radump more tshark-like?

Matt Brown matthewbrown at gmail.com
Tue Jul 2 11:27:25 EDT 2013


Sorry if this is outside this thread...

It would be great to create a hex output printer that conforms to
something readable by wireshark's text2pcap.

000000 0a 0b 0c 0d
...

http://www.wireshark.org/docs/man-pages/text2pcap.html


Carter, what do you think?


Thanks,

Matt

On Jul 2, 2013, at 10:48 AM, "elof2 at sentor.se" <elof2 at sentor.se> wrote:

>
> Since ra and radump are pretty simillar, and since people usually use ra prior to other ra-tools when browsing through data, I'd say both of them should have the new printer.
>
> What I want to do with this new functionality is to try to find the identity of an IP by looking at the argus data.
>
> Lets say that I just now got an alert from last week, telling me that IP 10.2.3.4 show traces of a malicious bot infection.
> Lets say there are hundreds of different subnets, and no documentation of the network. The only thing I know is that 10.2.3.x is some office in India.
> I then need to try to figure out as much as possible about 10.2.3.4 in order to understand which machine is infected ...to be able to tell the technician over which machine to re-install.
>
>
> The following three extended-printers would be nice:
>
> strip-all-binary)
>  For all data:
>  When printing the user data, only echo printable characters. I.e.
>  supress printing all the placeholder dots for binary data.
> decode-netbios-names)
>  For UDP data on ports 137 and 138: (or on all data?)
>  find half-ASCII strings and convert them to cleartext
>  (http://support.microsoft.com/kb/194203)
> decode-barred-smb)
>  For all data (or possibly only TCP data on port 445):
>  find strings (paths, filenames, UNC paths, etc) that are barred with
>  dots and remove the dots, leaving only the clean string.
>  * \.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$   ->   \\EURSTHLMDC01\IPC$
>  * f.o.o...b.a.r  ->  foo.bar
>  * S.E.L.E.C.T. .[.U.s.e.r.I.d.]. .F.R.O.M. .[.U.s.e.r.P.r.o.f.i.l.e.].
>    -> SELECT [UserId] FROM [UserProfile]
>
>  The shortest string to look for imo should be six characters. Shorter
>  than that matches too much random garbage:
>  GREP_OPTIONS=--color=auto ra -nr argus.log -s suser:120 duser:120 - | grep "[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\.[a-zA-Z0-9_ $\\]\."
>
>
> That way I could do a ra/radump search for 10.2.3.4, and skim through the data to see if any details help identify the machine (or the user behind it).
>
> By stripping off all the binary junk and only keeping human readable strings I can see stuff like the User Agent, document names, mail addresses, irc chats, dropbox-connections, logins to various systems, etc. (I can even grep for stuff if I want to)
>
> /Elof
>
>
> On Tue, 2 Jul 2013, Carter Bullard wrote:
>
>> One other thing.  What do we want to do with this ?  Grep for a name?
>> We grep on the printer's output buffer, we don't currently grep on radump()s ouput buffer, so putting the Netbios decode only in radump() will get us only so far.
>>
>> Carter
>>
>> On Jul 2, 2013, at 8:36 AM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> Hey Elof2,
>>> I don't have any problems making the change, just need to know when to do it.
>>> Applying a strange decoding to non-Netbios traffic isn't going to do much positive.
>>>
>>> I think we should define a printer, call it "extended", which is where we implement
>>> any of these protocol specific decoding capabilities?
>>>
>>> OR
>>>
>>> we just do it in radump(), and leave ra() alone?
>>>
>>> Carter
>>>
>>> On Jul 2, 2013, at 8:24 AM, elof2 at sentor.se wrote:
>>>
>>>>
>>>> Hi Carter!
>>>>
>>>> I see in the manual for radump that it is tcpdump-like.
>>>> Would it be lots of work to make it more tshark-like instead?
>>>>
>>>> tcpdump is not parsing Microsoft networking very well (ports 135, 137-139, 445). Tshark on the other hand usually manages to show what I'm interested in, i.e. the machine name, domain, login name, etc.
>>>>
>>>>
>>>> It is mainly the Microsoft protocols I need decoded, but naturally other common protocols that can reveal the identity behind an IP address would be interesting.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> In my last email I was asking for a function to decode the NetBIOS half-ASCII.
>>>> It would also be nice if data like this:
>>>> ......H.&.\.\.E.U.R.S.T.H.L.M.D.C.0.1.\.I.P.C.$.....
>>>> was decoded into strings:
>>>> ......H.&.\\EURSTHLMDC01\IPC$.....
>>>>
>>>> /Elof
>>



More information about the argus mailing list