Detecting unusual SSH traffic...

Dave Edelman dedelman at iname.com
Tue Jan 29 22:13:39 EST 2013


Craig,

 

The -n instructs the ra printing function not to translate a port number to
a name; it does not prevent the printing of the port number, nor does it
serve as a filter of any sort. If you are looking for SSH traffic being sent
to a port other than the standard port 22 then you might want to try
something like this (notice the spaces surrounding the '-' before the
filter expression). You don't need to specify the dsrs; they are there as
long as you configured Argus to capture user data. This is the stripped-down
version of the command you need.

 

ra -S 192.168.174.41:561 -e "^SSH" -s +suser:20 +duser:20   -   tcp and dst port ne 22

 

Since I never know when to leave well enough alone, I added the bits and
pieces that I like to use. The suser and duser fields have a pretty small
default length, and even 20 is a bit short. You might prefer to use -M
printer="hex" with much longer field lengths and see more of the actual
traffic. I reversed the sense of the filter to include traffic with a
destination port of 22 to demonstrate the effect. I've also used the -Zb
option to format how the State field is displayed and the -p option to
limit the precision of the time to 3 decimal places. Most of this is
actually set up in my ~/.rarc file.

 

--Dave

 

ra -S localhost:561 -Zb -p 3 -M printer="hex" -e "^SSH" -s +suser:200 +duser:200 - tcp and dst port eq 22

 

 

                  StartTime  Flgs  Proto  TcpOpt          SrcAddr.Sport   Dir         DstAddr.Dport  TotPkts  TotBytes      State
Wed 2013-01-30 03:01:31.602  *     tcp    Mws           10.1.1.31.24725    ->          10.1.1.45.22       53      7274  FSPA_FSPA

      0x0000     5353 482d 322e 302d 5065 6e67 7569 4e65   SSH-2.0-PenguiNe
      0x0010     742d 2452 6576 6973 696f 6e3a 5f31 2e38   t-$Revision:_1.8
      0x0020     305f 240d 0a00 0002 d404 1475 67a5 24fb   0_$........ug.$.
      0x0030     79c0 bb5f f720 aae8 8241 bc00 0000 1a64   y.._.....A.....d
      0x0040     6966 6669 652d 6865 6c6c 6d61 6e2d 6772   iffie-hellman-gr
      0x0050     6f75 7031 2d73 6861 3100 0000 0f73 7368   oup1-sha1....ssh
      0x0060     2d72 7361 2c73 7368 2d64 7373 0000 00e0   -rsa,ssh-dss....
      0x0070     3364 6573 2d63 6263 2c62 6c6f 7766 6973   3des-cbc,blowfis
      0x0080     682d 6362 632c 6165 7331 3238 2d63 6263   h-cbc,aes128-cbc
      0x0090     2c72 696a 6e64 6165 6c31 3238 2d63 6263   ,rijndael128-cbc
      0x00a0     2c61 6573 3139 322d 6362 632c 7269 6a6e   ,aes192-cbc,rijn
      0x00b0     6461 656c 3139 322d 6362 632c 6165 7332   dael192-cbc,aes2
      0x00c0     3536 2d63 6263 2c72                       56-cbc,r

      0x0000     5353 482d 322e 302d 4f70 656e 5353 485f   SSH-2.0-OpenSSH_
      0x0010     352e 350d 0a00 0003 0c0a 1476 57e7 5d93   5.5........vW.].
      0x0020     fe2b ab2d d96f a454 4ede 7e00 0000 7e64   .+.-.o.TN.~...~d
      0x0030     6966 6669 652d 6865 6c6c 6d61 6e2d 6772   iffie-hellman-gr
      0x0040     6f75 702d 6578 6368 616e 6765 2d73 6861   oup-exchange-sha
      0x0050     3235 362c 6469 6666 6965 2d68 656c 6c6d   256,diffie-hellm
      0x0060     616e 2d67 726f 7570 2d65 7863 6861 6e67   an-group-exchang
      0x0070     652d 7368 6131 2c64 6966 6669 652d 6865   e-sha1,diffie-he
      0x0080     6c6c 6d61 6e2d 6772 6f75 7031 342d 7368   llman-group14-sh
      0x0090     6131 2c64 6966 6669 652d 6865 6c6c 6d61   a1,diffie-hellma
      0x00a0     6e2d 6772 6f75 7031 2d73 6861 3100 0000   n-group1-sha1...
      0x00b0     0f73 7368 2d72 7361 2c73 7368 2d64 7373   .ssh-rsa,ssh-dss
      0x00c0     0000 009d 6165 7331                       ....aes1
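As an added illustration (not part of this thread and not code from the Argus project), the Python below does two things the exchange above describes. First, it applies a "^SSH" match over captured user data while filtering on destination port, the way the ra -e "^SSH" - tcp and dst port ne 22 command does, so that the printing option -n visibly plays no part in selection. Second, it decodes the server-side hex dump printed by -M printer="hex" above: the 200 captured bytes are turned into the SSH version banner and the first KEXINIT name-lists (packet layout per RFC 4253). The flow records are constructed for this example and are not Argus's record format; the hex dump is copied from the output above; parse_ra_hex, parse_ssh_prefix and flag_unusual_ssh are names chosen here, not ra functions. Because the capture length cuts the packet off, the decoder stops at the first name-list that runs past the end and marks it truncated, which is what a 200-byte duser field gives you on the cipher list.

```python
import re
import struct

# Constructed flow records standing in for what ra reads from the argus
# server. The keys (proto, src, sport, dst, dport, suser, duser) are chosen
# for this example; they are not Argus's record format.
SAMPLE_FLOWS = [
    {"proto": "tcp", "src": "10.1.1.31", "sport": 24725, "dst": "10.1.1.45", "dport": 22,
     "suser": b"SSH-2.0-PenguiNet-$Revision:_1.80_$\r\n", "duser": b"SSH-2.0-OpenSSH_5.5\r\n"},
    {"proto": "tcp", "src": "10.1.1.31", "sport": 40022, "dst": "10.1.1.77", "dport": 2222,
     "suser": b"SSH-2.0-OpenSSH_5.5\r\n", "duser": b"SSH-2.0-OpenSSH_5.5\r\n"},
    {"proto": "tcp", "src": "10.1.1.31", "sport": 40023, "dst": "10.1.1.77", "dport": 8080,
     "suser": b"GET / HTTP/1.1\r\n", "duser": b"HTTP/1.1 200 OK\r\n"},
]


def flag_unusual_ssh(records, pattern=r"^SSH", standard_port=22):
    """Mirror `ra -e "^SSH" - tcp and dst port ne 22`: the regex is applied to
    the captured user data in either direction, the port test to the flow
    header. Display options such as -n do not take part in selection."""
    rx = re.compile(pattern.encode())
    return [r for r in records
            if r["proto"] == "tcp" and r["dport"] != standard_port
            and (rx.search(r["suser"]) or rx.search(r["duser"]))]


# Server-side (duser) bytes, copied from the `-M printer="hex"` output in the
# reply above: offset, up to eight 16-bit hex groups, then an ASCII rendering.
RA_HEX_SERVER = """
      0x0000     5353 482d 322e 302d 4f70 656e 5353 485f   SSH-2.0-OpenSSH_
      0x0010     352e 350d 0a00 0003 0c0a 1476 57e7 5d93   5.5........vW.].
      0x0020     fe2b ab2d d96f a454 4ede 7e00 0000 7e64   .+.-.o.TN.~...~d
      0x0030     6966 6669 652d 6865 6c6c 6d61 6e2d 6772   iffie-hellman-gr
      0x0040     6f75 702d 6578 6368 616e 6765 2d73 6861   oup-exchange-sha
      0x0050     3235 362c 6469 6666 6965 2d68 656c 6c6d   256,diffie-hellm
      0x0060     616e 2d67 726f 7570 2d65 7863 6861 6e67   an-group-exchang
      0x0070     652d 7368 6131 2c64 6966 6669 652d 6865   e-sha1,diffie-he
      0x0080     6c6c 6d61 6e2d 6772 6f75 7031 342d 7368   llman-group14-sh
      0x0090     6131 2c64 6966 6669 652d 6865 6c6c 6d61   a1,diffie-hellma
      0x00a0     6e2d 6772 6f75 7031 2d73 6861 3100 0000   n-group1-sha1...
      0x00b0     0f73 7368 2d72 7361 2c73 7368 2d64 7373   .ssh-rsa,ssh-dss
      0x00c0     0000 009d 6165 7331                       ....aes1
"""

HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")


def parse_ra_hex(dump: str) -> bytes:
    """Rebuild the raw bytes from ra's hex printer. At most eight groups follow
    the offset, so the ASCII column is only a risk on a short final line, and
    even there the first non-hex token ends the line."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


# Name-list order in SSH_MSG_KEXINIT, RFC 4253 section 7.1.
KEXINIT_NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def parse_ssh_prefix(data: bytes) -> dict:
    """Decode the start of an SSH stream: the version banner, then the first
    binary packet (uint32 length, byte padding, byte type, and for KEXINIT a
    16-byte cookie followed by name-lists). Lists are read until the captured
    prefix runs out; the one cut short is marked truncated."""
    end = data.find(b"\r\n")
    if end < 0 or not data.startswith(b"SSH-"):
        raise ValueError("no SSH version banner in captured data")
    info = {"banner": data[:end].decode("ascii", "replace"), "name_lists": []}
    rest = data[end + 2:]
    if len(rest) < 22:
        return info  # capture ended inside the packet header
    info["packet_length"] = struct.unpack(">I", rest[:4])[0]
    info["padding_length"] = rest[4]
    info["msg_type"] = rest[5]          # 20 == SSH_MSG_KEXINIT
    info["cookie"] = rest[6:22].hex()
    if info["msg_type"] != 20:
        return info
    pos = 22
    for field in KEXINIT_NAME_LISTS:
        if pos + 4 > len(rest):
            break
        n = struct.unpack(">I", rest[pos:pos + 4])[0]
        chunk = rest[pos + 4:pos + 4 + n]
        truncated = len(chunk) < n
        info["name_lists"].append((field, chunk.decode("ascii", "replace"), truncated))
        pos += 4 + n
        if truncated:
            break
    return info


if __name__ == "__main__":
    for hit in flag_unusual_ssh(SAMPLE_FLOWS):
        print("SSH on non-standard port:", hit["src"], hit["sport"], "->", hit["dst"], hit["dport"])
    decoded = parse_ssh_prefix(parse_ra_hex(RA_HEX_SERVER))
    print(decoded["banner"], "packet_length", decoded["packet_length"])
    for field, names, truncated in decoded["name_lists"]:
        print(f"  {field}: {names}{' (truncated)' if truncated else ''}")
```

Run as a script it lists the port-2222 flow and prints the OpenSSH_5.5 banner with its kex and host-key lists; the same parse_ra_hex call on the client-side dump above yields the PenguiNet banner and its single group1-sha1 kex entry, which is the kind of detail you only get by raising the suser/duser length as the reply suggests.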

 

From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Craig Merchant
Sent: Tuesday, January 29, 2013 5:14 PM
To: Argus (argus-info at lists.andrew.cmu.edu)
Subject: [ARGUS] Detecting unusual SSH traffic...

 

I'd like to use Argus to monitor the network for outbound SSH connections to
unusual ports.  I'm guessing that the best way to do this would be to enable
the ARGUS_CAPTURE_DATA_LEN feature in argus.conf and then use the regular
expression feature of ra clients to look for "SSH".

 

I set the capture length to 192.  I ran the following:

 

ra -S 192.168.174.41:561 -n -M dsrs="+duser,+suser" -e "^SSH-" -s +suser,+duser

 

I would expect the user data fields with the "SSH-2.0-" in it to pass the
filter, but not the other lines.  I tried a regex that wouldn't match
anything and no flows showed up.  It's almost like ra is matching 22
against SSH even though port labels are disabled with -n.

 

   22:08:18.820140  e s         tcp       192.168.60.85.22        ->    192.150.4.28.40511        14       1904   FIN d[10]=SSH-2.0-Op
   22:08:18.996308  e g         tcp       192.135.13.32.22       <?>    192.150.4.28.33953        11       1152   FIN d[10]=SSH-2.0-Op
   22:08:19.025720  e s         tcp       192.168.60.60.22        ->    192.158.1.13.32791        22       6480   FIN d[10]=SSH-2.0-SS
   22:08:19.187967  e s         tcp       192.168.60.61.22       <?>    192.158.1.13.35880        22       4168   FIN d[10]=....95Q...
   22:08:19.319604  e s         tcp       192.135.13.43.22       <?>    192.150.4.28.33433        14       2674   CON d[10]=....."....
   22:08:19.352756  e d         tcp        192.150.4.28.40515    <?>    192.168.60.85.22          24       2892   FIN d[10]=..........
   22:08:19.494457  e g         tcp       192.168.60.63.22        ->    192.158.1.13.42038        18       4356   FIN d[10]=..........
   22:08:19.634429  e g         tcp     192.220.151.107.22       <?>    192.158.1.13.40983        12       2388   FIN d[10]=..........

 

Thx.

 

Craig
