Spurious web server traffic

Russ Harvey russ-harvey at ucr.edu
Thu May 30 18:04:35 EDT 2013


Hi,
I am having trouble going from older argus clients to newer versions as I update
my scripts that do various searches of our network border traffic. One script
looked for outbound connections initiated by a campus web server -- only
connections to a particular off-campus machine are expected, anything else
indicates something suspicious. My circa 2.0.6 script relied on flow information
to see the outbound connections that were legitimate vs. all the usual noise
and knob rattling seen in today's internet traffic. It relied on argus's state
and direction flags, plus source and destination packets, to know that there was
a two-way exchange of packets, that the TCP protocol was followed, etc. It made the
perhaps unfortunate assumption that all normal web traffic will be initiated by
other hosts, so, as an example, captured flow files would be filtered with

               ra -nr <argus-archive-file> - src host <mywebserver>

It seemed to work acceptably well: the web server's outbound traffic would be
displayed, and using state, direction, etc., the valid TCP protocol flows
could be examined.

I don't seem to be able to do the same thing with 3.0.6 clients. The output I
get using the above ra command, for example, doesn't seem to show flows, or
shows flows on separate lines. I thus don't seem to be able to discriminate
legitimate flows from the suspicious ones. Even the expected traffic doesn't seem
to appear as a single flow line in the ra/racluster output.

So apart from all that, how do I find legitimate traffic initiated by my webserver
that is not going to the expected off-campus machine?

Apologies for the long-winded question, especially if the answer is that I am
doing something stupid, which is entirely possible.

Thanks,
--russ
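
One way to do the triage the post describes over ra's text output, as an added
example that is not part of the original message and not argus code. It assumes
the archive is dumped with a fixed column order, e.g.

    ra -nr <argus-archive-file> -s saddr daddr sport dport proto dir state spkts dpkts - tcp and src host <mywebserver>

and that the `-s` field list and the TCP state strings (REQ, CON, FIN, CLO) match
your client version; the addresses, the expected off-campus peer, and the sample
ra output are constructed for the example. Fragments of one connection that ra
prints on separate lines are merged by 5-tuple (what racluster would do), then a
flow counts as a genuine two-way TCP exchange only if both sides sent packets and
the state shows the handshake completed; anything two-way that is not headed for
the expected peer is reported as suspicious, and one-sided SYNs are set aside as
noise.

```python
"""Added example (not argus code): triage ra output for a web server's outbound flows.

Assumed ra invocation, with -s fixing the column order the parser expects:
    ra -nr <argus-archive-file> -s saddr daddr sport dport proto dir state spkts dpkts \
       - tcp and src host <mywebserver>
"""

# Assumptions for the example: the campus web server and the one allowed off-campus peer.
WEBSERVER = "192.0.2.10"
EXPECTED_PEER = "198.51.100.5"

# TCP state strings taken to mean the three-way handshake completed.
# Assumption: adjust to the state column of your argus client version.
ESTABLISHED_STATES = {"CON", "FIN", "CLO"}

# Constructed sample of ra text output (not a real capture), in the -s order above.
# The 6667/tcp connection is deliberately split across two records, as the post
# describes seeing with 3.0.6 clients.
SAMPLE_RA_OUTPUT = """\
         SrcAddr          DstAddr Sport Dport Proto Dir State SrcPkts DstPkts
      192.0.2.10     198.51.100.5 44123   443   tcp  ->   FIN      12      10
      192.0.2.10      203.0.113.7 39980  6667   tcp  ->   CON      40      38
      192.0.2.10      203.0.113.9 51000    25   tcp  ->   REQ       3       0
      192.0.2.10      203.0.113.9 51002    25   tcp  ->   REQ       1       0
      192.0.2.10      203.0.113.7 39980  6667   tcp  ->   FIN       5       4
"""

FIELDS = ("saddr", "daddr", "sport", "dport", "proto", "dir", "state", "spkts", "dpkts")


def parse_ra(text):
    """Turn ra's whitespace-separated output (header line first) into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank or malformed line
        rec = dict(zip(FIELDS, parts))
        for key in ("sport", "dport", "spkts", "dpkts"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def merge_flows(records):
    """Collapse records sharing a 5-tuple into one flow: sum packet counts,
    keep the last state seen (roughly what racluster does for you)."""
    flows = {}
    for rec in records:
        key = (rec["saddr"], rec["daddr"], rec["sport"], rec["dport"], rec["proto"])
        if key not in flows:
            flows[key] = dict(rec)
        else:
            flow = flows[key]
            flow["spkts"] += rec["spkts"]
            flow["dpkts"] += rec["dpkts"]
            flow["state"] = rec["state"]
    return list(flows.values())


def is_two_way(flow):
    """True only for TCP flows where both ends sent packets and the handshake completed."""
    return (flow["proto"] == "tcp"
            and flow["spkts"] > 0 and flow["dpkts"] > 0
            and flow["state"] in ESTABLISHED_STATES)


def triage(text, server=WEBSERVER, expected_peer=EXPECTED_PEER):
    """Bucket the server's outbound flows as legitimate, suspicious, or one-sided noise.
    Each entry is (daddr, dport, spkts, dpkts)."""
    out = {"legitimate": [], "suspicious": [], "noise": []}
    for flow in merge_flows(parse_ra(text)):
        if flow["saddr"] != server:
            continue  # the ra filter should already exclude these; be defensive
        summary = (flow["daddr"], flow["dport"], flow["spkts"], flow["dpkts"])
        if not is_two_way(flow):
            out["noise"].append(summary)  # unanswered SYNs, scanner replies, etc.
        elif flow["daddr"] == expected_peer:
            out["legitimate"].append(summary)
        else:
            out["suspicious"].append(summary)
    return out


if __name__ == "__main__":
    for bucket, flows in triage(SAMPLE_RA_OUTPUT).items():
        print(bucket)
        for daddr, dport, spkts, dpkts in flows:
            print(f"  {daddr}:{dport}  spkts={spkts} dpkts={dpkts}")
```

On the constructed sample this reports the 443/tcp flow to the expected peer as
legitimate, the merged 6667/tcp connection (45 packets out, 42 back) as
suspicious, and the two unanswered 25/tcp attempts as noise. To run it against a
real archive, pipe the ra command from the lead-in into `triage()` instead of
`SAMPLE_RA_OUTPUT`; if your ra build prints different state strings, widen
`ESTABLISHED_STATES` accordingly.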



More information about the argus mailing list