Not finding the argus payload of a flow inside the pcap
Carter Bullard
carter at qosient.com
Tue Jun 2 18:47:28 EDT 2015
Hey Sebas,
This seems to be a bug!!! Having the pcap file is great, if it can replicate the problem. Let me grab the file and see if I can generate the same problem!!!!
Carter
Carter Bullard • CTO
150 E 57th Street Suite 12D
New York, New York 10022-2795
Phone +1.212.588.9133 • Mobile +1.917.497.9494
> On Jun 2, 2015, at 2:53 PM, el draco <eldraco at gmail.com> wrote:
>
> Hi list
>
> We have a malware capture that we are analyzing with argus, but we
> came across an issue that we cannot explain: argus is showing some
> payload that we cannot find in the pcap file.
>
> The file is : https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-120-1/2015-04-22_capture-win4.pcap
>
> If we extract the argus flows with some amount of payload data and we
> print the flows with ra:
>
> argus -F argus_bi.long.conf -r 2015-04-22_capture-win4.pcap -w - |ra
> -n -r - -F ra.conf.realtime |less
>
> After 160 flows we can see some lines like these (notice that ra is
> printing the suser and duser fields):
>
> 03:21:39.147159 tcp 147.32.83.57 5552 <?> 10.0.2.104 49227 CON 192
> 10624 s[120]=0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
> d[120]=0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
>
> Argus is reporting almost 60 flows like this (each one is a flow that
> timed out according to our ARGUS_FLOW_STATUS_INTERVAL=3600
> configuration).
>
> The flows indicate that the payload content of some flows has the
> data: "0.0.0.0.0.0.0.0.0.0.0.".
>
> However, if we try to search for this data inside the pcap file by
> hand, I'm not able to find it, which is weird:
>
> grep "0.0.0.0.0.0.0.0.0.0.0." 2015-04-22_capture-win4.pcap
> Gives us nothing.
>
> Searching inside the traffic with tcpdump gives us nothing:
> tcpdump -n -s0 -r 2015-04-22_capture-win4.pcap -A|less
>
> strings gives us nothing:
> strings 2015-04-22_capture-win4.pcap |grep "0.0.0.0.0.0.0.0.0.0.0."
>
> So my question is: what am I doing wrong? Where is the text being
> reported by argus coming from?
>
> Thanks!
> Sebas
>
>
>
> --
> https://pgp.mit.edu/pks/lookup?op=get&search=0x9D9A358CA10F1601
> <ra.conf.realtime>
> <argus_bi.long.conf>
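An added worked example, written for this archive page and not part of the thread or of the argus project: a stand-alone Python script that walks a pcap's TCP payloads and searches them for the string ra printed in suser/duser. It assumes that ra's ASCII rendering of user data, like tcpdump -A, replaces every non-printable byte with '.', so a '.' in the printed text is matched as either a literal '.' or any non-printable byte rather than as the literal character a shell grep looks for. The pcap it searches is constructed inline (three hand-built Ethernet/IPv4/TCP frames with zero checksums and the addresses from the post); to run it against the real capture, read the file's bytes and pass them to find_rendered_payload instead.

```python
import re
import struct
from typing import Iterator, List, Tuple

Packet = Tuple[str, int, str, int, bytes]  # src, sport, dst, dport, payload


def ra_user_data_to_regex(rendered: str) -> "re.Pattern[bytes]":
    """Turn the text ra printed in suser/duser into a byte-level regex.

    Assumption (see lead-in): ra's ASCII encoding shows non-printable bytes
    as '.', so each '.' must match a literal '.' OR any byte outside 0x20-0x7e.
    Every other character is matched literally.
    """
    parts = []
    for ch in rendered:
        if ch == ".":
            parts.append(rb"(?:\.|[^\x20-\x7e])")
        else:
            parts.append(re.escape(ch.encode("latin-1")))
    return re.compile(b"".join(parts), re.DOTALL)


def iter_tcp_payloads(pcap: bytes) -> Iterator[Packet]:
    """Yield (src, sport, dst, dport, payload) for every TCP segment with data.

    Handles classic pcap (both byte orders, micro- and nanosecond magic) with
    Ethernet link type; IP options and TCP options are skipped via the
    header-length fields.
    """
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("this example only handles Ethernet (linktype 1)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or len(ip) < ihl + 20:  # not TCP / truncated
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        payload = tcp[doff:]
        if not payload:
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, sport, dst, dport, payload


def find_rendered_payload(pcap: bytes, rendered: str) -> List[dict]:
    """Return every TCP segment whose payload matches the ra-rendered text."""
    rx = ra_user_data_to_regex(rendered)
    hits = []
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        m = rx.search(payload)
        if m:
            hits.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                         "offset": m.start(), "bytes": m.group(0)})
    return hits


def build_pcap(packets: List[Packet]) -> bytes:
    """Construct a minimal little-endian Ethernet/IPv4/TCP pcap (test data only;
    checksums are left at zero, which the parser above does not verify)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, (src, sport, dst, dport, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out.append(struct.pack("<IIII", 1429672899 + i, 147159, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed sample capture: one payload that ra would render as "0.0.0.0..."
# (the bytes "0\x00" repeated), one with literal dots, one unrelated request.
SAMPLE_PCAP = build_pcap([
    ("147.32.83.57", 5552, "10.0.2.104", 49227, b"0\x00" * 12),
    ("10.0.2.104", 49227, "147.32.83.57", 5552, b"ver=0.0.0.0.0.0.0.0.0.0.0.\r\n"),
    ("10.0.2.104", 49228, "93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
])

if __name__ == "__main__":
    for hit in find_rendered_payload(SAMPLE_PCAP, "0.0.0.0.0.0.0.0.0.0.0."):
        print(f"{hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']} "
              f"offset {hit['offset']}: {hit['bytes']!r}")
```

The printed `bytes` field shows what the matched payload actually contains, which is the byte sequence a hex-level search (for example `tcpdump -r file -X`, or `grep -a -P` with `\x00` escapes) would need instead of the rendered dots.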