:54.142532 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 86 122487 sSE s[80]=GET /news/ HTTP/1.1..Accept: application/x-ms-application, image/jpeg, applicati
11:57:06.832805 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 2 120 sSEfF
11:57:19.265802 e tcp 143.210.138.129.64380 -> 212.58.244.68.80 1 60 sSEf*
11:57:25.721474 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 7 3152 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:25 GMT..Server: Apache..Vary: Cook
11:57:36.262364 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 60 80226 SE s[80]=HTTP/1.1 200 OK..Date: Wed, 12 Sep 2012 10:57:36 GMT..Server: Apache..Vary: Cook
11:57:48.854077 e tcp 212.58.244.68.80 -> 143.210.138.129.64401 3 180 SEfFR
11:58:48.872353 e tcp 212.58.244.68.80 <?> 143.210.138.129.64411 3 180 fR
>Fix: Unknown.
>Submitter-Id: Carl Nelson
>Originator: Carl Nelson
>Organization: University of Leicester IT Services Department.
>Argus support: none
>Release: argus-3.0.4 (note: I also downloaded 3.0.7.1 clients and the ra output was the same)
>Product: ra
>Synopsis: I think Argus ra sometimes reports the source of TCP connections incorrectly.
>Class: sw-bug
>Severity: non-critical
>Priority: low
>Environment: Debian squeeze
System: Linux zeus 2.6.32-5-xen-amd64 #1 SMP Sun May 6 08:57:29 UTC 2012 x86_64 GNU/Linux
Paths: /opt/argus/bin/ra /usr/bin/make /usr/bin/gcc /usr/bin/cc
RA: Ra Version 3.0.6
GCC: Using built-in specs.
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.4.5-8' --with-bugurl=file:///usr/share/doc/gcc-4.4/README.Bugs<file:///\\usr\share\doc\gcc-4.4\README.Bugs> --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.4 --enable-shared --enable-multiarch --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.4 --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.4.5 (Debian 4.4.5-8)
LIBC:
lrwxrwxrwx 1 root root 14 Jun 6 16:33 /lib/libc.so.6 -> libc-2.11.3.so
-rwxr-xr-x 1 root root 1437064 Feb 12 2012 /lib/libc-2.11.3.so
-rw-r--r-- 1 root root 4439052 Feb 12 2012 /usr/lib/libc.a
-rw-r--r-- 1 root root 247 Feb 12 2012 /usr/lib/libc.so
--
Carl Nelson, Systems Architect (Network Security) IT Services,
Computer Centre, University Road, University of Leicester,
Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 229 7944; Email: cmn at le.ac.uk<mailto:cmn at le.ac.uk>
Elite Without Being Elitist
Times Higher Awards Winner 2007, 2008, 2009, 2010, 2011
Follow us on Twitter http://twitter.com/uniofleicester
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20121001/ab36116b/attachment.html>
More information about the argus
mailing list