Field "state" from Argus (ra)
David Edelman
dedelman at iname.com
Thu May 10 18:04:30 EDT 2018
The general rule is that the underscore is the divider between the flags that were set in packets originating from the source (left of the underscore) and the destination (right of the underscore) Source and Destination may not be what you expect them to be but they are always correctly associated with the values of the fields saddr and daddr.
A_FRA Source sent at least one ACK the Destination sent at least one each FIN, RST, ACK
FSRPAEC_FSRPA Source sent at least one each FIN SYN RST PUSH ACK ECE and CWR Destination sent at least one each of FIN SYN RST PUSH ACK
RPA_SA RST PUSH ACK _ SYN ACK
SPAC_FSRPA SYN PUSH ACK CWR _ FIN SYN RST PUSH ACK
FSPA_ Source sent FIN SYN PUSH ACK and no flags were seen from the destination
_FA No flags were seen from the source the destination sent FIN ACK
--Dave
From: Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of John Gerth
Sent: Thursday, May 10, 2018 4:58 PM
To: Drew Dixon <dwdixon at umich.edu>; Mauricio Reis <reismc at gmail.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Field "state" from Argus (ra)
With regards to -Zb and TCP, the _ separates the flags seen for src packets from those seen for dst. For both, it's the logical OR of flags seen in this flow reporting interval for that direction.
Many of the other states, e.g. ECO, URH, TXD are for ICMP flows
In general, the default state values for TCP and UDP, I feel are intended to convey a generic summary for this reporting interval. Argus does a pretty good job of synthesizing these, but, especially for UDP, this can't be perfect as there's no guarantee that argus saw the stream from end-to-end. For the specific case of UDP, I also see both REQ and INT values. In either case it seems to denote only src packets for this interval.
On 5/10/18 6:37 AM, Drew Dixon wrote:
I would also be interested in more information on understanding the default state field values, however FWIW I've been using the -Zb option to display the state field values, I've preferred that option as I didn't really intuitively understand the default state values all that well:
-Z <s|d|b> Modify status field to represent actual TCP flag values. <'s'rc | 'd'st | 'b'oth>. I've always used the "both" option (-Zb) when using this flag. I've noticed even when using -Zb some flows may show "REQ" in the State field, this is typically shown for UDP flows in our experiences, however this is contrary to the ra man page documentation (see REQ|INT section below) for UDP flows I still see "REQ" for almost all udp flows rather than "INT" as it states in the man page (and below). The characters that can be present in the status field when this is enabled are:
'F' - Fin
'S' - Syn
'R' - Reset
'P' - Push
'A' - Ack
'U' - Urgent Pointer
'7' - Undefined 7th bit set
'8' - Undefined 8th bit set
According to the man page this is what REQ means:
REQ|INT (requested|initial)
This indicates that this is the initial state report for a transaction and is seen only when the argus-server is in DETAIL mode. For TCP connections this is REQ, indicating that a connection is being requested. For the connectionless protocols, such as UDP, this is INT. (this has not been the case for me)
I've also noticed when using the -Zb flag there are some seemingly random underscore's in the state field which I do not understand and would also be interested in better understanding, for example "FSPA_" or "SPA_" or "SRPA_" ...I never really understood what the underscores were all about?
Thank you,
-Drew
On Thu, May 10, 2018 at 11:38 AM, Mauricio Reis <reismc at gmail.com <mailto:reismc at gmail.com> > wrote:
I'm working on the binetflow extension files available on the CTU-13 site (link <https://mcfp.weebly.com/the-ctu-13-dataset-a-labeled-dataset-with-botnet-normal-and-background-traffic.html> ), which was generated by Argus with the "ra" option according to what I was able to verify (see link <http://dx.doi.org/10.1016/j.cose.2014.05.011> ).
I'd like to understand the values of the "state" field. The documentation I accessed (link <http://qosient.com/argus/man/man1/ra.1.pdf> ) describes only some of the values I found (for example: ECO, ECR, IRQ, IRR, MAS, MHR, MRQ, MSR, NNA, NNS, NRA, NRS, PAR, PTB, RED, RTA, RTS, SRC, TSR, TST, TXD, URCUT, URF, URFIL, URH, URHPRO, URHTOS, URHU, URISO, URN, URNPRO, URNTOS, URNU, URP, URPRE, URS). But I could not understand the meaning of values like: FRPA, FSRAEC, RPA, SRA, etc - and combinations like: A_FRA, FSRPAEC_FSRPA, RPA_SA, SPAC_FSRPA.
Would you help me?
Att.,
Mauricio Reis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180510/ec6788a6/attachment.html>
More information about the argus
mailing list