Basic question regarding how flows are built.

el draco eldraco at gmail.com
Wed Jan 8 09:38:07 EST 2014


Hi list, first of all Happy new year to you all!

I have been analyzing some botnet traffic lately and I came across a
simple question that I was not able to answer myself. Maybe you can
help me.

I had a simple tcp connection that is encrypted (attached test.pcap).
If you look at it with wireshark and you search for Connections, you
will see only one connection.

Even if you use tools like tcpflow, it will find 2 flows. One for each
direction.

However, using latest argus 3.0.7.5 and latest argus-clients 3.0.7.18,
it will find 15 bidirectional flows:

StartTime,Dur,Label,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
1970/02/16 02:58:09.809464,3.966546,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,SPA_SPA,0,0,38,24813
1970/02/16 02:58:15.153867,4.980870,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,19,19458
1970/02/16 02:58:20.469524,4.854012,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,54,45924
1970/02/16 02:58:25.518589,3.926445,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,43,33042
1970/02/16 02:58:30.823824,4.604630,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,53,44886
1970/02/16 02:58:36.259177,4.311461,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,68,49712
1970/02/16 02:58:41.263806,4.964994,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,57,44038
1970/02/16 02:58:46.597238,4.228112,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,77,59454
1970/02/16 02:58:51.967958,3.855925,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,43,38526
1970/02/16 02:58:57.525492,4.545178,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,52,45816
1970/02/16 02:59:02.704674,4.825829,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,87,68846
1970/02/16 02:59:07.732428,4.602490,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,87,68914
1970/02/16 02:59:12.884814,4.989438,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,83,67242
1970/02/16 02:59:17.902786,4.494702,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,81,62886
1970/02/16 02:59:23.103462,0.371401,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,FPA_FA,0,0,6,328

Do you know what is happening? Why is argus seeing so many flows here?

I'm attaching also both configurations so you can try it. I also tried
with the default configurations and it is the same.

What is special in this botnet traffic that is causing this?

This was giving me some trouble since I was counting the amount of
flows on each connection when I realized this.

Thanks in advance!
sebas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.pcap
Type: application/vnd.tcpdump.pcap
Size: 687477 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140108/2ed50b1e/attachment.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.biargus
Type: application/octet-stream
Size: 6280 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140108/2ed50b1e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus.conf
Type: application/octet-stream
Size: 605 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140108/2ed50b1e/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ra.conf
Type: application/octet-stream
Size: 219 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140108/2ed50b1e/attachment-0002.obj>
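The 15 records in the post share one 5-tuple (tcp 10.0.2.106:59540 -> 151.233.138.31:9338), each lasts under five seconds, the first carries the SYN (S) flag and the last the FIN (F) flag, and every record starts within two seconds of the previous one ending. Whatever the cause on the argus side, a practitioner who counts flows per connection needs to merge such periodic status records back into one connection before counting. The script below is an added example and is not code from the post or from the argus project; it re-parses the ra output exactly as posted (joined back onto single lines) and aggregates it by 5-tuple, reporting the record count, total packets and bytes, overall duration, first and last TCP state, and the largest idle gap between consecutive records. The column names are those of the posted header; the grouping key and the merged-summary fields are this example's own choice.

```python
"""Merge argus per-interval flow status records into one TCP connection summary."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# The ra output from the post, with each line-wrapped record joined back onto one line.
RA_CSV = """\
StartTime,Dur,Label,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
1970/02/16 02:58:09.809464,3.966546,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,SPA_SPA,0,0,38,24813
1970/02/16 02:58:15.153867,4.980870,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,19,19458
1970/02/16 02:58:20.469524,4.854012,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,54,45924
1970/02/16 02:58:25.518589,3.926445,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,43,33042
1970/02/16 02:58:30.823824,4.604630,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,53,44886
1970/02/16 02:58:36.259177,4.311461,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,68,49712
1970/02/16 02:58:41.263806,4.964994,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,57,44038
1970/02/16 02:58:46.597238,4.228112,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,77,59454
1970/02/16 02:58:51.967958,3.855925,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,43,38526
1970/02/16 02:58:57.525492,4.545178,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,52,45816
1970/02/16 02:59:02.704674,4.825829,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,87,68846
1970/02/16 02:59:07.732428,4.602490,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,87,68914
1970/02/16 02:59:12.884814,4.989438,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,83,67242
1970/02/16 02:59:17.902786,4.494702,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,A_PA,0,0,81,62886
1970/02/16 02:59:23.103462,0.371401,,tcp,10.0.2.106,59540,->,151.233.138.31,9338,FPA_FA,0,0,6,328
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S.%f"  # ra's default StartTime layout as it appears in the post


def parse_records(text):
    """Parse ra CSV text into dicts with typed start/end times, packet and byte counts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"] = datetime.strptime(r["StartTime"], TIME_FMT)
        r["end"] = r["start"] + timedelta(seconds=float(r["Dur"]))
        r["pkts"] = int(r["TotPkts"])
        r["bytes"] = int(r["TotBytes"])
    return rows


def flow_key(r):
    """Grouping key: the unidirectional 5-tuple as ra prints it (this example's choice)."""
    return (r["Proto"], r["SrcAddr"], r["Sport"], r["DstAddr"], r["Dport"])


def merge_connections(rows):
    """Collapse all status records sharing a 5-tuple into one connection summary."""
    groups = defaultdict(list)
    for r in rows:
        groups[flow_key(r)].append(r)
    merged = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["start"])
        # Idle time between one record ending and the next one starting.
        gaps = [(b["start"] - a["end"]).total_seconds() for a, b in zip(recs, recs[1:])]
        start = recs[0]["start"]
        end = max(r["end"] for r in recs)
        merged[key] = {
            "records": len(recs),
            "start": start,
            "end": end,
            "duration": (end - start).total_seconds(),
            "pkts": sum(r["pkts"] for r in recs),
            "bytes": sum(r["bytes"] for r in recs),
            "first_state": recs[0]["State"],  # SPA_SPA: SYN seen, connection setup
            "last_state": recs[-1]["State"],  # FPA_FA: FIN seen, connection teardown
            "max_gap": max(gaps) if gaps else 0.0,
        }
    return merged


def summarize(text=RA_CSV):
    return merge_connections(parse_records(text))


if __name__ == "__main__":
    for key, c in summarize().items():
        print("%s %s:%s -> %s:%s" % key)
        print("  records=%d pkts=%d bytes=%d duration=%.3fs" % (c["records"], c["pkts"], c["bytes"], c["duration"]))
        print("  states %s .. %s, largest gap between records %.3fs" % (c["first_state"], c["last_state"], c["max_gap"]))
```

Run as-is it reports a single connection of 15 records, 848 packets and 673885 bytes over about 73.7 seconds, with no gap between consecutive records larger than about 1.7 seconds. Grouping on the 5-tuple only is deliberate here because every posted record has the same direction; on a larger capture you would also normalise direction (sort the two endpoints) so that records printed as `<-` and `->` for the same TCP session land in the same bucket, and you would split a bucket whenever a new SYN appears after a FIN, since a reused source port otherwise merges two distinct connections.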