Detecting unusual SSH traffic...
Carter Bullard
carter at qosient.com
Thu Jan 31 08:27:10 EST 2013
Hey Craig,
A few things up front. You're not using " -M dsrs=" correctly. You don't need it
to add ( "+" ) dsrs that are already there. Adding a dsr should cause the ra* to add
an empty dsr to the record during processing, which is used primarily for debugging
aggregators. In this case, the ' -M dsrs="+duser,+suser" ' isn't doing anything, and
it's a lot of characters to type.
In your ra() command, you misspelled "suser" (suder), so that field isn't being printed.
A good thing to do is to use the " Labels " to double check that the fields are correct.
I suspect the "^SSH-" is in the "suser" field, so check to see if that is true.
If / when you think there is a problem with processing argus data, it is best to
send a small file of argus records that demonstrate the problem. I can debug
a problem if I have data that tickles the bug, about 1,000,000 X faster than when
I don't have data.
Hope all is and remains most excellent,
Carter
On Jan 29, 2013, at 5:14 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> I’d like to use Argus to monitor the network for outbound SSH connections to unusual ports. I’m guessing that the best way to do this would be to enable the ARGUS_CAPTURE_DATA_LEN feature in argus.conf and then use the regular expression feature of ra clients to look for “SSH”.
>
> I set the capture length to 192. I ran the following:
>
> ra -S 192.168.174.41:561 -n -M dsrs="+duser,+suser" -e "^SSH-" -s +suder,+duser
>
> I would expect the user data fields with “SSH-2.0-” in them to pass the filter, but not the other lines. I tried a regex that wouldn’t match anything and no flows showed up. It’s almost like ra is matching 22 against SSH even though port labels are disabled with -n.
>
> 22:08:18.820140 e s tcp 192.168.60.85.22 -> 192.150.4.28.40511 14 1904 FIN d[10]=SSH-2.0-Op
> 22:08:18.996308 e g tcp 192.135.13.32.22 <?> 192.150.4.28.33953 11 1152 FIN d[10]=SSH-2.0-Op
> 22:08:19.025720 e s tcp 192.168.60.60.22 -> 192.158.1.13.32791 22 6480 FIN d[10]=SSH-2.0-SS
> 22:08:19.187967 e s tcp 192.168.60.61.22 <?> 192.158.1.13.35880 22 4168 FIN d[10]=....95Q...
> 22:08:19.319604 e s tcp 192.135.13.43.22 <?> 192.150.4.28.33433 14 2674 CON d[10]=....."....
> 22:08:19.352756 e d tcp 192.150.4.28.40515 <?> 192.168.60.85.22 24 2892 FIN d[10]=..........
> 22:08:19.494457 e g tcp 192.168.60.63.22 -> 192.158.1.13.42038 18 4356 FIN d[10]=..........
> 22:08:19.634429 e g tcp 192.220.151.107.22 <?> 192.158.1.13.40983 12 2388 FIN d[10]=..........
>
> Thx.
>
> Craig
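As an added example (it is not part of the thread and not argus/ra code), here is a small Python post-processor for the detection Craig is after: it parses ra-style output lines like the ones he pasted and flags flows whose captured user data begins with an SSH banner while neither side is on port 22. The match is applied to the payload bytes only, never to the port field, which is the distinction his regex question turns on. The column layout, the direction tokens, and the "ssh" port label (what ra prints when -n is omitted) are assumptions read off the quoted output; the sample records are constructed for this example and are not real capture data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines shaped like the ra output quoted in the thread
# (StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State user-data).
# Made up for this example; not real capture data.
SAMPLE_RA_LINES = """\
22:08:18.820140 e s tcp 192.168.60.85.22 -> 192.150.4.28.40511 14 1904 FIN d[10]=SSH-2.0-Op
22:08:19.025720 e s tcp 192.168.60.60.22 -> 192.158.1.13.32791 22 6480 FIN d[10]=SSH-2.0-SS
22:08:19.187967 e s tcp 192.168.60.61.22 <?> 192.158.1.13.35880 22 4168 FIN d[10]=....95Q...
22:08:20.100000 e s tcp 192.150.4.28.40600 -> 203.0.113.9.2222 12 1800 FIN s[10]=SSH-2.0-Op
22:08:21.200000 e s tcp 192.150.4.28.40700 -> 203.0.113.10.443 10 1500 CON d[10]=SSH-2.0-Op
22:08:22.300000 e s tcp 192.150.4.28.40800 -> 203.0.113.11.ssh 9 1400 FIN d[10]=SSH-2.0-Op
22:08:23.400000 e s tcp 192.150.4.28.40900 -> 203.0.113.12.443 9 1400 FIN d[10]=GET / HTTP
"""

SSH_PORT = 22
# Direction tokens assumed from ra output; only "->" and "<?>" appear in the samples.
DIR_TOKENS = {"->", "<-", "<->", "<?>", "?>", "<?"}
# Port labels ra prints when -n is not given; only the one needed here (assumption).
PORT_LABELS = {"ssh": SSH_PORT}
# suser/duser fields look like s[10]=... and d[10]=...; data may contain spaces.
USER_DATA_RE = re.compile(r"([sd])\[\d+\]=(.*?)(?=\s+[sd]\[\d+\]=|$)")
SSH_BANNER_RE = re.compile(r"^SSH-")


@dataclass
class Flow:
    start: str
    proto: str
    saddr: str
    sport: Optional[int]
    daddr: str
    dport: Optional[int]
    state: str
    suser: str
    duser: str


def parse_endpoint(token: str):
    """Split 'addr.port' into (addr, port); a port label maps via PORT_LABELS."""
    addr, _, port = token.rpartition(".")
    if port.isdigit():
        return addr, int(port)
    return addr, PORT_LABELS.get(port)


def parse_ra_line(line: str) -> Optional[Flow]:
    """Parse one ra output line; return None for lines not in the assumed layout."""
    tokens = line.split()
    dir_idx = next((k for k, t in enumerate(tokens) if t in DIR_TOKENS), None)
    if dir_idx is None or dir_idx < 2 or len(tokens) < dir_idx + 5:
        return None
    saddr, sport = parse_endpoint(tokens[dir_idx - 1])
    daddr, dport = parse_endpoint(tokens[dir_idx + 1])
    suser = duser = ""
    for side, data in USER_DATA_RE.findall(" ".join(tokens[dir_idx + 5:])):
        if side == "s":
            suser = data
        else:
            duser = data
    return Flow(tokens[0], tokens[dir_idx - 2], saddr, sport, daddr, dport,
                tokens[dir_idx + 4], suser, duser)


def ssh_on_unusual_port(flow: Flow) -> bool:
    """True when captured user data on either side starts with an SSH banner
    and neither endpoint uses port 22. Only payload bytes are regex-matched."""
    has_banner = any(SSH_BANNER_RE.match(u) for u in (flow.suser, flow.duser))
    return has_banner and SSH_PORT not in (flow.sport, flow.dport)


def find_unusual_ssh(text: str) -> List[Flow]:
    """Run the check over a block of ra output and return the flagged flows."""
    hits = []
    for line in text.splitlines():
        flow = parse_ra_line(line)
        if flow is not None and ssh_on_unusual_port(flow):
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for f in find_unusual_ssh(SAMPLE_RA_LINES):
        print(f"{f.start} {f.proto} {f.saddr}.{f.sport} -> {f.daddr}.{f.dport} "
              f"suser={f.suser!r} duser={f.duser!r}")
```

On the constructed sample the three port-22 flows and the HTTP flow are ignored, the "ssh"-labelled flow resolves to port 22 and is ignored, and the two banners seen on 2222 and 443 are reported. In practice you would feed it `ra -r file -n -s +suser,+duser` output rather than the sample string, and the payload check only works if argus was capturing user data (ARGUS_CAPTURE_DATA_LEN set), since the banner has to be in the record for anything to match.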