Radium identify TLS handshakes?

Carter Bullard carter at qosient.com
Thu Mar 15 19:44:04 EDT 2018


Hey Jim,
You don’t want to use packet filters, unless you want argus to generate flow records only for TLS negotiation traffic, and that is not really what you’re interested in, as normal legitimate 443 traffic will have TLS negotiations.   So you just want to inspect the flows that are using tcp port 443 and find some anomalous ones .... So argus is running and radium is collecting on the localhost … assuming you aren’t storing your argus records in an archive … connect to radium using ra.1 

    ra -S localhost - tcp and port 443

This will print out all the status records for traffic using tcp port 443.  If you want the records for outgoing only ....  for me, I’m running in a 10.1 network, my filter would be ....

    ra -S localhost - tcp and port 443 and not dst net 10.1.0.0/16

This will give you all the outgoing flows that are using tcp port 443, which should be TLS … both successful and unsuccessful.  If you’re looking for incomplete attempts, i.e. they didn’t get in … then the packet count will be less than a full negotiation, what is it … 12 from src and 11 from the dot, I can’t remember ... let's assume 12 from either direction ...

    ra -S localhost - tcp and port 443 and not dst net 10.1.0.0/16 and pkts lt 12

Because argus generates flow status records, which means you’ll get multiple flow records for long-lived flows, you will want to be looking at the first phase of the TLS tcp connection, and you should be looking for the TCP handshake as well,  so be sure and add some tcpflags so that you get the syn in the specific flow record ….

    ra -S localhost - tcp and port 443 and syn and not dst net 10.1.0.0/16 and pkts lt 12

You don’t want to include the synack in the filter, because you are also interested in hosts that access remote hosts using tcp port 443 that reject the connection, because there is no service on the port, and because many failed TLS negotiations are reset by the far end, you can look for a RST if you think that will help …

    ra -S localhost - tcp and port 443 and syn and reset and not dst net 10.1.0.0/16 and pkts lt 12

Depending on where your argus is in the network, you may be able to see all outgoing traffic, and call will print, in near realtime, all the candidate attempts by your local end systems to access external addresses on tcp port 443, looking for incomplete TLS negotiation attempts.  You may need to tweak it for your purposes, but something like this should do it.

You may find that small status flows make this strategy not as useful as you would like, so in that case you would want to store all the 443 traffic into a file,

    ra -S localhost -w file - tcp and port 443 and not dst net 10.1.0.0/16

After the end of the day, cluster the data to merge all the status records together, and then look for small tcp port 443 flows … they will be the ones you’re interested in …

    racluster -r file -w - | ra -r - - pkts lt 12

OK, probably more than you were looking for.  If none of this works for you, send email and we can figure it out ….

Carter


On Mar 15, 2018, at 6:42 PM, James A. Robinson <jim.robinson at gmail.com> wrote:

> Hi,
> 
> I've a need to identify hosts initiating outgoing TLS connections.  It's a lot of hosts that I need to examine (around a thousand), and I'm worried about the amount of disk that will consume if I just gather the argus data from all of them.
> 
> Is there a way to filter the radium data such that I can just capture the minimal fact of "host X initiated a TLS connection to host Y"?
> 
> Looking over the man page I saw there is a RADIUM_FILTER option that can take the same sort of filtering parameters as tcpdump.  On stackoverflow there is a discussion about capturing just the initial part of a TLS conversation:
> 
> https://stackoverflow.com/questions/39624745/capture-only-ssl-handshake-with-tcpdump
> 
> If I run tcpdump and apply the following expression:
> 
> tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)
> 
> It seems to do what I want, it shows a bit of activity for each outgoing TLS connection I make, rather than all the packets.  Is there a way to use something similar to this expression in RADIUM_FILTER to capture just the initial handshake?  I tried adding it wholesale
> 
> RADIUM_FILTER="tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"
> 
> but radium didn't register any activity, whereas I do see activity when I filter on the simpler expression just looking at the port:
> 
> RADIUM_FILTER="tcp port 443"
> 
> This is on a pair of Linux systems running argus and radium 3.0-8.
> 
> Jim
> 
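The two checks discussed in this thread, written out as an added example that is not part of the argus project or of either message above: Jim's packet-level BPF test `tcp[((tcp[12] & 0xf0) >> 2)] = 0x16` (which matches the TLS Handshake record type at the first payload byte) and Carter's flow-level triage of small outbound tcp/443 flows, including the racluster merge step that keeps split status records of long-lived flows from looking like short ones. The flow records are a constructed sample in an assumed comma-separated layout (saddr, daddr, dport, pkts, flags); the flags column is a simplification that carries the same keywords the ra filter understands (syn, synack, reset, fin), not a real ra field.

```python
"""Added example: TLS-handshake packet test and small-outbound-443-flow triage."""
import ipaddress

TLS_HANDSHAKE = 0x16  # TLS record content type: Handshake (ClientHello, ServerHello, ...)


def tls_handshake_in_segment(tcp: bytes) -> bool:
    """Python equivalent of the BPF expression tcp[((tcp[12] & 0xf0) >> 2)] = 0x16.

    tcp[12] holds the TCP data offset (header length in 32-bit words) in its
    high nibble; (tcp[12] & 0xf0) >> 2 converts it to a byte offset of the first
    payload byte, which for a TLS record is the content type.  Segments with no
    payload (bare SYN, ACK, RST) never match, which is why the tcpdump filter
    shows only the handshake records and not the whole connection."""
    if len(tcp) < 20:
        return False
    data_offset = (tcp[12] & 0xF0) >> 2
    if data_offset < 20 or len(tcp) <= data_offset:
        return False
    return tcp[data_offset] == TLS_HANDSHAKE


def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Construct a minimal TCP header (20 bytes plus options) in front of payload.
    Only the data offset field matters for the test; ports, seq and flags are zero."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    header_words = (20 + len(options)) // 4
    hdr = bytearray(20)
    hdr[12] = header_words << 4  # data offset in the high nibble
    return bytes(hdr) + options + payload


# Constructed sample flow records (assumed layout: saddr,daddr,dport,pkts,flags).
# 10.1.5.20 is one long-lived flow reported as two status records.
SAMPLE_RA_OUTPUT = """\
10.1.5.20,203.0.113.5,443,8,syn synack
10.1.5.20,203.0.113.5,443,9,
10.1.5.21,198.51.100.7,443,2,syn reset
10.1.5.22,203.0.113.9,443,25,syn synack fin
10.1.5.23,10.1.9.9,443,3,syn
10.1.5.24,203.0.113.10,443,5,syn synack
10.1.5.25,203.0.113.11,8443,2,syn
"""


def parse_ra_csv(text: str):
    """Parse the assumed comma-separated record layout into dicts."""
    rows = []
    for line in text.strip().splitlines():
        saddr, daddr, dport, pkts, flags = line.split(",", 4)
        rows.append({"saddr": saddr, "daddr": daddr, "dport": int(dport),
                     "pkts": int(pkts), "flags": set(flags.split())})
    return rows


def cluster(rows):
    """Merge status records of the same flow (saddr, daddr, dport), as the
    racluster step in the thread does: packet counts add up and flags union."""
    merged = {}
    for r in rows:
        key = (r["saddr"], r["daddr"], r["dport"])
        m = merged.setdefault(key, {"saddr": r["saddr"], "daddr": r["daddr"],
                                    "dport": r["dport"], "pkts": 0, "flags": set()})
        m["pkts"] += r["pkts"]
        m["flags"] |= r["flags"]
    return list(merged.values())


def incomplete_outbound_tls(rows, local_net: str, max_pkts: int = 12,
                            require_reset: bool = False):
    """Flow-level form of 'tcp and port 443 and syn and not dst net LOCAL and
    pkts lt N' (optionally 'and reset'): flows that opened a connection to an
    external tcp/443 service but carried fewer packets than a full negotiation."""
    net = ipaddress.ip_network(local_net)
    hits = []
    for r in rows:
        if r["dport"] != 443 or ipaddress.ip_address(r["daddr"]) in net:
            continue
        if "syn" not in r["flags"] or r["pkts"] >= max_pkts:
            continue
        if require_reset and "reset" not in r["flags"]:
            continue
        hits.append(r)
    return hits


if __name__ == "__main__":
    hello = build_segment(bytes([0x16, 0x03, 0x01, 0x00, 0x2F]))  # TLS record header
    print("ClientHello segment matches:", tls_handshake_in_segment(hello))
    rows = parse_ra_csv(SAMPLE_RA_OUTPUT)
    print("unclustered hits:", sorted(r["saddr"] for r in incomplete_outbound_tls(rows, "10.1.0.0/16")))
    print("clustered hits:  ", sorted(r["saddr"] for r in incomplete_outbound_tls(cluster(rows), "10.1.0.0/16")))
```

On the sample, the unclustered pass flags three sources, including 10.1.5.20, whose first status record is small only because the flow was split; after the cluster step only 10.1.5.21 (reset by the far end) and 10.1.5.24 remain, and `require_reset=True` narrows it to 10.1.5.21. The 10.1.9.9 destination is dropped by the `not dst net` test and the 8443 flow by the port test, exactly as the ra filters in the reply would do.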