Radium identify TLS handshakes?
James A. Robinson
jim.robinson at gmail.com
Thu Mar 15 18:42:23 EDT 2018
Hi,
I've a need to identify hosts initiating outgoing TLS connections. It's a
lot of hosts that I need to examine (around a thousand), and I'm worried
about the amount of disk that will consume if I just gather the argus data
from all of them.
Is there a way to filter the radium data such that I can just capture the
minimal fact of "host X initiated a TLS connection to host Y"?
Looking over the man page I saw there is a RADIUM_FILTER option that can
take the same sort of filtering parameters as tcpdump. On stackoverflow
there is a discussion about capturing just the initial part of a TLS
conversation:
https://stackoverflow.com/questions/39624745/capture-only-ssl-handshake-with-tcpdump
If I run tcpdump and apply the following expression:
tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)
It seems to do what I want, it shows a bit of activity for each outgoing
TLS connection I make, rather than all the packets. Is there a way to use
something similar to this expression in RADIUM_FILTER to capture just the
initial handshake? I tried adding it wholesale
RADIUM_FILTER="tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
but radium didn't register any activity, whereas I do see activity when I
filter on the simpler expression just looking at the port:
RADIUM_FILTER="tcp port 443"
This is on a pair of Linux systems running argus and radium 3.0-8.
Jim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180315/fb460d5a/attachment.html>
More information about the argus
mailing list