racluster for DNS
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Sun Jun 5 12:38:41 EDT 2016
Hey Raphael,
OK, so I’ve gone through the code, and there is a problem …
You should be defining the model as "none"; my suggestion was completely incorrect, and I shouldn't make suggestions from my cell-phone !!! By not defining a model, you inherit the default model rather than getting an empty model, and the status=0 is completely wrong. Sorry for the poor advice.
However, there is a bug in the aggregation parser where a "none" model returns a NULL aggregator. While this works for the general case, this is incorrect for complex racluster configurations, and is why you will get a parse error.
I will fix this and send you a distribution for testing …
Sorry for the inconvenience !!!
Carter
> On Jun 4, 2016, at 1:58 PM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
>
> I just tested version argus-clients-3.0.8.2 (the latest one) and the problem seems the same.
>
> Using just 'ra':
> % ra -r cleaned_dump.argus - port 53
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 21:53:13.609647 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 240 CON
> 21:53:14.135221 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 224 CON
> 21:53:15.079598 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 368 CON
> 21:53:16.315496 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 209 CON
>
> And with racluster:
> % racluster -r cleaned_dump.argus -f /etc/racluster.conf - port 53
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 21:53:13.609647 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 8 1041 CON
>
> % cat /etc/racluster.conf
> filter="port 53" status=0 idle=0
> filter="" model="saddr daddr proto dport sport"
>
> If I try 'racluster' using "-m none", it works, but it can't merge http flows (like I said in the first email)
> % racluster -r cleaned_dump.argus -m none - port 53
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 21:53:13.609647 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 240 CON
> 21:53:14.135221 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 224 CON
> 21:53:15.079598 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 368 CON
> 21:53:16.315496 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 209 CON
>
>
> % racluster -r cleaned_dump.argus -m none - port 80
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 21:53:13.831738 e tcp 192.168.100.106.1041 -> A.http 7 714 CON
> 21:53:14.720590 e tcp 192.168.100.106.1042 -> B.http 14 3222 RST
> 21:53:15.095575 e tcp 192.168.100.106.1044 -> C.http 9 2383 RST
> 21:53:19.139461 e tcp 192.168.100.106.1041 -> A.http 2 114 FIN
>
> If you prefer, I can send you the pcap file without problem.
>
> Tks,
>
> 2016-06-03 17:46 GMT-03:00 Carter Bullard <carter at qosient.com>:
> Hmmm, well, to be complete, grab the latest code to make sure we’re working with the same version. I just uploaded argus-clients-3.0.8.2 to the site.
>
> http://qosient.com/argus/src/argus-clients-latest.tar.gz
>
> If that doesn’t work, then we’ll have to fix this as a bug.
>
> Carter
>
>> On Jun 3, 2016, at 4:40 PM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
>>
>> Yeah, there are just two filters in "racluster.conf":
>> filter="port 53" status=0 idle=0
>>
>> filter="" model="saddr daddr proto dport sport"
>>
>> About the pcap, it's ok too.
>>
>> 2016-06-03 15:55 GMT-03:00 Carter Bullard <carter at qosient.com>:
>> And your racluster.conf only has the 2 lines in it ... no other rules !!!
>> Carter
>>
>> On Jun 3, 2016, at 1:21 PM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I checked the file "cleaned_dump.argus" and it seems to be OK. The output from "ra -r cleaned_dump.argus - port 53" is the following:
>>>
>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>>> 21:53:13.609647 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 240 CON
>>> 21:53:14.135221 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 224 CON
>>> 21:53:15.079598 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 368 CON
>>> 21:53:16.315496 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 209 CON
>>>
>>> Tks,
>>>
>>>
>>> 2016-06-03 10:01 GMT-03:00 Carter Bullard <carter at qosient.com>:
>>> Hey Raphael,
>>> Check that your "cleaned_dump.argus" isn't already cleaned up too much, and make sure that your racluster.conf only has 2 lines in it. So many times, the tools do the correct thing, just not what you expect them to do.
>>>
>>> What does the "cleaned_dump.argus" file have in it for domain traffic ?
>>> ra -r cleaned_dump - port 53
>>>
>>> Carter
>>>
>>> On Jun 3, 2016, at 4:46 AM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:
>>>
>>>> Carter, tks for the answer.
>>>>
>>>> I tried this but it didn't work for me.
>>>>
>>>> % tail -n 2 /etc/racluster.conf
>>>> filter="port 53" status=0 idle=0
>>>>
>>>> filter="" model="saddr daddr proto dport sport"
>>>>
>>>> % racluster -f /etc/racluster.conf -r cleaned_dump.argus
>>>>
>>>> 192.168.100.106.1040 <-> 192.168.100.1.domain 8 1041
>>>>
>>>> If I set status and idle to 1, sometimes it works, but not always.
>>>>
>>>> Tks.
>>>>
>>>> 2016-06-02 18:04 GMT-03:00 Carter Bullard <carter at qosient.com>:
>>>> Hey Raphael,
>>>> Try this racluster.conf …
>>>>
>>>> filter="port 53" status=0 idle=0
>>>> filter="" model="saddr daddr proto dport sport"
>>>>
>>>> and run racluster as;
>>>>
>>>> racluster -f racluster.conf -r file
>>>>
>>>> The status=0 tells racluster.1 not to merge the records together.
>>>> How does that work for you ????
>>>>
>>>> Carter
>>>>
>>>> > On Jun 2, 2016, at 4:18 PM, Raphael Campos Silva via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>>> >
>>>> > Hello guys,
>>>> >
>>>> > I'm using racluster to aggregate some http flows, but I don't want to aggregate DNS flows. By default, racluster aggregates all DNS flows, like this:
>>>> > % racluster -r cleaned_dump.argus
>>>> >
>>>> > udp 192.168.100.106.1041 <-> 192.168.100.1.domain 8 1041 CON
>>>> >
>>>> > To aggregate http, I just used the following filter (with the -f option) and everything is O.K.:
>>>> >
>>>> > filter="tcp" model="saddr daddr proto dport sport"
>>>> >
>>>> > I've tried something like this for DNS, but it is not working (returns ArgusParseAggregator: ArgusNewAggregator returned NULL):
>>>> > filter="udp and dst port 53" model="none"
>>>> >
>>>> > If I don't use the option -f with racluster and pass "-m none" to the program, all DNS flows are correct, but the http flows aren't aggregated.
>>>> >
>>>> > 192.168.100.106.1041 <-> 192.168.100.1.domain 2 240
>>>> > 192.168.100.106.1042 -> A.http 7 714
>>>> > 192.168.100.106.1041 <-> 192.168.100.1.domain 2 224
>>>> > 192.168.100.106.1041 <-> 192.168.100.1.domain 2 368
>>>> > 192.168.100.106.1041 <-> 192.168.100.1.domain 2 209
>>>> > 192.168.100.106.1042 -> A.http 2 114
>>>> >
>>>> > I read the racluster manual and tried some configs but I couldn't find a solution for this. Probably I missed something.
>>>> > Any suggestion is welcome.
>>>> >
>>>> > Tks.
>>>> > --
>>>> > Raphael Campos Silva
>>>> > Computer Science - IBILCE Rio Preto - SP
>>>> > Knowledge, exploit it.
>>>> >
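The merge the thread is chasing, as an added example that is not part of the original thread or of the Argus tools: a small Python check that parses the `ra` and `racluster` output lines quoted above (the samples below are constructed from the thread) and confirms that the single racluster record is the sum of the four per-transaction DNS records, then flags any port-53 record that carries more than one query/response pair.

```python
"""Check whether racluster merged DNS transactions (added example, not Argus code).

Parses the whitespace-separated `ra` / `racluster` output as printed in this
thread and verifies that a racluster record is the merge of the per-transaction
records `ra` printed for the same flow key: TotPkts and TotBytes must add up.
"""
from collections import defaultdict

# Constructed sample: the `ra -r cleaned_dump.argus - port 53` output quoted above.
RA_OUTPUT = """\
21:53:13.609647 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 240 CON
21:53:14.135221 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 224 CON
21:53:15.079598 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 368 CON
21:53:16.315496 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 2 209 CON
"""

# Constructed sample: the racluster output with the default model applied.
RACLUSTER_OUTPUT = """\
21:53:13.609647 e udp 192.168.100.106.1040 <-> 192.168.100.1.domain 8 1041 CON
"""

def parse_ra(text):
    """Return one dict per flow record line; the column header line is skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9 or fields[0] == "StartTime":
            continue
        start, _flgs, proto, src, direction, dst, pkts, nbytes, state = fields
        records.append({"start": start, "proto": proto, "src": src, "dir": direction,
                        "dst": dst, "pkts": int(pkts), "bytes": int(nbytes), "state": state})
    return records

def merge_by_flow(records):
    """Sum packets and bytes per (proto, src, dst) key, as a merge of the records would."""
    totals = defaultdict(lambda: {"pkts": 0, "bytes": 0, "records": 0})
    for r in records:
        key = (r["proto"], r["src"], r["dst"])
        totals[key]["pkts"] += r["pkts"]
        totals[key]["bytes"] += r["bytes"]
        totals[key]["records"] += 1
    return dict(totals)

def check_merge(ra_text, racluster_text):
    """True when every racluster record equals the sum of the ra records for its flow key."""
    expected = merge_by_flow(parse_ra(ra_text))
    for r in parse_ra(racluster_text):
        exp = expected.get((r["proto"], r["src"], r["dst"]))
        if exp is None or exp["pkts"] != r["pkts"] or exp["bytes"] != r["bytes"]:
            return False
    return True

def dns_transactions_preserved(text):
    """True when no record involving the domain port carries more than one query/response pair."""
    return all(r["pkts"] <= 2 for r in parse_ra(text)
               if r["dst"].endswith(".domain") or r["src"].endswith(".domain"))
```

Running `dns_transactions_preserved` over racluster output is a quick way to tell whether a configuration actually left the DNS transactions unmerged.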