Detecting unusual SSH traffic...
Craig Merchant
cmerchant at responsys.com
Tue Jan 29 18:41:38 EST 2013
Looks like it was a typo in the -s +suder (should be +suser). Sorry about that!
Craig
From: argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu] On Behalf Of Craig Merchant
Sent: Tuesday, January 29, 2013 2:14 PM
To: Argus (argus-info at lists.andrew.cmu.edu)
Subject: [ARGUS] Detecting unusual SSH traffic...
I'd like to use Argus to monitor the network for outbound SSH connections to unusual ports. I'm guessing that the best way to do this would be to enable the ARGUS_CAPTURE_DATA_LEN feature in argus.conf and then use the regular expression feature of ra clients to look for "SSH".
I set the capture length to 192. I ran the following:
ra -S 192.168.174.41:561 -n -M dsrs="+duser,+suser" -e "^SSH-" -s +suder,+duser
I would expect the user data fields with the "SSH-2.0-" in it to pass the filter, but not the other lines. I tried a regex that wouldn't match anything and now flows showed up. It's almost like ra is matching 22 against SSH even though port labels are disabled with -n.
22:08:18.820140 e s tcp 192.168.60.85.22 -> 192.150.4.28.40511 14 1904 FIN d[10]=SSH-2.0-Op
22:08:18.996308 e g tcp 192.135.13.32.22 <?> 192.150.4.28.33953 11 1152 FIN d[10]=SSH-2.0-Op
22:08:19.025720 e s tcp 192.168.60.60.22 -> 192.158.1.13.32791 22 6480 FIN d[10]=SSH-2.0-SS
22:08:19.187967 e s tcp 192.168.60.61.22 <?> 192.158.1.13.35880 22 4168 FIN d[10]=....95Q...
22:08:19.319604 e s tcp 192.135.13.43.22 <?> 192.150.4.28.33433 14 2674 CON d[10]=....."....
22:08:19.352756 e d tcp 192.150.4.28.40515 <?> 192.168.60.85.22 24 2892 FIN d[10]=..........
22:08:19.494457 e g tcp 192.168.60.63.22 -> 192.158.1.13.42038 18 4356 FIN d[10]=..........
22:08:19.634429 e g tcp 192.220.151.107.22 <?> 192.158.1.13.40983 12 2388 FIN d[10]=..........
Thx.
Craig
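As an added illustration (not part of this thread or of the argus project), the post-processing step a detector would apply to the ra output layout quoted above: parse each line, keep only flows whose captured user data begins with "SSH-", and then drop the ones that touch port 22, so what remains is SSH on unusual ports. The sample lines are constructed, the column parser assumes the IPv4 `addr.port` form shown in the quoted output, and the banner check is done on the data field itself rather than through ra's `-e` regex.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines in the "ra ... -s +suser,+duser" layout of the thread
# (timestamp, flags, proto, src, dir, dst, pkts, bytes, state, s/d[len]=data).
# They are illustrative, not captured traffic.
SAMPLE_RA_OUTPUT = """\
22:08:18.820140 e s tcp 192.168.60.85.22 -> 192.150.4.28.40511 14 1904 FIN d[10]=SSH-2.0-Op
22:08:19.187967 e s tcp 192.168.60.61.22 <?> 192.158.1.13.35880 22 4168 FIN d[10]=....95Q...
22:08:20.100000 e s tcp 10.1.2.3.51022 -> 203.0.113.7.443 30 5120 CON s[10]=SSH-2.0-Op
22:08:21.200000 e g tcp 10.1.2.4.40000 -> 203.0.113.8.2222 12 2048 CON d[10]=SSH-2.0-SS
22:08:22.300000 e s tcp 10.1.2.5.40001 -> 203.0.113.9.443 9 1500 CON d[10]=GET / HTTP
"""

# Assumed column layout; adjust if your -s field list differs.
RA_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<flags>.*?)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\S+)\s+(?P<dir>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<side>[sd])\[\d+\]=(?P<data>.*)$"
)


@dataclass
class Flow:
    ts: str
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    side: str   # 's' = data sent by src, 'd' = data sent by dst
    data: str


def split_addr(field: str) -> tuple[str, int]:
    """Split ra's IPv4 'a.b.c.d.port' form; the port is the last dotted element."""
    host, port = field.rsplit(".", 1)
    return host, int(port)


def parse_flow(line: str) -> Flow | None:
    """Parse one ra output line; returns None for lines not in the expected layout."""
    m = RA_LINE.match(line)
    if not m:
        return None
    saddr, sport = split_addr(m["src"])
    daddr, dport = split_addr(m["dst"])
    return Flow(m["ts"], m["proto"], saddr, sport, daddr, dport, m["side"], m["data"])


def is_ssh_banner(data: str) -> bool:
    """The SSH version exchange starts with 'SSH-' from both client and server."""
    return data.startswith("SSH-")


def unusual_ssh(lines, expected_port: int = 22) -> list[Flow]:
    """Flows carrying an SSH banner in captured user data that use no `expected_port`.

    Both peers send the banner, so a match on either the source-side (s[...])
    or destination-side (d[...]) capture counts. Port 22 is checked on both
    ends so a server reply captured from the 22 side is not flagged.
    """
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None or not is_ssh_banner(f.data):
            continue
        if expected_port in (f.sport, f.dport):
            continue
        hits.append(f)
    return hits


if __name__ == "__main__":
    for f in unusual_ssh(SAMPLE_RA_OUTPUT.splitlines()):
        print(f"{f.ts} {f.saddr}:{f.sport} -> {f.daddr}:{f.dport} {f.side}={f.data!r}")
```

Run with ra's output piped in (`ra ... | python3 detect.py`) after replacing the constructed sample with `sys.stdin`; only the two constructed flows to 443 and 2222 are reported, while the port-22 banners and the HTTP request are ignored.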