Field "state" from Argus (ra)

Carter Bullard carter at qosient.com
Thu May 17 10:37:45 EDT 2018 

Mauricio,
Hmmm, these abbreviations for ICMP types are well documented in IETF and IANA documents, and have the standard meanings.  If they are of specific interest to you, I would recommend that you checkout IETF RFC 792 and 7279, which describe these in detail.  You will need the detail in order to make decisions on how to interprete flows that include them.

The ra* clients decode  icmp types by number and print strings using a table that is described in argus-clients/include/argus_util.h.

char *icmptypestr[ICMP_MAXTYPE] = {
   "ECR", "   ", "   ", "UR" , "SRC", "RED",
   "AHA", "   ", "ECO", "RTA", "RTS", "TXD",
   "PAR", "TST", "TSR", "IRQ", "IRR", "MAS",
   "MSR", "SEC", "ROB", "ROB", "ROB", "ROB",
   "ROB", "ROB", "ROB", "ROB", "ROB", "ROB",
   "TRC", "DCE", "MHR", "WAY", "IAH", "MRQ",
   "MRP", "DNQ", "DNP", "SKP", "PHO", "NRS",
   "NRA", "NNS", "NNA", "PTB",
};

So, an “AHA”  is icmp type 6, which is ‘Alternate Host Address’.  This type has been deprecated and what that means will require that you do some serious research, as no one really knows that that was suppose to do.  But I have seen the type being used by interesting types of software.  

I can only assume that you are joking about ‘UNK’ not being documented, as “UNK” for me is universally considered “UNK”NOWN.  I hope that you can see the logic.

Carter

> On May 16, 2018, at 9:18 AM, Mauricio Reis <reismc at gmail.com> wrote:
> 
> The answers are helping a lot to clarify my doubts. But I also checked some omissions in the existing documentation:


> The following values of the "state" field for the icmp protocol are not documented: "AHA", "DCE", "DNP", "DNQ", "IAH", "MRP", "NNA", "PHO", "ROB", "RTA", "SEC", "SKP", "TRC", "UNK", "UR", "URO" and "WAY".
> The "UNK" value of the "state" field for the "icmp" protocol is not documented.
> The flags "C" (CWR) and "E" (ECE) for the "tcp" protocol were only presented in an email, but are not documented.
> I would like to know more details about these values from the "state" field I presented above.
> 
> Att.,
> Mauricio Reis
> 
> 2018-05-10 19:04 GMT-03:00 David Edelman <dedelman at iname.com <mailto:dedelman at iname.com>>:
> The general rule is that the underscore is the divider between the flags that were set in packets originating from the source (left of the underscore) and the destination (right of the underscore) Source and Destination may not be what you expect them to be but they are always correctly associated with the values of the fields saddr and daddr.
> 
>  
> 
> A_FRA           Source sent at least one ACK  the Destination sent at least one each FIN, RST, ACK
> 
> FSRPAEC_FSRPA Source sent at least one each FIN SYN RST PUSH ACK ECE and CWR  Destination sent at least one each of FIN SYN RST PUSH ACK
> 
> RPA_SA   RST  PUSH ACK _ SYN ACK
> 
> SPAC_FSRPA  SYN PUSH ACK CWR _ FIN SYN RST PUSH ACK
> 
> FSPA_            Source sent FIN SYN PUSH ACK and no flags were seen from the destination
> 
> _FA                 No flags were seen from the source the destination sent FIN ACK
> 
>  
> 
> --Dave
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> From: Argus-info [mailto:argus-info-bounces+dedelman <mailto:argus-info-bounces%2Bdedelman>=iname.com at lists.andrew.cmu.edu <mailto:iname.com at lists.andrew.cmu.edu>] On Behalf Of John Gerth
> Sent: Thursday, May 10, 2018 4:58 PM
> To: Drew Dixon <dwdixon at umich.edu <mailto:dwdixon at umich.edu>>; Mauricio Reis <reismc at gmail.com <mailto:reismc at gmail.com>>
> Cc: Argus <argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu>>
> Subject: Re: [ARGUS] Field "state" from Argus (ra)
> 
>  
> 
> With regards to -Zb and TCP, the _ separates the flags seen for src packets from those seen for dst.  For both, it's the logical OR of flags seen in this flow reporting interval for that direction.
> 
> Many of the other states, e.g. ECO, URH, TXD are for ICMP flows
> 
> In general, the default state values for TCP and UDP, I feel are intended to convey a generic summary for this reporting interval.  Argus does a pretty good job of synthesizing these, but, especially for UDP, this can't be perfect as there's no guarantee that argus saw the stream from end-to-end. For the specific case of UDP, I also see both REQ and INT values.  In either case it seems to denote only src packets for this interval.
> 
> On 5/10/18 6:37 AM, Drew Dixon wrote:
> 
> I would also be interested in more information on understanding the default state field values, however FWIW I've been using the -Zb option to display the state field values, I've preferred that option as I didn't really intuitively understand the default state values all that well:
> 
>  
> 
> -Z <s|d|b> Modify status field to represent actual TCP flag values. <'s'rc | 'd'st | 'b'oth>.  I've always used the "both" option (-Zb) when using this flag.  I've noticed even when using -Zb some flows may show "REQ" in the State field, this is typically shown for UDP flows in our experiences, however this is contrary to the ra man page documentation (see REQ|INT section below) for UDP flows I still see "REQ" for almost all udp flows rather than "INT" as it states in the man page (and below).   The characters that can be present in the status field when this is enabled are:
> 
>              'F' - Fin
>              'S' - Syn
>              'R' - Reset
>              'P' - Push
>              'A' - Ack
>              'U' - Urgent Pointer
>              '7' - Undefined 7th bit set
>              '8' - Undefined 8th bit set
> 
>  
> 
> According to the man page this is what REQ means:
> 
>  
> 
> REQ|INT (requested|initial)
> 
> This indicates that this is the initial state report for a transaction and is seen only when the argus-server is in DETAIL mode.  For TCP connections this is REQ, indicating that a connection is being requested.  For the connectionless protocols, such as UDP, this is INT. (this has not been the case for me)
> 
>  
> 
> I've also noticed when using the -Zb flag there are some seemingly random underscore's in the state field which I do not understand and would also be interested in better understanding, for example "FSPA_" or "SPA_" or "SRPA_" ...I never really understood what the underscores were all about?
> 
>  
> 
> Thank you,
> 
>  
> 
> -Drew
> 
>  
> 
> On Thu, May 10, 2018 at 11:38 AM, Mauricio Reis <reismc at gmail.com <mailto:reismc at gmail.com>> wrote:
> 
>  
> 
> I'm working on the binetflow extension files available on the CTU-13 site (link <https://mcfp.weebly.com/the-ctu-13-dataset-a-labeled-dataset-with-botnet-normal-and-background-traffic.html>), which was generated by Argus with the "ra" option according to what I was able to verify (see link <http://dx.doi.org/10.1016/j.cose.2014.05.011>).
> 
>  
> 
> I'd like to understand the values of the "state" field. The documentation I accessed (link <http://qosient.com/argus/man/man1/ra.1.pdf>) describes only some of the values I found (for example: ECO, ECR, IRQ, IRR, MAS, MHR, MRQ, MSR, NNA, NNS, NRA, NRS, PAR, PTB, RED, RTA, RTS, SRC, TSR, TST, TXD, URCUT, URF, URFIL, URH, URHPRO, URHTOS, URHU, URISO, URN, URNPRO, URNTOS, URNU, URP, URPRE, URS). But I could not understand the meaning of values like: FRPA, FSRAEC, RPA, SRA, etc - and combinations like: A_FRA, FSRPAEC_FSRPA, RPA_SA, SPAC_FSRPA.
> 
>  
> 
> Would you help me?
> 
>  
> 
> Att.,
> 
> Mauricio Reis
> 
>  
> 
>  
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180517/a7d0b649/attachment.html>

More information about the argus mailing list