Spurious web server traffic

Carter Bullard carter at qosient.com
Thu May 30 18:28:54 EDT 2013 

Hey Russ,
Hmmm, well it should work the exact same…..but things have changed
quite a bit.

Not sure what your are reporting, regarding the ra() command not showing
flows?  So if you can provide a few lines of output, that would be a great
help….

So, single argus, collecting from a port mirror, or are you running argus
in the webserver itself ?  What are you doing to get your files into your
archive?  Are you running rasplit() or are you moving an argus output file?
Are you running racluster() on the files, or are these " primitive " argus
data files.

I'm not sure that I know what you expect as an outcome….so lets go through
a few steps.   With the "src host" filter, for TCP traffic, you are asking to see
flows where the host is the source of the tcp connections, i.e. it originates
the flows.   If you aren't seeing flows that you expect from this filter, if you take
out the " src ", do you see the flows you're interested in, but the direction
is incorrect ?  Is there a " <?> " in the direction field ?  

If you've got your flow data looking good, then simple filters generally find
the specific flows that are interested in.  To find flows initiated by your
webserver, that are leaving your /24 address space, which we will call
x.y.z.0/24, that are not going to machine X:

   ra -r argus.file - tcp and src host webserver and not dst net x.y.z.0/24 and not host X

If you don't get anything, and you suspect that you should, then decompose
the filter, and see which part is not doing what you expect.

   ra -r argus.file -w /tmp/test.out - tcp and host webserver

Look at this and see if you have enough traffic, without the " ? " in the direction
field to capture what you suspect, then run the next part of the filter against
the /tmp/test.out file.

   ra -r /tmp/test.out - src host webserver and not dst net x.y.z.0/24 

This should give you tcp connections originated by webserver, going
out of your network, and then add the specific " not host X " filter to
pick out the " others "……….

Hopefully this will get us in the right direction?

Carter



On May 30, 2013, at 6:04 PM, Russ Harvey <russ-harvey at ucr.edu> wrote:

> Hi,
> I am having trouble going from older argus clients to newer versions as I update
> my scripts that do various searches of our network border traffic. One script
> looked for outbound connections initiated by a campus web server -- only
> connections to a particular off-campus machine are expected, anything else
> indicates something suspicious. My circa 2.0.6 script relied on flow information
> to see the outbound connections that were legitimate vs. all the usual noise
> and knob rattling seen in today's internet traffic. It relied on argus's state
> and direction flags, plus source and destination packets, to know that there was
> a two way exchange of packets, tcp protocol was followed, etc. It made the
> perhaps unfortunate assumption that all normal web traffic will be initiated by
> other hosts, so, as an example, captured flow files would be filtered with
> 
>               ra -nr <argus-archive-file> - src host <mywebserver>
> 
> It seemed to work acceptably well, the web server outbound traffic would be
> displayed, and using state, direction, etc. the valid tcp protocol flows
> could be examined.
> 
> I don't seem to be able to do the same thing with 3.0.6 clients. The output I
> get using the above ra command, for example, doesn't seem to show flows, or
> shows flows on separate lines. I thus don't seem to be able to discriminate
> legitimate flows from the suspicious ones. Even the expected traffic doesn't seem
> to appear as a single flow line in the ra/racluster output.
> 
> So apart from all that, how do I find legitimate traffic initiated by my webserver
> that is not going to the expected off-campus machine?
> 
> Apologies for the long winded question, especially if the answer is that I am
> doing something stupid, which is entirely possible.
> 
> Thanks,
> --russ
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130530/69e77d5c/attachment.bin>

More information about the argus mailing list