A Suggestion for an explicit SYN/ACK Indicator in Argus
Carter Bullard
carter at qosient.com
Sun Aug 18 13:40:10 EDT 2013
Hey Dave,
Argus does exactly as you suggest. You are printing out the TCP flags when you use the "Z" option. You want the "z" option, as that prints the argus TCP states, which tracks SYN, SYN_ACK, ACK, FIN, FIN_ACK and RST. The 's' is a SYN and the 'S' is the SYN/ACK. The argus state, however, is not directional; it covers the complete connection. To do what you want in a general fashion, we may need to add more states to the argus TCP state machine.
You may want both fields, I suspect, or your extension recommendation.
Let's take some time to figure out all the (or most) conditions to see if the simple extension is enough !!!!
Carter
On Aug 16, 2013, at 8:07 PM, "David Edelman" <dedelman at iname.com> wrote:
> Regardless of what innumerable CISSPs have been led to believe, the response
> to a TCP packet with the SYN flag set is a TCP packet with the ACK flag set.
> It is permissible and almost always the case to also set the SYN flag and
> the appropriate option and sequence number bits and pieces but it is not a
> requirement to do so. It is perfectly permissible for the server to send an
> ACK packet followed by a second packet with the SYN flag set and its part of
> the session initiation parameters in order to complete the three-way
> handshake. On the other hand, almost all instances of this 3.1 way handshake
> are malicious.
>
> For that reason, and to make it much easier to clearly differentiate between
> the client and the server where the necessary information is available, is
> it possible to create an indicator saying that a single packet was seen that
> had both the SYN and the ACK flags set?
>
> I'd love to see something like FSPA_XFSPA (I always use -Zb) as compared to
> the current FSPA_FSPA. In fact with the SYN/ACK indicator available, I would
> know that FSPA_FSPA indicates a flow worthy of extra scrutiny since I see
> both SYNs but I have no indication that there was a single packet with both
> SYN and ACK set.
>
> If this already exists but is obscured by -Zb, would it be possible to
> augment the output of State field to include an additional indicator for
> SYN/ACK or to add a new field (possibly called Role) to expose the
> information?
>
> --Dave
>
>
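Added example, not Argus code: a small Python tracker that records the per-direction union of TCP flags (what -Zb reports) alongside the single-packet SYN/ACK indicator Dave asks for, and flags flows where both SYNs were seen but no one packet carried SYN and ACK together. The 'X' letter, the Packet/DirState names, the "src"/"dst" direction labels and the sample flows are assumptions; the flag letter order follows the FSPA style used in the thread.

```python
from dataclasses import dataclass

# Standard TCP header flag bits.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class Packet:
    direction: str  # "src" = client->server, "dst" = server->client (constructed labels)
    flags: int

class DirState:
    """Per-direction union of flags seen, plus the proposed single-packet SYN/ACK indicator."""
    def __init__(self):
        self.seen = 0          # OR of every flag seen in this direction (what -Z reports)
        self.synack = False    # set only when ONE packet carried SYN and ACK together

    def observe(self, flags: int) -> None:
        self.seen |= flags
        if flags & SYN and flags & ACK:
            self.synack = True

    def summary(self) -> str:
        # Hypothetical format: a leading 'X' marks a combined SYN/ACK packet, so a
        # normal handshake reads FSPA_XFSPA, as suggested in the thread.
        order = (("F", FIN), ("S", SYN), ("P", PSH), ("A", ACK), ("R", RST))
        return ("X" if self.synack else "") + "".join(c for c, b in order if self.seen & b)

def track(packets):
    # Fold a flow's packets into one DirState per direction.
    src, dst = DirState(), DirState()
    for p in packets:
        (src if p.direction == "src" else dst).observe(p.flags)
    return src, dst

def state_string(packets) -> str:
    src, dst = track(packets)
    return f"{src.summary()}_{dst.summary()}"

def split_handshake(packets) -> bool:
    """True when both sides sent SYN but no single packet had SYN+ACK set: the
    '3.1-way handshake' the thread wants to single out for extra scrutiny."""
    src, dst = track(packets)
    return bool(src.seen & SYN and dst.seen & SYN) and not (src.synack or dst.synack)

# Constructed sample flows (not captured traffic).
NORMAL = [Packet("src", SYN), Packet("dst", SYN | ACK), Packet("src", ACK),
          Packet("src", PSH | ACK), Packet("dst", PSH | ACK),
          Packet("src", FIN | ACK), Packet("dst", FIN | ACK)]
SPLIT = [Packet("src", SYN), Packet("dst", ACK), Packet("dst", SYN), Packet("src", ACK),
         Packet("src", PSH | ACK), Packet("dst", PSH | ACK),
         Packet("src", FIN | ACK), Packet("dst", FIN | ACK)]
```

With only the flag union, both flows print FSPA_FSPA; the indicator is what separates them.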