Not finding the argus payload of a flow inside the pcap

el draco eldraco at gmail.com
Tue Jun 2 14:53:38 EDT 2015 

Hi list

We have a malware capture that we are analyzing with argus, but we
came across some issue that we can not explain: argus is showing some
payload that we can not find in the pcap file.

The file is : https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-120-1/2015-04-22_capture-win4.pcap

If we extract the argus flows with some amount of payload data and we
print the flows with ra:

argus -F argus_bi.long.conf -r 2015-04-22_capture-win4.pcap -w - |ra
-n -r - -F ra.conf.realtime |less

After 160 flows we can see some lines like these (notice that ra is
printing the suser and duser fields:

03:21:39.147159 tcp 147.32.83.57 5552   <?> 10.0.2.104 49227 CON 192
10624  s[120]=0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
d[120]=0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.

Argus is reporting almost 60 flows like this (each one is a flow that
timeouted according to our ARGUS_FLOW_STATUS_INTERVAL=3600
configuration)

The flows indicate that the payload content of some flows have the
data: "0.0.0.0.0.0.0.0.0.0.0.".

However, if we try to search for this data inside the pcap file by
hand, I'm not able to find it. Which is weird:

grep "0.0.0.0.0.0.0.0.0.0.0." 2015-04-22_capture-win4.pcap
Gives us nothing.

Finding inside the traffic with tcpdump gives us nothing:
tcpdump -n -s0 -r 2015-04-22_capture-win4.pcap -A|less

Strings give us nothing:
strings 2015-04-22_capture-win4.pcap |grep "0.0.0.0.0.0.0.0.0.0.0."

So my question is, what I'm doing wrong? where is the text being
reported by argus coming from?

Thanks!
Sebas



-- 
https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ra.conf.realtime
Type: application/octet-stream
Size: 1175 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150602/fd3df5a1/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus_bi.long.conf
Type: application/octet-stream
Size: 20556 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150602/fd3df5a1/attachment-0001.obj>

More information about the argus mailing list