Radium identify TLS handshakes?
James A. Robinson
jim.robinson at gmail.com
Thu Mar 15 18:42:23 EDT 2018
I've a need to identify hosts initiating outgoing TLS connections. It's a
lot of hosts that I need to examine (around a thousand), and I'm worried
about the amount of disk that will consume if I just gather the argus data
from all of them.
Is there a way to filter the radium data such that I can just capture the
minimal fact of "host X initiated a TLS connection to host Y"?
Looking over the man page I saw there is a RADIUM_FILTER option that can
take the same sort of filtering parameters as tcpdump. On stackoverflow
there is a discussion about capturing just the initial part of a TLS
If I run tcpdump and apply the following expression:
tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)
It seems to do what I want: it shows a bit of activity for each outgoing
TLS connection I make, rather than all the packets. Is there a way to use
something similar to this expression in RADIUM_FILTER to capture just the
initial handshake? I tried adding it wholesale
RADIUM_FILTER="tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
but radium didn't register any activity, whereas I do see activity when I
filter on the simpler expression just looking at the port:
RADIUM_FILTER="tcp port 443"
This is on a pair of Linux systems running argus and radium 3.0-8.
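The tcpdump expression in the post walks the TCP header to find the first payload byte and tests it for the TLS "handshake" record type (0x16). The following is an added example, not part of the original message or of the argus/radium project: it reimplements that byte-offset logic in Python over constructed Ethernet/IPv4/TCP frames (sample data, not captured traffic) and reduces each matching frame to the minimal fact the post asks for, "host X initiated a TLS connection to host Y". It only matches the outbound direction (destination port 443), and it treats an empty segment (a pure ACK) as a non-match, the same way the BPF filter fails when the indexed byte lies past the end of the packet. All addresses, ports and the `build_frame` helper are assumptions made for the example.

```python
import socket
import struct
from typing import List, Optional, Set, Tuple

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
TLS_APP_DATA = 0x17    # TLS record content type "application data"
CLIENT_HELLO = 0x01    # handshake message type inside a handshake record


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame (helper assumed for this example)."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp_hdr_len = 20 + len(tcp_options)
    data_offset_words = tcp_hdr_len // 4
    # sport, dport, seq, ack, data offset<<4, flags (PSH|ACK), window, checksum (left 0), urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      data_offset_words << 4, 0x18, 65535, 0, 0) + tcp_options
    total_len = 20 + tcp_hdr_len + len(payload)
    # version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto 6 = TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def tls_handshake_endpoints(frame: bytes) -> Optional[Tuple[str, str, Optional[int]]]:
    """Return (client_ip, server_ip, handshake_type) if the frame carries a TLS
    handshake record to port 443, else None.

    Mirrors tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16) for the
    outbound direction only.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                         # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[23] != 6:
        return None                         # protocol field: not TCP
    src_ip = socket.inet_ntoa(frame[26:30])
    dst_ip = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    _sport, dport = struct.unpack("!HH", tcp[:4])
    # tcp[12]: upper nibble = header length in 32-bit words; >> 2 turns it into bytes,
    # so options (MSS, SACK, timestamps) do not shift where the payload starts.
    data_offset = (tcp[12] & 0xF0) >> 2
    payload = tcp[data_offset:]
    if dport != 443 or not payload or payload[0] != TLS_HANDSHAKE:
        return None                         # wrong port, empty segment, or not a handshake record
    # Byte 5 is the handshake message type (0x01 = ClientHello) when the record carries one.
    handshake_type = payload[5] if len(payload) >= 6 else None
    return src_ip, dst_ip, handshake_type


def tls_initiators(frames: List[bytes]) -> Set[Tuple[str, str]]:
    """Reduce a batch of frames to the set of (client, server) pairs that began a TLS handshake."""
    pairs: Set[Tuple[str, str]] = set()
    for frame in frames:
        hit = tls_handshake_endpoints(frame)
        if hit is not None and hit[2] == CLIENT_HELLO:
            pairs.add((hit[0], hit[1]))
    return pairs


# Constructed sample data: a ClientHello, an application-data record, a pure ACK,
# and a handshake record on a non-443 port. Lengths inside the TLS headers are made up.
CLIENT_HELLO_RECORD = bytes([TLS_HANDSHAKE, 0x03, 0x01, 0x00, 0x05, CLIENT_HELLO, 0x00, 0x00, 0x01, 0x00])
APP_DATA_RECORD = bytes([TLS_APP_DATA, 0x03, 0x03, 0x00, 0x02, 0xAA, 0xBB])
# MSS option plus NOP, NOP, SACK-permitted: 8 bytes, so the header is 28 bytes (tcp[12] = 0x70)
TCP_OPTIONS = bytes.fromhex("020405b4" "01010402")

SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", 51234, 443, CLIENT_HELLO_RECORD, TCP_OPTIONS),
    build_frame("10.0.0.5", "192.0.2.10", 51234, 443, APP_DATA_RECORD),
    build_frame("10.0.0.5", "192.0.2.10", 51234, 443, b""),
    build_frame("10.0.0.5", "192.0.2.10", 51234, 80, CLIENT_HELLO_RECORD),
]

if __name__ == "__main__":
    for client, server in sorted(tls_initiators(SAMPLE_FRAMES)):
        print(f"{client} initiated a TLS connection to {server}")
```

The first sample frame carries TCP options, which is why the code derives the payload offset from `tcp[12]` rather than assuming a 20-byte header; a fixed offset would test an option byte instead of the TLS record type. Only the ClientHello frame contributes to the output set; the application-data record, the empty segment and the port-80 frame are all rejected.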