raservices signature file

Michael Brookes via Argus-info argus-info at lists.andrew.cmu.edu
Mon Dec 7 12:03:58 EST 2015


That's great, thanks.

On Monday, 7 December 2015, Carter Bullard via Argus-info <
argus-info at lists.andrew.cmu.edu> wrote:

> Hey Michael,
> David is right on ... the * means that the print field length is
> truncating the output.
> "-s label:32" maybe all that is needed to see the srv label.
>
> Carter
>
> On Dec 6, 2015, at 7:41 PM, David Edelman via Argus-info <
> argus-info at lists.andrew.cmu.edu> wrote:
>
> The label field defaults to a real small field length. Try specifying
> something like -s +label:120
>
>
> Dave Edelman
>
>
> Begin forwarded message:
>
> *From:* Michael Brookes via Argus-info <argus-info at lists.andrew.cmu.edu>
> *Date:* December 6, 2015 at 14:22:00 CST
> *To:* Argus <argus-info at lists.andrew.cmu.edu>
> *Subject:* *Re: [ARGUS] raservices signature file*
> *Reply-To:* Michael Brookes <mgsb81 at gmail.com>
>
> Hi
>
> I get 'srv=*' attached to an Argus or reading from files, with argus
> capturing 2048 bytes of user data.
>
> Just checked the suser field of some of the ssh flows and the sig
> matches that in std.sig.
>
> I'm running it like this:
>
> raservices -r 20151206-20 -M printer=encode32 -f
> argus-clients-3.0.8/support/Config/std.sig -s +label +suser
>
> Would incorporating the fairly extensive protocol identification
> libraries in nDPI or libprotoident be worth thinking about?
>
> Many thanks
>
> On 6 December 2015 at 17:49, Carter Bullard <carter at qosient.com> wrote:
>
> Hey Michael,
>
> The idea of rauserdata() and raservices() is that the user data fields in
> argus data can be analyzed to determine signatures of protocols.  These
> signatures can be used in a classic pattern matching strategy to “discover”
> the protocols and services that are being employed in a network flow.
>
>
> rauserdata() processes the user fields of a set of argus flow records and
> generates signatures for the payloads that were captured.
>
>
> raservices() will perform pattern matching of an argus record’s users data
> field(s) against that signature file, and label the flows based on the
> match.  This gives you some ‘proof of concept’ tools to try to figure out
> what protocols are running on an arbitrary flow.  Because raservices() can
> be configured to guess, you can get a best guess labeling for user payloads.
>
>
> We provide a rudimentary signature file, std.sig, that has some very basic
> signatures.  FTP, telnet, smtp, pop3, imap, imaps, dns, http, etc…
>
> If you run raservices() with the std.sig, the output will be a label added
> to the flow record that has the field "srv=" + the Service: identifier in
> the std.sig file, if it found a match.
>
>
> So what kind of label are you getting ???
>
>
> Carter
>
>
> On Dec 6, 2015, at 11:48 AM, Michael Brookes via Argus-info <
> argus-info at lists.andrew.cmu.edu> wrote:
>
>
> Thanks very much.
>
> What is the general idea of raservices?
>
> Is there a field which holds the detected protocol that raservices can
> print?
>
> I see a label field but this doesn't print what I expect - the
> detected protocol.
>
> Maybe I've got completely the wrong end of the stick!
>
>
>
> On 6 December 2015 at 01:32, David Edelman <dedelman at iname.com> wrote:
>
> It is in the client distribution in /support/Config/std.sig
>
>
> This is really a basic sample but the instructions are in the first few
> lines of the header:
>
>
> rauserdata -d16 -e encode32
>
>
> --Dave
>
>
> -----Original Message-----
>
> From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
> On Behalf Of Michael Brookes via Argus-info
>
> Sent: Saturday, December 5, 2015 4:18 PM
>
> To: argus-info at lists.andrew.cmu.edu
>
> Subject: [ARGUS] raservices signature file
>
>
> Hello list
>
>
> Does anyone have a raservices.dat file, the one you pass to raservices to
> aid in protocol identification?
>
> There is mention of it in a flocon presentation but I can't see any man
> page on the qosient site.
>
>
> Thanks!
>
>
>
>
>
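As an added illustration of the mechanism Carter describes in the quoted thread (signatures matched against captured user data, a matching flow receiving an `srv=` label, and a print field too narrow to show that label), here is a constructed Python sketch. It is not argus code and does not reproduce the std.sig format; the signature table, the suser/duser sample bytes, the `print_field` truncation convention and every function name are assumptions made for this example.

```python
import re

# Constructed toy signature table, hypothetical and NOT the format of argus's
# std.sig: each entry pairs a service name with a regex applied to the start
# of the captured user data. Order matters: the first match wins.
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-[12]\.\d+-")),
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"^220 [^\r\n]*?E?SMTP")),
    ("ftp",  re.compile(rb"^220[ -][^\r\n]*FTP")),
    ("pop3", re.compile(rb"^\+OK ")),
    ("imap", re.compile(rb"^\* OK ")),
]

# The thread mentions argus capturing 2048 bytes of user data; only that much
# payload is available for matching, so the matcher never looks further.
USER_DATA_CAPTURE = 2048


def classify(payload: bytes, capture_len: int = USER_DATA_CAPTURE):
    """Return the service name of the first signature matching the captured
    user data, or None when nothing matches."""
    head = payload[:capture_len]
    for name, pattern in SIGNATURES:
        if pattern.match(head):
            return name
    return None


def label_flow(flow: dict) -> str:
    """Label a flow the way the thread describes raservices doing it:
    'srv=' plus the matched service, checking source then destination user
    data; an empty string means no signature matched."""
    for field in ("suser", "duser"):
        name = classify(flow.get(field, b""))
        if name is not None:
            return f"srv={name}"
    return ""


def print_field(value: str, width: int) -> str:
    """Constructed fixed-width column renderer (assumed convention, not
    argus's). A value that does not fit is cut to width-1 characters and
    terminated with '*' so the reader can see the field was truncated, which
    is the 'srv=*' symptom discussed in the thread."""
    if width < 1:
        raise ValueError("field width must be at least 1")
    if len(value) <= width:
        return value.ljust(width)
    return value[:width - 1] + "*"


# Constructed sample flows; the user-data bytes are hand-written stand-ins
# for the suser/duser fields an argus record would carry.
SAMPLE_FLOWS = [
    {"saddr": "10.0.0.5", "daddr": "10.0.0.20", "dport": 22,
     "suser": b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n",
     "duser": b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"},
    {"saddr": "10.0.0.9", "daddr": "10.0.0.21", "dport": 80,
     "suser": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
     "duser": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    {"saddr": "10.0.0.7", "daddr": "10.0.0.22", "dport": 25,
     "suser": b"EHLO client.example.test\r\n",
     "duser": b"220 mail.example.test ESMTP Postfix\r\n"},
    {"saddr": "10.0.0.3", "daddr": "10.0.0.23", "dport": 4444,
     "suser": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
     "duser": b""},
]


def label_all(flows=SAMPLE_FLOWS):
    """Return the label each flow would carry, in order."""
    return [label_flow(f) for f in flows]


def render(flows=SAMPLE_FLOWS, label_width: int = 5):
    """Render one line per flow with a fixed-width label column: a narrow
    width reproduces the 'srv=*' symptom, a wide one shows the full label."""
    return [f"{f['saddr']:>10} -> {f['daddr']:>10}:{f['dport']:<5} "
            f"{print_field(label_flow(f), label_width)}" for f in flows]


if __name__ == "__main__":
    print("\n".join(render(label_width=5)))    # label column too narrow
    print("\n".join(render(label_width=32)))   # full srv= labels visible
```

The unlabelled fourth flow (a payload none of the toy signatures recognise) shows why a guessing mode or a richer signature set matters: without a match there is nothing in the label to truncate in the first place, so an empty label and a truncated one have to be told apart by widening the field, exactly the `-s label:32` / `-s +label:120` adjustment suggested in the thread.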