Problem with the directionality of flows

Carter Bullard carter at qosient.com
Tue Dec 16 08:16:38 EST 2014


Looks like the client direction correction is kicking in. Ra knows the flow direction because of the TCP state, and makes its output conform to that flow direction. Correction is on by default.

You can turn that off with a '-M nocorrect' or in a rarc file.

Also, ra.1 can generate the unidirectional flows for you from bi-directional data, using '-M uni', which should turn direction correction off automatically.

Carter

> On Dec 15, 2014, at 1:27 PM, el draco <eldraco at gmail.com> wrote:
> 
> Hi list. I have an issue and I hope you can help me.
> 
> I have a pcap file with botnet stuff. In the test.pcap file I'm attaching you can find a connection made to one IP. I created this pcap by only filtering this IP.
> 
> Using a bidirectional argus configuration and an ARGUS_FLOW_STATUS_INTERVAL=3600 I get:
> 
> argus -F /etc/argus.conf -r test.pcap -w -|ra -n -Z b -r - -F /etc/ra.conf |less
> 
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 2012/05/25 12:30:01.862376,3588.929932,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,SPA_SPA,0,0,1534,821432,51762,
> 2012/05/25 13:30:35.414493,3557.665283,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,PA_PA,0,0,371,23272,13180,
> 2012/05/25 14:30:37.785205,1396.160522,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,PA_PA,0,0,166,10554,6048,
> 
> So far it is ok for me.
> 
> 
> But now when I try to obtain the UNIDIRECTIONAL flows I get (also using ARGUS_FLOW_STATUS_INTERVAL=3600):
> 
> argus -F /etc/argus.conf.uni -r test.pcap -w -|ra -n -Z b -r - -F /etc/ra.conf |less
> 
> 
> StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
> 2012/05/25 12:30:01.862376,3588.532959,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,SPA_,0,,842,51762,51762,
> 2012/05/25 12:30:02.088594,3588.703857,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,_SPA,,0,692,769670,0,
> 2012/05/25 13:30:35.414493,3557.665283,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,_PA,,0,165,10092,0,
> 2012/05/25 13:30:35.416147,3557.273682,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,PA_,0,,206,13180,13180,
> 2012/05/25 14:30:37.785205,1396.160522,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,_PA,,0,72,4506,0,
> 2012/05/25 14:30:37.790142,1395.752808,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,PA_,0,,94,6048,6048,
> 
> 
> The problem in the last output is that the src IP addresses are all the same. I know for sure that both hosts are sending data, but argus is showing that all the flows originated in the same IP. What am I doing wrong?
> 
> If you look at the TCP Flags, you can see that the flows originating in 192.168.0.9 have the correct flags like "SPA_" and the flows that should be originating from 68.39.104.225 have the flags "_SPA". So the flags are ok in the directionality, but not the IP addresses.
> 
> Do you know what is happening?
> 
> 
> As a side note I saw that the UDP flows do not have this issue.
> 
> 
> thanks
> sebas
> 
> 
> -- 
> https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
> <test.pcap>
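
Added example, not part of the original thread and not Argus project code: when unidirectional records have already been exported with direction correction on, the transmitting host can still be recovered from the State column, as the question observes for "SPA_" versus "_SPA". The function names are hypothetical, and the reading of State as source flags, underscore, destination flags is an assumption taken from the quoted output.

```python
import csv
import io

# Sample input: header and first two rows copied from the unidirectional
# output quoted in the message above.
SAMPLE = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2012/05/25 12:30:01.862376,3588.532959,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,SPA_,0,,842,51762,51762,
2012/05/25 12:30:02.088594,3588.703857,tcp,192.168.0.9,49182,   ->,68.39.104.225,3080,_SPA,,0,692,769670,0,
"""


def sender_of(row):
    """Return (sender, receiver) endpoints for one unidirectional TCP record.

    Assumption: State is '<src flags>_<dst flags>', so an empty left half
    means only the DstAddr side transmitted in this record.
    """
    src = (row["SrcAddr"], row["Sport"])
    dst = (row["DstAddr"], row["Dport"])
    state = row["State"]
    if row["Proto"] != "tcp" or "_" not in state:
        return src, dst              # no per-side flags to go on; keep as reported
    src_flags, dst_flags = state.split("_", 1)
    if src_flags and dst_flags:
        # Both halves populated: this is a bidirectional record, not a uni one.
        raise ValueError(f"bidirectional record, State={state!r}")
    if dst_flags:
        return dst, src              # e.g. "_SPA": packets came from DstAddr
    return src, dst


def bytes_by_sender(csv_text):
    """Sum TotBytes per transmitting IP address over ra CSV output."""
    totals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        (ip, _port), _receiver = sender_of(row)
        totals[ip] = totals.get(ip, 0) + int(row["TotBytes"])
    return totals


if __name__ == "__main__":
    for host, nbytes in bytes_by_sender(SAMPLE).items():
        print(host, nbytes)
```
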