raservices signature file
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Sun Dec 6 12:49:54 EST 2015
Hey Michael,
The idea of rauserdata() and raservices() is that the user data fields in argus data can be analyzed to determine signatures of protocols. These signatures can be used in a classic pattern matching strategy to “discover” the protocols and services that are being employed in a network flow.
rauserdata() processes the user fields of a set of argus flow records and generates signatures for the payloads that were captured.
raservices() will perform pattern matching of an argus record’s user data field(s) against that signature file, and label the flows based on the match. This gives you some ‘proof of concept’ tools to try to figure out what protocols are running on an arbitrary flow. Because raservices() can be configured to guess, you can get a best guess labeling for user payloads.
We provide a rudimentary signature file, std.sig, that has some very basic signatures. FTP, telnet, smtp, pop3, imap, imaps, dns, http, etc…
If you run raservices() with the std.sig, the output will be a label added to the flow record that has the field “srv=” + the Service: identifier in the std.sig file, if it found a match.
So what kind of label are you getting ???
Carter
> On Dec 6, 2015, at 11:48 AM, Michael Brookes via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> Thanks very much.
> What is the general idea of raservices?
> Is there a field which holds the detected protocol that raservices can print?
> I see a label field but this doesn't print what I expect - the
> detected protocol.
> Maybe I've got completely the wrong end of the stick!
>
>
> On 6 December 2015 at 01:32, David Edelman <dedelman at iname.com> wrote:
>> It is in the client distribution in /support/Config/std.sig
>>
>> This is really a basic sample but the instructions are in the first few lines of the header:
>>
>> rauserdata -d16 -e encode32
>>
>> --Dave
>>
>> -----Original Message-----
>> From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Michael Brookes via Argus-info
>> Sent: Saturday, December 5, 2015 4:18 PM
>> To: argus-info at lists.andrew.cmu.edu
>> Subject: [ARGUS] raservices signature file
>>
>> Hello list
>>
>> Does anyone have an raservices.dat file, the one you pass to raservices to aid in protocol identification?
>> There is mention of it in a flocon presentation but I can't see any man page on the qosient site.
>>
>> Thanks!
>>
>
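A toy model of the rauserdata()/raservices() workflow Carter describes, added here as an illustration and not code from the argus client. It assumes a signature is the longest common byte prefix of a service's observed payloads, that the longest fully matching signature wins, and that "guess" mode falls back to the signature sharing the most leading bytes; none of that is the real std.sig layout or raservices matching logic, and the payloads are constructed.

```python
"""Toy rauserdata()/raservices() model. ASSUMPTIONS, not argus code:
signature = longest common prefix per service; matcher picks the
longest fully matching signature; guess mode picks the closest partial."""

# Constructed sample user-data payloads, grouped by the service that sent them.
TRAINING = {
    "smtp": [b"220 mail.example.com ESMTP Postfix\r\n", b"220 mx.example.org ESMTP\r\n"],
    "ftp":  [b"220 ProFTPD Server ready.\r\n", b"220 (vsFTPd 3.0.3)\r\n"],
    "http": [b"GET / HTTP/1.1\r\nHost: a\r\n", b"GET /index.html HTTP/1.1\r\n"],
    "imap": [b"* OK IMAP4rev1 Service Ready\r\n", b"* OK Dovecot ready.\r\n"],
}

def shared_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes a and b have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def build_signatures(training: dict) -> dict:
    """rauserdata-style step: one signature per service, the longest common
    prefix of its payloads. Overlaps (ftp and smtp both begin '220 ') are
    normal for banner-based signatures; the matcher resolves them below."""
    sigs = {}
    for service, payloads in training.items():
        sig = payloads[0]
        for p in payloads[1:]:
            sig = sig[:shared_prefix_len(sig, p)]
        sigs[service] = sig
    return sigs

def label(payload: bytes, sigs: dict, guess: bool = False, min_guess: int = 2):
    """raservices-style step: 'srv=<Service>' for the longest signature that
    fully prefixes the payload, else None. With guess=True, fall back to the
    service whose signature shares the most leading bytes (>= min_guess);
    ties are broken by service name, which is arbitrary, so treat a guessed
    label as a hint to verify, not a finding."""
    exact = [(len(s), svc) for svc, s in sigs.items() if s and payload.startswith(s)]
    if exact:
        return "srv=" + max(exact)[1]
    if guess:
        best_len, best_svc = max(
            (shared_prefix_len(payload, s), svc) for svc, s in sigs.items())
        if best_len >= min_guess:
            return "srv=" + best_svc
    return None

if __name__ == "__main__":
    SIGS = build_signatures(TRAINING)
    for p in (b"220 mail.foo ESMTP\r\n", b"220 Pure-FTPd\r\n", b"* BAD unknown\r\n"):
        print(p, label(p, SIGS), label(p, SIGS, guess=True))
```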