Fwd: raservices signature file

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Sun Dec 6 19:58:06 EST 2015


Hey Michael,
David is right on ... the * means that the print field length is truncating the output.
" -s label:32 "maybe all that is needed to see the srv label.

Carter

> On Dec 6, 2015, at 7:41 PM, David Edelman via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> The label field defaults to a real small field length. Try specifying something like -s +label:120
> 
> 
> Dave Edelman
> 
> 
> Begin forwarded message:
> 
>> From: Michael Brookes via Argus-info <argus-info at lists.andrew.cmu.edu>
>> Date: December 6, 2015 at 14:22:00 CST
>> To: Argus <argus-info at lists.andrew.cmu.edu>
>> Subject: Re: [ARGUS] raservices signature file
>> Reply-To: Michael Brookes <mgsb81 at gmail.com>
>> 
>> Hi
>> 
>> I get 'srv=*' attached to an Argus or reading from files, with argus
>> capturing 2048 bytes of user data.
>> 
>> Just checked the suser field of some of the ssh flows and the sig
>> matches that in std.sig.
>> 
>> I'm running it like this:
>> 
>> raservices -r 20151206-20 -M printer=encode32 -f
>> argus-clients-3.0.8/support/Config/std.sig -s +label +suser
>> 
>> Would incorporating the fairly extensive protocol identification
>> libraries in nDPI or libprotoident be worth thinking about?
>> 
>> Many thanks
>> 
>>> On 6 December 2015 at 17:49, Carter Bullard <carter at qosient.com> wrote:
>>> Hey Michael,
>>> The idea of rauserdata() and raservices() is that the user data fields in argus data can be analyzed to determine signatures of protocols.  These signatures can be used in a classic pattern matching strategy to “discover” the protocols and services that are being employed in a network flow.
>>> 
>>> rauserdata() processes the user fields of a set of argus flow records and generates signatures for the payloads that were captured.
>>> 
>>> raservices() will perform pattern matching of an argus record’s users data field(s) against that signature file, and label the flows based on the match.  This gives you some ‘proof of concept’ tools to try to figure out what protocols are running on an arbitrary flow.  Because raservices() can be configured to guess, you can get a best guess labeling for user payloads.
>>> 
>>> We provide a rudimentary signature file, std.sig, that has some very basic signatures.  FTP, telnet, smtp, pop3, imap, imaps, dns, http, etc…
>>> If you run raservices() with the std.sig, the output will be a label added to the flow record that has the field “srv=“ + the Service: identifier in the std.sig file, if it found a match.
>>> 
>>> So what kind of label are you getting ???
>>> 
>>> Carter
>>> 
>>>> On Dec 6, 2015, at 11:48 AM, Michael Brookes via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>>> 
>>>> Thanks very much.
>>>> What is the general idea of raservices?
>>>> Is there a field which holds the detected protocol that raservices can print?
>>>> I see a label field but this doesn't print what I expect - the
>>>> detected protocol.
>>>> Maybe I've got completely the wrong end of the stick!
>>>> 
>>>> 
>>>>> On 6 December 2015 at 01:32, David Edelman <dedelman at iname.com> wrote:
>>>>> It is in the client distribution in /support/Config/std.sig
>>>>> 
>>>>> This is really a basic sample but the instructions are in the first few lines of the header:
>>>>> 
>>>>> rauserdata -d16 -e encode32
>>>>> 
>>>>> --Da ve
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Michael Brookes via Argus-info
>>>>> Sent: Saturday, December 5, 2015 4:18 PM
>>>>> To: argus-info at lists.andrew.cmu.edu
>>>>> Subject: [ARGUS] raservices signature file
>>>>> 
>>>>> Hello list
>>>>> 
>>>>> Does anyone have an raservices.dat file, the one you pass to raservices to aid in protocol identification?
>>>>> There is mention of it in a flocon presentation but I can't see any man page on the qosient site.
>>>>> 
>>>>> Thanks!
>>> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20151206/229e1c67/attachment.html>


More information about the argus mailing list