Argus query
Carter Bullard
carter at qosient.com
Tue May 5 16:11:32 EDT 2015
Hey Muneer,
The current method of storing argus data is to use the argus-client program, rasplit.1.
This will read argus data from argus or radium, and store the records in
an OS native file system. We suggest the argus archive format, which is
a directory structure organized by sourceId/year/month/day/argus.data.files.every.5.minutes.
rasplit -M time 5m -S argusHost:port \
-w /path/to/the/archive/\$srcid/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S
This can be run as a daemon using the “-d” option, or using something like launchd ...
This will put argus data into files so that you can process them when you like.
There are other tools, like rastream.1, that may also be useful, but let's start with this.
Be sure to install a rarc file in your home directory as .rarc
cp /path/to/argus-clients-distribution/support/Config/rarc ~/.rarc
This will give you the opportunity to define what you want printed by default, etc…
In your new ~/.rarc, set the RA_FIELD_SPECIFIER variable to change the dur field to the width you like.
If you want to find long lived flows, where the flow was active at least every X seconds, you will use racluster.1 with a racluster.conf file to specify an idle timeout period for aggregation. If the flow isn't active in X seconds, racluster.1 will quit aggregating and flush the record.
To configure this, you will want to use a racluster.conf file, to specify the idle timeout period for aggregation. My assumption is that 2600 seconds is the period of time ??? So if a flow is not talking within 2600 seconds, it is not of interest ????
Create a /tmp/racluster.conf file with this line in it:
filter="" model="saddr daddr proto sport dport" status=0 idle=2600
racluster -f /tmp/racluster.conf -R /path/to/the/archive/srcid/year/month/day -w - - ip | \
ra -w /tmp/racluster.srcid.year.month.day - dur gt 2600
That should generate your result.
This causes racluster.1 to use the configuration file, read all the argus files in the archive for a specific day, filter for ipv4 and ipv6 flows, and pipe that into ra.1, which writes out records that have a duration greater than 2600.
Many will take the output and aggregate again, throwing away the source port, in order to get a feeling for the relationships, rather than the specific transactions:
racluster -m srcid saddr daddr proto dport -r /tmp/racluster.srcid.year.month.day
That will give you a good starting point for looking at long sessions, rather than just long connections.
Or you may be interested in CIDR based aggregation. If you’re interested in long lived relationships between you and remote sites:
racluster -m srcid saddr/24 daddr/24 -r /tmp/racluster.srcid.year.month.day -w - | \
rasort -m dur - dur gt 2600 and bytes gt 200 and con
In this call you will get some flows that have actual protocols and port numbers in the printed fields, because aggregation is object preserving, by default. If there is a proto and port number, it's because all the records that were merged together had the same proto and port numbers.
Just some ideas of what you can do. If you have any questions, don’t hesitate to send more email to the list.
Carter
> On May 4, 2015, at 5:33 PM, Noman Muneer <nomanmuneer at gmail.com> wrote:
>
> Hi,
>
> I am running Argus in Security Onion and I am having trouble with creating a query for the following task:
>
> I need to find persistent connections on our network that have been up for an extended amount of time (1 day) and have been transmitting data intermittently over an interval of time (the interval being specified by management).
>
> I had initially tried to make the script using Bro but ran into issues with some limitations of that platform. I then realized that Argus would be a much better solution as I can query the session data and pull the information. Unfortunately I have limited experience with Argus, which has resulted in a bit of frustration when crafting the query.
>
> What I have thus far:
>
> Because, for some reason, Argus is not writing live data to argus.out, I have decided to run the query on older log files... so every day the query will be run on the previous day's log.
>
> racluster -Mnorep -r /etc/nsm/sensor_data/argus/2015-05-01.log - "ip" -w - | ra -s +dur:15 - "dur gt 2600"
>
> Please note the above query is very heavily inspired by the input of a gent from the security onion mailing list.
>
> Any help or guidance you are able to provide in this matter will be greatly appreciated indeed.
>
> Kind Regards,
> Muneer
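The following is an added illustration, not argus code and not from this thread, that models what the racluster/ra pipeline above does: records sharing the model fields (saddr daddr proto sport dport) are merged as long as each new record arrives within idle seconds of the aggregate's last activity, an aggregate that goes silent longer than that is flushed, the merged records are filtered on dur gt 2600, and a second pass drops sport to show relationships instead of transactions. It also shows the object-preserving behaviour Carter describes: a field outside the model survives only when every merged record agreed on it. The Flow class, aggregate(), long_lived(), sample_records() and the sample records themselves are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Stand-in for one argus flow record, the kind ra/rasplit would print.
@dataclass
class Flow:
    start: float            # first-seen time, seconds since an arbitrary epoch
    last: float             # last-seen time
    saddr: str
    daddr: str
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    bytes: int
    trans: int = 1          # how many original records were merged into this one

    @property
    def dur(self) -> float:
        return self.last - self.start

# Fields subject to object-preserving aggregation.
OBJECT_FIELDS = ("saddr", "daddr", "proto", "sport", "dport")

def aggregate(records, model, idle):
    """Merge records that share the fields named in `model` (racluster's
    model=/-m).  A record joins an existing aggregate only if it starts
    within `idle` seconds of that aggregate's last activity; otherwise the
    aggregate is flushed and a fresh one begins (racluster's idle= timeout).
    Fields outside the model are kept when every merged record agrees on
    them and blanked (None) otherwise, mimicking object preservation."""
    active = {}            # model key -> aggregate still open
    flushed = []           # aggregates closed by the idle timeout
    for r in sorted(records, key=lambda f: f.start):
        key = tuple(getattr(r, f) for f in model)
        cur = active.get(key)
        if cur is not None and r.start - cur.last > idle:
            flushed.append(cur)     # silent too long: flush and start over
            cur = None
        if cur is None:
            active[key] = replace(r)   # copy, leave the input record alone
            continue
        merged = replace(cur,
                         start=min(cur.start, r.start),
                         last=max(cur.last, r.last),
                         bytes=cur.bytes + r.bytes,
                         trans=cur.trans + r.trans)
        for f in OBJECT_FIELDS:
            if f not in model and getattr(cur, f) != getattr(r, f):
                setattr(merged, f, None)   # records disagree: drop the value
        active[key] = merged
    return flushed + list(active.values())

def long_lived(records, model, idle, min_dur):
    """racluster -f racluster.conf ... | ra - dur gt <min_dur>"""
    return [f for f in aggregate(records, model, idle) if f.dur > min_dur]

# racluster.conf model="saddr daddr proto sport dport"
FLOW_MODEL = ("saddr", "daddr", "proto", "sport", "dport")

def sample_records():
    """Constructed sample: twelve 5-second check-ins, one every 600 s, from
    one socket pair; a second socket pair silent for ~4000 s in the middle;
    and a single DNS query."""
    recs = [Flow(i * 600, i * 600 + 5, "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, 300)
            for i in range(12)]
    recs += [Flow(0, 5, "10.0.0.5", "203.0.113.9", "tcp", 51001, 443, 100),
             Flow(4000, 4005, "10.0.0.5", "203.0.113.9", "tcp", 51001, 443, 100),
             Flow(100, 102, "10.0.0.7", "198.51.100.2", "udp", 5353, 53, 80)]
    return recs

if __name__ == "__main__":
    recs = sample_records()
    # Stage 1: idle=2600 aggregation, keep only flows with dur > 2600.
    persistent = long_lived(recs, FLOW_MODEL, idle=2600, min_dur=2600)
    for f in persistent:
        print(f"{f.saddr}:{f.sport} -> {f.daddr}:{f.dport} {f.proto} "
              f"dur={f.dur:.0f}s trans={f.trans} bytes={f.bytes}")
    # Stage 2: drop sport to see the relationship rather than the transaction.
    for f in aggregate(persistent, ("saddr", "daddr", "proto", "dport"), idle=86400):
        print(f"relationship {f.saddr} -> {f.daddr}:{f.dport} dur={f.dur:.0f}s trans={f.trans}")
```

Run stand-alone, stage 1 reports only the 10.0.0.5:51000 -> 203.0.113.9:443 flow (twelve records merged, about 6605 s of duration), because the 51001 socket pair is split into two short records by the 2600 s idle gap and the DNS query never exceeds the threshold. Aggregating on saddr/daddr alone over all four stage-1 records blanks sport (the merged records disagree) but keeps proto and dport, which is exactly why ports sometimes still appear in CIDR-aggregated output.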