Couple things...

Carter Bullard carter at qosient.com
Sat Aug 3 14:23:13 EDT 2013 

OK, with the pcap we'll figure it out.

So the ssh keystroke algorithm is round trip sensitive, and its tuned for the enterprise border viewing, but there are a lot of knobs that can be turned.  The real trick is having, again, a packet file of a session so we can see what the algorithm is doing.

Grab a few and we can go over it packet for packet.

Carter

Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

On Aug 2, 2013, at 3:06 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> I don’t know what to tell you, Carter.  The version of 3.0.7.4 that I’m running has the same MD5 sum as the latest in qosient.com/dev…
>  
> I’ve uploaded the pcap file I’m trying to convert to your FTP server. 
>  
> I’ve attached the debug file, but after further testing I think it’s an algorithm configuration issue.  I’ve tried testing normal and reverse keystroke detection between hosts that were in the same data center and dnstroke and snstroke always show up as “0,0” or “,,” (the latter happens more when there are directional issues).  But if I watch a host that I ssh into over the VPN from my home connection, Argus detects keystrokes. 
>  
> I’ve tried reading through the academic paper you guys published on the keystroke detection and it’s beyond me.  If it works for a slower network connection and not a faster network connection (or maybe I should say lower/higher latency connection), which configuration options should I experiment with to find the right balance?
>  
> Thanks.
> 
> Craig
>  
>  
>  
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Friday, August 02, 2013 8:37 AM
> To: Craig Merchant
> Cc: Argus (argus-info at lists.andrew.cmu.edu)
> Subject: Re: [ARGUS] Couple things...
>  
> Hey Craig,
> Was in Calif all last week, and just now catching up.
>  
> I really think the argus crashing issue is fixed.  At least
> it works with all data that has been uploaded.  But if you have
> packet data that is blowing argus up, can you send ???
>  
> There is a possibility that you may not have the most recent
> version of argus-3.0.7.4.  I sometimes put up new software
> without changing the number, like if I make a mistake and
> put up the wrong version.  So, there could be a race condition.
> Check the md5 or date times, or just grab again, if there is
> any doubt.
>  
> You have to turn on keystroke detection, so, don't comment out
> the ARGUS_KEYSTROKE="yes" line.  The CONF line you can comment
> out.
>  
> To troubleshoot the keystroke algorithm, with argus running, but
> not as a daemon, you can send a USR1 signal to it,
>  
>    # kill -USR1 argus.pid
>  
> and it will print out stats that include the keystroke algorithm
> configuration, if its turned on. When you send a USR1 signal to
> argus, you increment the Debug flag setting for all of argus, and
> so you should start getting debug messages, if the debug facility
> is compiled in. Send another USR1 and you'll increase the debug
> information.  Most of the per packet keystroke debugging is at
> debug level 5. 
>  
> Send a USR2 signal to argus ( # kill -USR2 argus.pid ) to turn
> debug reporting off.
>  
> Carter
>  
>  
> On Aug 1, 2013, at 7:02 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> 
> Hey, Carter…
>  
> I just wanted to check in and see if you anything else from me on the labeling issue or argus crashing when trying to convert a pcap file.  Let me know…
>  
> I’m also having some issues with keystroke detection with the latest release.  The following command used to work in my testing:
>  
> /usr/local/bin/ra -S 10.10.10.10:561 -n -u -c "," -s "+0dnstroke,+1snstroke" - host 10.1.1.1 and host 10.1.1.2
>  
> I tried both a normal and reverse SSH session between the two hosts and neither one registered keyboard strokes of varying speeds and intensity.
>  
> All I’ve done is commented out the defaults in argus.conf:
>  
> ARGUS_KEYSTROKE="yes"
> ARGUS_KEYSTROKE_CONF="GPC_MAX=4"
>  
> I performed pretty much the same testing a couple months ago and got plenty of flows where keystrokes were detected.  Please let me know what you’d recommend for troubleshooting that.
>  
> Thanks.
> 
> Craig
>  
> <debug.zip>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130803/fa8c7162/attachment.html>

More information about the argus mailing list