Does the -Zb switch have some magic incantation?

Digital Ninja dn1nj4 at gmail.com
Tue Oct 16 04:14:56 EDT 2012


Paul,

Try changing "flgs" to "state" in your RA_FIELD_SPECIFIER.

Jason

> Date: Mon, 15 Oct 2012 15:51:43 -0500
> From: Paul Schmehl <pschmehl_lists at tx.rr.com>
> Subject: [ARGUS] Does the -Zb switch have some magic incantation?
>
> I'm working on an rasqlinsert routine for feeding a database with argus
> data.  I have one last hurdle to overcome.
>
> Here's my conf file:
> RA_TIME_FORMAT="%G-%m-%d %T
> RA_FIELD_SPECIFIER="stime saddr daddr sport dport sbytes dbytes flgs
> RA_PRINT_NAMES="none"
>
> When I run this commandline:
> ra -Z b -F rasqlinsert.conf -r
> /var/data/nsm/argus/2012-10-14/argus.log.2012-10-14.16\:00\:00.bz2
>
> It gives me this output:
>
> 2012-10-14 12:00:14      184.72.15.121      129.110.10.35 36584  53     90          144  e
> 2012-10-14 12:00:14        10.19.1.200     192.124.233.27 60844  80   2142         6038  e
> 2012-10-14 12:00:14        10.19.1.200     192.124.233.27 60845  80   2763         1334  e
> 2012-10-14 12:00:14      184.72.15.121      129.110.10.35 31152  53     90          106  e
> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45333  443    66           66  e
> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45338  443    66           66  e
> 2012-10-14 12:00:14       10.174.48.37    171.161.148.172 45331  443    66           66  e
> 2012-10-14 12:00:14       10.174.48.37    171.159.100.181 48308  443    66           66  e
> 2012-10-14 12:00:14       10.160.75.17       50.31.149.59 54778  80    862          701  e
> 2012-10-14 12:00:14      10.110.65.158     199.47.217.146 58944  80    245          293  e
> 2012-10-14 12:00:14      69.175.54.106    129.110.180.172 50014  443    60            0  e
> 2012-10-14 12:00:14        10.19.1.200       64.94.107.30 60847  80    694         2900  e
> 2012-10-14 12:00:14        10.19.1.200       64.94.107.30 60846  80    694         2900  e i
>
> But -Z b should be giving me S SA or PA PA, etc.  What am I doing wrong?
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 15 Oct 2012 20:25:56 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Combining seen DNS data with traffic data: Tracking traffic to domains
> To: Markku Parviainen <maketsi at gmail.com>
> Cc: argus-info at lists.andrew.cmu.edu
> Message-ID: <533383F7-0E91-4910-B8F3-0E0BF4227F4F at qosient.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hey Markku,
> We do have support for printing only the domain names of the addresses:
>
> RA_PRINT_DOMAINONLY=yes
>
> which can be set in the .rarc file, and we did have aggregation on
> domain names, but that implementation is incomplete, so the hooks
> are there for it, but it doesn't appear that you can do it right now.
>
> The idea is to do the reverse lookup for the addresses, take the name
> that is returned, grab the domain part of the name, and use that as the
> value for the saddr or daddr when filtering, processing whatever.  This is
> preferred, as deriving DNS information from packets on the wire can be easily
> manipulated by an adversary, and you may not be able to grab the contents
> of packets, as the snaplen may be small.
>
> We do have DNS name labeling, and it did support this option, but it
> appears to be incomplete as well.  So the design allows you to poke the
> domain name in as a label, but I need to finish it.
>
> There is a man page for ralabel that describes quite a bit, and all you have
> to do is print the label field to see the label:
>
>    ra -s +label
>
> The default length is pretty small, so you should put a length specifier:
>
>    ra -s +label:32
>
> You'll see the format when you print them out.  racluster has primitives for
> grepping labels, etc... and there should be some hints in the racluster.conf
> man page.
>
> And there is a ralabel.conf man page that describes the conf file.
>
> We have extensive support for label processing, so that they can be filtered,
> grep'ed, aggregated, etc....  so we can do a lot with the labels, but not much
> traffic on the mailing list about them, so not much in the way of descriptions
> etc....
>
> So let's go through your example, and figure out what you really want for
> domain name processing, and I'll reimplement the features we had, and
> get it the way you want.  So how do you want to configure this animal?
>
> Carter
>
> On Oct 15, 2012, at 2:07 PM, Markku Parviainen <maketsi at gmail.com> wrote:
>
>> Hi,
>>
>> I was wondering if you could track traffic to domains instead of IPs
>> by combining knowledge from seen DNS traffic with IP addresses seen.
>> This would be much more accurate than labeling the results of reverse
>> lookups that often do not work. This would be useful in ratop and
>> racluster, as you could directly see how much of your traffic is
>> consumed for facebook or other famous CDN sites, or could track
>> requests to suspicious domains that probably are signs of malware
>> infection (xxcz92obzf.cn anyone?), or could map fast-flux domains
>> visited.
>>
>> The basic concept could be implemented quite easily:
>>
>> 1) user does DNS request for A record of www.cdn.net
>> 2) DNS responds that www.cdn.net has two A records: 1.1.1.1 and 2.2.2.2
>> 3) We cache that information for later use, noting the TTL in the DNS response.
>> 4) That same user (saddr) makes an HTTP request to 1.1.1.1 within N
>> seconds from that DNS request, and within the TTL
>> 5) We can assume that the user reached that IP by using name
>> www.cdn.net and label the corresponding flow as being so.
>> 6) racluster/ratop/whatnot by that label
>>
>> Can this be done with existing tools?
>>
>> There seem to be two problems:
>> - Ralabel claims that it "inserts fixed form or free form metadata
>> labels into argus(8)". But how exactly? The manual page and the sample
>> configuration file ralabel.conf do not say how to create that
>> ralabel.conf to insert foo=bar into flow X. They don't say how to view
>> that data later either.
>> - DNS requests need to be found and parsed from argus packets (could
>> use a simple udp and dport 53 filter).
>> - If the parsing is done in batches, we need to match and label flows
>> manually, while also maintaining the time limit referred to in step 4).
>>
>> I guess that if the labeling works, I could implement a batch script
>> for parsing the DNS data and inserting those labels into archived
>> flows. That doesn't help for realtime analysis though.
>>
>
> ------------------------------
>
> _______________________________________________
> Argus-info mailing list
> Argus-info at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>
>
> End of Argus-info Digest, Vol 86, Issue 25
> ******************************************
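The six-step sketch in Markku's quoted message (cache the A records and TTL from an observed DNS answer, then attribute a later flow from the same client to that name if it starts within N seconds and before the TTL expires) is the kind of batch correlator he says he could write as a script. The following is an added example written for this page; it is not argus code, ralabel code, or anything posted in the thread. It assumes the DNS answers and the flow records have already been extracted into plain Python objects (for instance from `ra` output and a separate packet parse of the `udp and dport 53` traffic), so the `DnsAnswer` and `Flow` classes, the field names, the `MAX_GAP_SECONDS` value and every address, name and timestamp in the sample data are constructed for illustration. It also keeps Carter's caveat in view: a name learned from packets on the wire is only a best guess at what the client intended, so the label is returned as a separate value rather than overwriting the flow.

```python
# Added example (not from the argus-info thread): batch-correlate observed DNS
# answers with later flows, following the six-step sketch in the thread.
# All class/field names, constants and sample records below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Step 4's "N": maximum seconds allowed between the DNS answer and the flow start.
MAX_GAP_SECONDS = 30.0


@dataclass
class DnsAnswer:
    ts: float         # time the answer was seen (epoch seconds)
    client: str       # the resolver client, i.e. saddr of the DNS flow
    qname: str        # name that was queried
    addrs: List[str]  # A records carried in the answer
    ttl: int          # TTL of the answer, in seconds


@dataclass
class Flow:
    stime: float
    saddr: str
    daddr: str
    dport: int


@dataclass
class CacheEntry:
    qname: str
    seen: float      # when the answer was observed
    expires: float   # seen + TTL


class DnsFlowLabeler:
    """Caches (client, ip) -> name from observed answers and labels later flows."""

    def __init__(self, max_gap: float = MAX_GAP_SECONDS):
        self.max_gap = max_gap
        self.cache: Dict[Tuple[str, str], CacheEntry] = {}

    def observe_dns(self, ans: DnsAnswer) -> None:
        # Step 3: remember every address the answer maps the name to, with its TTL.
        # The key includes the client, because step 4 requires the same saddr.
        for ip in ans.addrs:
            key = (ans.client, ip)
            cur = self.cache.get(key)
            if cur is None or ans.ts >= cur.seen:   # keep the most recent answer
                self.cache[key] = CacheEntry(ans.qname, ans.ts, ans.ts + ans.ttl)

    def label(self, flow: Flow) -> Optional[str]:
        # Steps 4 and 5: same client, flow starts after the answer, within
        # max_gap of it, and before the TTL runs out. Otherwise no label.
        entry = self.cache.get((flow.saddr, flow.daddr))
        if entry is None:
            return None
        if flow.stime < entry.seen:
            return None                          # flow predates the answer
        if flow.stime - entry.seen > self.max_gap:
            return None                          # too long after the lookup
        if flow.stime > entry.expires:
            return None                          # TTL expired
        return entry.qname


def label_flows(answers: List[DnsAnswer], flows: List[Flow],
                max_gap: float = MAX_GAP_SECONDS) -> List[Tuple[Flow, Optional[str]]]:
    """Batch mode: replay answers and flows in time order so that a flow only
    sees answers that were observed before it started."""
    labeler = DnsFlowLabeler(max_gap)
    # kind 0 = DNS answer, kind 1 = flow; answers sort first at equal timestamps.
    events = [(a.ts, 0, a) for a in answers] + [(f.stime, 1, f) for f in flows]
    events.sort(key=lambda e: (e[0], e[1]))
    out: List[Tuple[Flow, Optional[str]]] = []
    for _, kind, obj in events:
        if kind == 0:
            labeler.observe_dns(obj)
        else:
            out.append((obj, labeler.label(obj)))
    return out


# Constructed sample data (documentation ranges and private addresses only).
SAMPLE_ANSWERS = [
    DnsAnswer(100.0, "10.0.0.5", "www.cdn.net", ["192.0.2.10", "192.0.2.11"], ttl=300),
    DnsAnswer(100.0, "10.0.0.5", "short-ttl.example", ["192.0.2.20"], ttl=5),
]
SAMPLE_FLOWS = [
    Flow(99.0, "10.0.0.5", "192.0.2.10", 80),    # before the answer was seen
    Flow(102.0, "10.0.0.5", "192.0.2.10", 80),   # same client, 2 s later: labeled
    Flow(103.0, "10.0.0.7", "192.0.2.10", 80),   # different client: no label
    Flow(110.0, "10.0.0.5", "192.0.2.20", 443),  # within N but TTL (5 s) expired
    Flow(200.0, "10.0.0.5", "192.0.2.11", 443),  # within TTL but 100 s > N
]

if __name__ == "__main__":
    for flow, name in label_flows(SAMPLE_ANSWERS, SAMPLE_FLOWS):
        print(f"{flow.stime:7.1f} {flow.saddr:>10} -> {flow.daddr:<12} {name or '-'}")
```

Only the second sample flow receives a name; the other four exercise the failure modes Markku's step 4 rules out (wrong client, flow before the lookup, TTL expired, lookup too old). For real-time use the same `DnsFlowLabeler` can be fed events as they arrive instead of through `label_flows`, and the cache should be pruned of expired entries.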
