Field "state" from Argus (ra)
Mauricio Reis
reismc at gmail.com
Wed May 16 09:18:17 EDT 2018
The answers are helping a lot to clarify my doubts. But I also checked some
omissions in the existing documentation:
- The following values of the "state" field for the icmp protocol are
not documented: "*AHA*", "*DCE*", "*DNP*", "*DNQ*", "*IAH*", "*MRP*", "
*NNA*", "*PHO*", "*ROB*", "*RTA*", "*SEC*", "*SKP*", "*TRC*", "*UNK*", "
*UR*", "URO" and "*WAY*".
- The "*UNK*" value of the "state" field for the "icmp" protocol is not
documented.
- The flags "C" (*CWR*) and "E" (*ECE*) for the "tcp" protocol were only
presented in an email, but are not documented.
I would like to know more details about these values from the "state" field
I presented above.
Att.,
Mauricio Reis
2018-05-10 19:04 GMT-03:00 David Edelman <dedelman at iname.com>:
> The general rule is that the underscore is the divider between the flags
> that were set in packets originating from the source (left of the
> underscore) and the destination (right of the underscore) Source and
> Destination may not be what you expect them to be but they are always
> correctly associated with the values of the fields saddr and daddr.
>
>
>
> A_FRA Source sent at least one ACK the Destination sent at
> least one each FIN, RST, ACK
>
> FSRPAEC_FSRPA Source sent at least one each FIN SYN RST PUSH ACK ECE and
> CWR Destination sent at least one each of FIN SYN RST PUSH ACK
>
> RPA_SA RST PUSH ACK _ SYN ACK
>
> SPAC_FSRPA SYN PUSH ACK CWR _ FIN SYN RST PUSH ACK
>
> FSPA_ Source sent FIN SYN PUSH ACK and no flags were seen from
> the destination
>
> _FA No flags were seen from the source the destination
> sent FIN ACK
>
>
>
> --Dave
>
>
>
>
>
>
>
>
>
>
>
> *From:* Argus-info [mailto:argus-info-bounces+dedelman=iname.com at lists.
> andrew.cmu.edu] *On Behalf Of *John Gerth
> *Sent:* Thursday, May 10, 2018 4:58 PM
> *To:* Drew Dixon <dwdixon at umich.edu>; Mauricio Reis <reismc at gmail.com>
> *Cc:* Argus <argus-info at lists.andrew.cmu.edu>
> *Subject:* Re: [ARGUS] Field "state" from Argus (ra)
>
>
>
> With regards to -Zb and TCP, the _ separates the flags seen for src
> packets from those seen for dst. For both, it's the logical OR of flags
> seen in this flow reporting interval for that direction.
>
> Many of the other states, e.g. ECO, URH, TXD are for ICMP flows
>
> In general, the default state values for TCP and UDP, I feel are intended
> to convey a generic summary for this reporting interval. Argus does a
> pretty good job of synthesizing these, but, especially for UDP, this can't
> be perfect as there's no guarantee that argus saw the stream from
> end-to-end. For the specific case of UDP, I also see both REQ and INT
> values. In either case it seems to denote only src packets for this
> interval.
>
> On 5/10/18 6:37 AM, Drew Dixon wrote:
>
> I would also be interested in more information on understanding the
> default state field values, however FWIW I've been using the -Zb option to
> display the state field values, I've preferred that option as I didn't
> really intuitively understand the default state values all that well:
>
>
>
> -Z <s|d|b> Modify status field to represent *actual TCP flag values*.
> <'s'rc | 'd'st | 'b'oth>. I've always used the "both" option (-Zb) when
> using this flag. I've noticed even when using -Zb some flows may show
> "REQ" in the State field, this is typically shown for UDP flows in our
> experiences, however this is contrary to the ra man page documentation (see
> REQ|INT section below) for UDP flows I still see "REQ" for almost all udp
> flows rather than "INT" as it states in the man page (and below). The
> characters that can be present in the status field when this is enabled are:
>
> 'F' - Fin
> 'S' - Syn
> 'R' - Reset
> 'P' - Push
> 'A' - Ack
> 'U' - Urgent Pointer
> '7' - Undefined 7th bit set
> '8' - Undefined 8th bit set
>
>
>
> According to the man page this is what REQ means:
>
>
>
> REQ|INT (requested|initial)
>
> This indicates that this is the initial state report for a transaction and
> is seen only when the argus-server is in DETAIL mode. For TCP connections
> this is REQ, indicating that a connection is being requested. *For the
> connectionless protocols, such as UDP, this is INT. (this has not been the
> case for me)*
>
>
>
> I've also noticed when using the -Zb flag there are some seemingly random
> underscore's in the state field which I do not understand and would also be
> interested in better understanding, for example "FSPA_" or "SPA_" or
> "SRPA_" ...I never really understood what the underscores were all about?
>
>
>
> Thank you,
>
>
>
> -Drew
>
>
>
> On Thu, May 10, 2018 at 11:38 AM, Mauricio Reis <reismc at gmail.com> wrote:
>
>
>
> I'm working on the binetflow extension files available on the CTU-13 site (
> link
> <https://mcfp.weebly.com/the-ctu-13-dataset-a-labeled-dataset-with-botnet-normal-and-background-traffic.html>),
> which was generated by Argus with the "ra" option according to what I was
> able to verify (see link <http://dx.doi.org/10.1016/j.cose.2014.05.011>).
>
>
>
> I'd like to understand the values of the "state" field. The documentation
> I accessed (link <http://qosient.com/argus/man/man1/ra.1.pdf>) describes
> only some of the values I found (for example: ECO, ECR, IRQ, IRR, MAS, MHR,
> MRQ, MSR, NNA, NNS, NRA, NRS, PAR, PTB, RED, RTA, RTS, SRC, TSR, TST, TXD,
> URCUT, URF, URFIL, URH, URHPRO, URHTOS, URHU, URISO, URN, URNPRO, URNTOS,
> URNU, URP, URPRE, URS). But I could not understand the meaning of values
> like: FRPA, FSRAEC, RPA, SRA, etc - and combinations like: A_FRA,
> FSRPAEC_FSRPA, RPA_SA, SPAC_FSRPA.
>
>
>
> Would you help me?
>
>
>
> Att.,
>
> Mauricio Reis
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180516/1a2b9e81/attachment.html>
More information about the argus
mailing list