Couple things...

David Edelman dedelman at iname.com
Tue Aug 6 23:41:32 EDT 2013


Craig,

Just in case you are running into something odd in the argus.conf file, I
suggest that you add -X as the very first argument to the invocation of
argus. I suggest something very simple like:

# /usr/local/bin/argus -X -r somefile.pcap -w /tmp/somefile.argus

If that works (and /tmp is almost always a good place to write the output
because it avoids permission problems) then use racount on the
/tmp/somefile.argus to make sure that everything is as expected and let us
know what happened.

--Dave


From:  Craig Merchant <cmerchant at responsys.com>
Date:  Tuesday, August 6, 2013 11:28 PM
To:  Carter Bullard <carter at qosient.com>
Cc:  Argus <argus-info at lists.andrew.cmu.edu>
Subject:  Re: [ARGUS] Couple things...

I don't know what to tell you.  If you want me to run that trace tool and
send you the output, let me know where to get it and I'll figure it out.
 
Did you take a look at the pcap file to see if there were a lot of missing
SYN/SYNACK packets?
 
Thanks.

Craig
 

From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, August 06, 2013 10:02 AM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Couple things...
 
Hey Craig,

I'm not having any problems reading your tcpdump.pcap file
with my version of argus, so I can't reproduce a fault.

 

% thoth:Data carter$ argus -r tcpdump*pcap -w - | racount
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
    sum   402665      9999999        5205934        4794065        4795152829         2664296730         2130856099

Is there a specific feature or command line option that generates
your problem?

 

Carter
 

On Aug 3, 2013, at 2:23 PM, Carter Bullard <carter at qosient.com> wrote:


OK, with the pcap we'll figure it out.

So the ssh keystroke algorithm is round trip sensitive, and its tuned for
the enterprise border viewing, but there are a lot of knobs that can be
turned.  The real trick is having, again, a packet file of a session so we
can see what the algorithm is doing.

Grab a few and we can go over it packet for packet.

Carter


Carter Bullard, QoSient, LLC

150 E. 57th Street Suite 12D

New York, New York 10022

+1 212 588-9133 Phone

+1 212 588-9134 Fax


On Aug 2, 2013, at 3:06 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> I don't know what to tell you, Carter.  The version of 3.0.7.4 that I'm
> running has the same MD5 sum as the latest in qosient.com/dev
> <http://qosient.com/dev> …
> 
> I've uploaded the pcap file I'm trying to convert to your FTP server.
> 
> I've attached the debug file, but after further testing I think it's an
> algorithm configuration issue.  I've tried testing normal and reverse
> keystroke detection between hosts that were in the same data center and
> dnstroke and snstroke always show up as "0,0" or ",," (the latter happens more
> when there are directional issues).  But if I watch a host that I ssh into
> over the VPN from my home connection, Argus detects keystrokes.
> 
> I've tried reading through the academic paper you guys published on the
> keystroke detection and it's beyond me.  If it works for a slower network
> connection and not a faster network connection (or maybe I should say
> lower/higher latency connection), which configuration options should I
> experiment with to find the right balance?
> 
> Thanks.
> 
> Craig
> 
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Friday, August 02, 2013 8:37 AM
> To: Craig Merchant
> Cc: Argus (argus-info at lists.andrew.cmu.edu)
> Subject: Re: [ARGUS] Couple things...
>  
> Hey Craig,
> 
> Was in Calif all last week, and just now catching up.
> 
> I really think the argus crashing issue is fixed.  At least
> it works with all data that has been uploaded.  But if you have
> packet data that is blowing argus up, can you send ???
> 
> There is a possibility that you may not have the most recent
> version of argus-3.0.7.4.  I sometimes put up new software
> without changing the number, like if I make a mistake and
> put up the wrong version.  So, there could be a race condition.
> Check the md5 or date times, or just grab again, if there is
> any doubt.
> 
> You have to turn on keystroke detection, so, don't comment out
> the ARGUS_KEYSTROKE="yes" line.  The CONF line you can comment
> out.
> 
> To troubleshoot the keystroke algorithm, with argus running, but
> not as a daemon, you can send a USR1 signal to it,
> 
>    # kill -USR1 argus.pid
> 
> and it will print out stats that include the keystroke algorithm
> configuration, if it's turned on. When you send a USR1 signal to
> argus, you increment the Debug flag setting for all of argus, and
> so you should start getting debug messages, if the debug facility
> is compiled in. Send another USR1 and you'll increase the debug
> information.  Most of the per packet keystroke debugging is at
> debug level 5.
> 
> Send a USR2 signal to argus ( # kill -USR2 argus.pid ) to turn
> debug reporting off.
> 
> Carter
> 
>  
>  
> 
> On Aug 1, 2013, at 7:02 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> 
> 
> Hey, Carter…
> 
> I just wanted to check in and see if you need anything else from me on the labeling
> issue or argus crashing when trying to convert a pcap file.  Let me know…
> 
> I'm also having some issues with keystroke detection with the latest release.
> The following command used to work in my testing:
> 
> /usr/local/bin/ra -S 10.10.10.10:561 -n -u -c "," -s "+0dnstroke,+1snstroke" - host 10.1.1.1 and host 10.1.1.2
> 
> I tried both a normal and reverse SSH session between the two hosts and
> neither one registered keyboard strokes of varying speeds and intensity.
> 
> All I've done is commented out the defaults in argus.conf:
> 
> ARGUS_KEYSTROKE="yes"
> ARGUS_KEYSTROKE_CONF="GPC_MAX=4"
> 
> I performed pretty much the same testing a couple months ago and got plenty of
> flows where keystrokes were detected.  Please let me know what you'd recommend
> for troubleshooting that.
> 
> Thanks.
> 
> Craig
> 
> <debug.zip>
 


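The thread distinguishes three outcomes for the ra keystroke fields: "0,0" (algorithm ran, counted nothing), ",," (fields never populated, which Craig ties to directional issues), and non-zero counts. The triage helper below is an added example, not code from the thread or from the argus project; it assumes the column layout that `ra -n -u -c "," -s "+0dnstroke,+1snstroke"` produces (the two counters inserted ahead of ra's default fields) and runs over a constructed sample rather than real ra output.

```python
import csv
from collections import Counter
from io import StringIO

# Assumed column order for:  ra -n -u -c "," -s "+0dnstroke,+1snstroke" ...
# (keystroke counters first, then ra's default fields; verify against your own output)
FIELDS = ["dnstroke", "snstroke", "stime", "flgs", "proto", "saddr", "sport",
          "dir", "daddr", "dport", "pkts", "bytes", "state"]

# Constructed sample lines in that layout, not taken from the mailing list.
SAMPLE = """\
0,0,1375401600.123456,e,tcp,10.1.1.1,52134,->,10.1.1.2,22,340,45120,CON
,,1375401601.200000,e,tcp,10.1.1.2,22,<-,10.1.1.1,52134,12,1800,CON
4,17,1375401602.000000,e,tcp,192.0.2.10,40011,->,10.1.1.2,22,512,61000,CON
0,0,1375401603.000000,e,tcp,10.1.1.1,52135,->,10.1.1.2,443,20,3000,FIN
"""


def classify(row):
    """Map the dnstroke/snstroke pair to one of the three outcomes seen in the thread."""
    d, s = row["dnstroke"].strip(), row["snstroke"].strip()
    if d == "" and s == "":
        return "unset"       # the ",," case: metric never populated for this flow
    if d == "0" and s == "0":
        return "zero"        # algorithm ran but counted no keystrokes
    return "detected"        # at least one direction carries a non-zero count


def is_ssh(row):
    """Only flows with port 22 on either side are relevant to keystroke detection."""
    return row["proto"] == "tcp" and "22" in (row["sport"], row["dport"])


def triage(text):
    """Count flows per outcome and flag flows whose server port sits on the source side."""
    reader = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    summary = Counter()
    for row in reader:
        if not is_ssh(row):
            continue
        summary[classify(row)] += 1
        # server port as the source is the "directional issue" to inspect first
        if row["sport"] == "22":
            summary["reversed_dir"] += 1
    return dict(summary)


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A large "unset" count relative to "zero" points at flow direction or argus.conf rather than the algorithm's timing knobs.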