Basic question regarding how flows are build.
John Gerth
gerth at graphics.stanford.edu
Wed Jan 8 11:12:18 EST 2014
In order to provide timely information as well as better granularity,
argus periodically generates a flow status report. The default
frequency of the report is 5 seconds and is configurable in
/etc/argus.conf with ARGUS_FLOW_STATUS_INTERVAL.
This is what your seeing in the example below.
Now 5 or 10 seconds is a good value as the vast majority of connections
are quite short and can be completely captured. However, in security
applications, long-lived connections are of great interest. In order
to identify those, take a look at "racluster". You can use that to
aggregate flow reports over very large intervals
/John
On 1/8/14 6:38 AM, el draco wrote:
> Hi list, first of all Happy new year to you all!
>
> I have been analyzing some botnet traffic lately and I come across a
> simple question that I was not able to answer myself. Maybe you can
> help me.
>
> I had a simple tcp connection that is encrypted (attached test.pcap).
> If you look at it with wireshark and you search for Connections, you
> will see only one connection.
>
> Even if you use tools like tcpflow, it will find 2 flows. One for each
> direction.
>
> However, using latest argus 3.0.7.5 and latest argus-clients 3.0.7.18,
> it will find 15 bidirectional flows:
>
> StartTime,Dur,Label,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes
> 1970/02/16 02:58:09.809464,3.966546,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,SPA_SPA,0,0,38,24813
> 1970/02/16 02:58:15.153867,4.980870,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,19,19458
> 1970/02/16 02:58:20.469524,4.854012,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,54,45924
> 1970/02/16 02:58:25.518589,3.926445,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,43,33042
> 1970/02/16 02:58:30.823824,4.604630,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,53,44886
> 1970/02/16 02:58:36.259177,4.311461,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,68,49712
> 1970/02/16 02:58:41.263806,4.964994,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,57,44038
> 1970/02/16 02:58:46.597238,4.228112,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,77,59454
> 1970/02/16 02:58:51.967958,3.855925,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,43,38526
> 1970/02/16 02:58:57.525492,4.545178,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,52,45816
> 1970/02/16 02:59:02.704674,4.825829,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,87,68846
> 1970/02/16 02:59:07.732428,4.602490,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,87,68914
> 1970/02/16 02:59:12.884814,4.989438,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,83,67242
> 1970/02/16 02:59:17.902786,4.494702,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,A_PA,0,0,81,62886
> 1970/02/16 02:59:23.103462,0.371401,,tcp,10.0.2.106,59540,
> ->,151.233.138.31,9338,FPA_FA,0,0,6,328
>
> Do you know what is happening? Why argus is seeing so many flows here?
>
> I'm attaching also both configurations so you can try it. I also tried
> with default configurations and is the same.
>
> What is special in this botnet traffic that is causing this?
>
> This was giving me some trouble since I was counting the amount of
> flows on each connection when I realized this.
>
> Thanks in advance!
> sebas
>
More information about the argus
mailing list