Odd records issue
mike tancsa via Argus-info
argus-info at lists.andrew.cmu.edu
Wed Jan 11 10:29:58 EST 2017
On 1/10/2017 3:57 PM, David Edelman wrote:
> As a rule I always suggest that you start the troubleshooting session by adding -X as the first argument on the command line that starts Argus. This might solve the problem and then you know to look at *ALL* of the argus configuration files.
>
> Just a guess, the configuration parameter ARGUS_TUNNEL_DISCOVERY may be set to yes and have some impact. Since the default value is set to no, killing the consumption of the configuration files may help.
Hi,
The challenge is that by displaying only the tunnel payload, I have no
way of finding out via argus what IP delivered that payload. It's also
inconsistent. With the botnet traffic, it saves the inner payload as a
record. With "normal" GRE traffic, it saves the transport GRE packet.
Tunnel Discovery is off.
e.g., a tcpdump shows
10:22:19.945153 IP aa.bb.153.25 > xx.yy.xx.58: GREv1, call 10112, seq 24045, ack 28268, length 60: IP 10.0.0.210 > 224.0.0.22: igmp v3 report, 1 group record(s)
and argus shows
10:22:19 * gre xx.yy.xx.58 <-> aa.bb.153.25 14 13437 CON
But there is no mention in the argus file of the host 10.0.0.210. It
only seems to happen with the botnet generated GRE traffic.
---Mike
>
> --Dave
>
> -----Original Message-----
> From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of mike tancsa via Argus-info
> Sent: Tuesday, January 10, 2017 1:55 PM
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Odd records issue
>
> OK, I figured this out. It seems the contents of GRE packets are being recorded by argus as if they are actual packets. Is there a way to flag these or keep these separate?
>
> e.g. a tcpdump shows
> length 578: 220.133.125.107 > 206.51.25.216: GREv0, proto IPv4 (0x0800), length 544: 185.125.128.61.53714 > 112.93.217.129.37883: UDP, length 512
>
> % ra -nr border.arg -sproto:3,saddr,sport,daddr,dport,size - host 185.125.128.61
> Pro SrcAddr Sport DstAddr Dport
> udp 185.125.128.61.53714 112.93.217.129.37883
>
> It's nice that this is saved, but it would be good if it were treated as "special" or different from the actual packet on the wire.
>
> ---Mike
>
> On 1/10/2017 11:02 AM, mike tancsa via Argus-info wrote:
>> While I was trying to track down an issue with some unaccounted
>> packets, I noticed that argus was creating a lot of records that don't make sense.
>>
>> On one of my sensors, I changed the config so that I would record a
>> pcap. In theory, both files should show the same data, no? Instead,
>> I have a LOT of addresses that are not in my network, and almost
>> always 582 bytes.
>>
>> % ra -nr argus.out -s saddr,sport,daddr,dport, bytes:4 ,pkts:2,proto:3 - bytes 582 and pkts 1 | head -30
>> SrcAddr Sport DstAddr Dport TotB To Pro
>> 66.14.58.118.4710 165.57.97.129.62304 582 1 udp
>> 228.44.123.180.32215 130.71.80.142.169 582 1 udp
>> 42.80.37.245.64417 217.93.18.80.13594 582 1 udp
>> 42.80.37.245.64417 217.93.18.80.13594 582 1 udp
>> 184.111.255.119.46797 220.83.180.38.46450 582 1 udp
>> 208.20.172.166.10533 155.189.252.142.23409 582 1 udp
>> 87.96.180.21.42185 156.23.175.50.42394 582 1 udp
>> 135.215.238.69.41005 244.71.183.157.49514 582 1 udp
>> 42.118.169.234.64017 24.169.111.198.5837 582 1 udp
>> 62.150.25.153.2414 39.220.44.122.58128 582 1 udp
>> 113.20.11.165.45467 200.106.11.169.57598 582 1 udp
>> 172.180.78.96.51016 139.173.29.46.15019 582 1 udp
>> 172.180.78.96.51016 139.173.29.46.15019 582 1 udp
>> 44.122.117.130.20546 180.167.75.128.60420 582 1 udp
>> 44.122.117.130.20546 180.167.75.128.60420 582 1 udp
>> 235.102.137.81.59403 110.104.217.242.31414 582 1 udp
>> 235.102.137.81.59403 110.104.217.242.31414 582 1 udp
>> 52.15.123.178.12147 210.93.8.106.19146 582 1 udp
>> 52.15.123.178.12147 210.93.8.106.19146 582 1 udp
>> 68.195.206.107.19522 184.118.84.142.48695 582 1 udp
>> 173.129.21.3.5450 252.255.127.111.49931 582 1 udp
>> 173.129.21.3.5450 252.255.127.111.49931 582 1 udp
>> 94.187.10.197.3147 162.181.187.17.16443 582 1 udp
>> 208.189.73.229.33307 155.175.43.8.62169 582 1 udp
>> 115.98.69.100.4716 84.194.54.90.31643 582 1 udp
>> 181.61.176.121.25337 230.174.10.75.38614 582 1 udp
>> 17.126.194.240.59882 67.78.7.236.64742 582 1 udp
>> 68.209.4.147.38113 82.176.3.109.8904 582 1 udp
>> 68.209.4.147.38113 82.176.3.109.8904 582 1 udp
>>
>>
>> But looking at the pcap file AND a tcpdump of the interface, I never
>> see any such packets.
>>
>> % ls -l
>> total 3779656
>> drwxr-xr-x 2 root wheel - 512 Jan 10 10:03 .
>> drwxr-xr-x 3 root wheel - 3072 Jan 10 10:03 ..
>> -rw-r--r-- 1 root wheel - 207937088 Jan 10 10:57 argus.out
>> -rw-r--r-- 1 root wheel - 3661365248 Jan 10 10:57 packet.out
>>
>> % tcpdump -nr packet.out greater 580 and less 583
>> reading from file packet.out, link-type EN10MB (Ethernet)
>>
>> % tcpdump -ner packet.out host 68.209.4.147 or host 17.126.194.240 or host 235.102.137.81
>> reading from file packet.out, link-type EN10MB (Ethernet)
>>
>> Any idea what's going on?
>>
>> If I tcpdump the interface, it never sees any such traffic whereas
>> argus implies there is a LOT
>>
>> % ra -nr argus.out -s stime,saddr,daddr - bytes 582 and pkts 1 | head
>> StartTime SrcAddr DstAddr
>> 10:03:46.217241 66.14.58.118 165.57.97.129
>> 10:03:46.536733 228.44.123.180 130.71.80.142
>> 10:03:47.724602 42.80.37.245 217.93.18.80
>> 10:03:47.724589 42.80.37.245 217.93.18.80
>> 10:03:49.187933 184.111.255.119 220.83.180.38
>> 10:03:53.051873 208.20.172.166 155.189.252.142
>> 10:03:57.551938 87.96.180.21 156.23.175.50
>> 10:04:00.120709 135.215.238.69 244.71.183.157
>> 10:04:02.452829 42.118.169.234 24.169.111.198
>>
>> Ra Version 3.0.8.2
>> Argus Version 3.0.8.2
>>
>>
>
>
>
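Added example, not code from this thread or from the Argus project: a small Python decapsulator that walks Ethernet, outer IPv4, GRE and the inner IPv4 header and reports the inner flow tuple together with the outer tunnel endpoints that delivered it, which is exactly the correlation missing from the argus records discussed above (an inner record for 10.0.0.210 with no mention of the GRE peer). It handles GRE version 0 (inner IPv4 directly, as in the "GREv0, proto IPv4" tcpdump line) and PPTP-style GRE version 1 (K/S/A flags, then a PPP frame carrying IPv4, as in the "GREv1, call 10112" line), computing the GRE header length from the flag bits. The sample frames are constructed test data: tunnel endpoints use RFC 5737 documentation addresses, the inner UDP ports, the inner IGMP packet and the PPTP call/seq/ack values mirror the tcpdump lines in the thread, and `decapsulate`, `annotate` and `gre_header` are this example's own names.

```python
# Added example (not Argus code): decapsulate GRE so an inner packet can be
# reported together with the outer tunnel endpoints that delivered it.
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
IPPROTO_UDP = 17
IPPROTO_TCP = 6
GRE_PROTO_PPP = 0x880B      # GREv1 (PPTP, RFC 2637) carries PPP frames
PPP_PROTO_IPV4 = 0x0021


def parse_ipv4(buf, off):
    """Return (src, dst, proto, header_len) for the IPv4 header at buf[off:]."""
    vhl, proto = buf[off], buf[off + 9]
    if vhl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src, dst = buf[off + 12:off + 16], buf[off + 16:off + 20]
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, (vhl & 0x0F) * 4


def gre_header(buf, off):
    """Return (header_len, protocol_type, version). Header length depends on the
    C/R/K/S flag bits (RFC 2784/2890) and, for version 1, the A flag (RFC 2637)."""
    flags, proto = struct.unpack_from("!HH", buf, off)
    version = flags & 0x7
    length = 4
    if flags & 0xC000:                       # C or R: checksum/offset word
        length += 4
    if flags & 0x2000:                       # K: key (v1: payload length + call ID)
        length += 4
    if flags & 0x1000:                       # S: sequence number
        length += 4
    if version == 1 and flags & 0x0080:      # A: acknowledgment number (v1 only)
        length += 4
    return length, proto, version


def ppp_header(buf, off):
    """Return (header_len, ppp_protocol); accepts the optional FF 03
    address/control bytes and protocol-field compression (RFC 1661)."""
    pos = off
    if buf[pos:pos + 2] == b"\xff\x03":
        pos += 2
    if buf[pos] & 1:                         # odd first byte: 1-byte compressed protocol
        proto, pos = buf[pos], pos + 1
    else:
        proto, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
    return pos - off, proto


def ports(buf, off, proto):
    """Source/destination ports for UDP/TCP, (None, None) otherwise (e.g. IGMP)."""
    if proto in (IPPROTO_UDP, IPPROTO_TCP):
        return struct.unpack_from("!HH", buf, off)
    return None, None


def decapsulate(frame):
    """If frame is IPv4-over-GREv0 or IPv4-over-PPP-over-GREv1, return
    {'outer': (src, dst), 'inner': (src, dst, proto, sport, dport)}; else None."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    osrc, odst, oproto, ohl = parse_ipv4(frame, 14)
    if oproto != IPPROTO_GRE:
        return None
    pos = 14 + ohl
    ghl, gproto, _ = gre_header(frame, pos)
    pos += ghl
    if gproto == GRE_PROTO_PPP:
        phl, pproto = ppp_header(frame, pos)
        if pproto != PPP_PROTO_IPV4:
            return None
        pos += phl
    elif gproto != ETHERTYPE_IPV4:
        return None
    isrc, idst, iproto, ihl = parse_ipv4(frame, pos)
    sport, dport = ports(frame, pos + ihl, iproto)
    return {"outer": (osrc, odst), "inner": (isrc, idst, iproto, sport, dport)}


def annotate(frame):
    """One-line summary tagging the inner tuple with the tunnel endpoints."""
    d = decapsulate(frame)
    if d is None:
        return None
    (osrc, odst), (isrc, idst, proto, sp, dp) = d["outer"], d["inner"]
    ep = lambda a, p: f"{a}.{p}" if p is not None else a
    return f"gre-inner {ep(isrc, sp)} -> {ep(idst, dp)} proto={proto} via {osrc} -> {odst}"


# --- constructed sample frames (RFC 5737 addresses for the tunnel endpoints) ---
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

ETH = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)

# GREv0, proto IPv4, inner UDP 53714 -> 37883 carrying a 512-byte payload
inner_udp = struct.pack("!HHHH", 53714, 37883, 8 + 512, 0) + b"\x00" * 512
GREV0_FRAME = ETH + ipv4("198.51.100.107", "192.0.2.216", IPPROTO_GRE,
                         struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
                         + ipv4("203.0.113.61", "192.0.2.129", IPPROTO_UDP, inner_udp))

# GREv1 (PPTP): K+S+A flags, key = payload length/call ID 10112, seq 24045, ack 28268,
# then a PPP frame carrying IPv4 (IGMP from 10.0.0.210 to 224.0.0.22, body constructed)
inner_igmp = b"\x22\x00\x00\x00\x00\x00\x00\x00"
ppp = b"\xff\x03" + struct.pack("!H", PPP_PROTO_IPV4) + ipv4("10.0.0.210", "224.0.0.22", 2, inner_igmp)
grev1 = struct.pack("!HHHHII", 0x3081, GRE_PROTO_PPP, len(ppp), 10112, 24045, 28268) + ppp
GREV1_FRAME = ETH + ipv4("198.51.100.25", "192.0.2.58", IPPROTO_GRE, grev1)

# A plain (untunnelled) UDP frame, for contrast
PLAIN_FRAME = ETH + ipv4("192.0.2.1", "192.0.2.2", IPPROTO_UDP, inner_udp)

if __name__ == "__main__":
    for f in (GREV0_FRAME, GREV1_FRAME, PLAIN_FRAME):
        print(annotate(f))
```

Run against a pcap, a loop like this gives each inner flow its "via outer-src -> outer-dst" tag, so a record such as the 10.0.0.210 IGMP report can be traced back to the GRE peer that carried it and kept apart from flows seen directly on the wire.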