[ARGUS] recording tls sni from tls handshake client hello
Carter Bullard
carter at qosient.com
Thu Apr 18 09:13:42 EDT 2024
Hey Nikolay,
In argus, parsing of protocol content above the transport layer is done outside of the argus sensor, using the content capture feature.
This ‘offload’ approach has been an important design strategy for the argus sensor and has enabled argus to run 100Gbps+ with modest hardware for over 10 years now.
Programs like radump.1 are provided as examples for how to parse the captured content to extract whatever might be there.
Extracted flow 'metadata' can be put back into the flow record as a label (using programs like ralabel.1), and this has worked quite well.
Argus-3.x allowed for a constant amount of content capture for all flows. In argus-5.0, we’ve extended the content capture feature to add protocol specific capture based on the flow spec. So you can change the amount of captured content based on address, protocol or port(s), using the argus.conf file. This is designed primarily for control plane protocols to capture all the content for rip, ospf, isis, dns, arp, dhcp, ldap, bonjour, whatever or any non-IP traffic. This approach can be used for any protocol.
The v5.0.0 branch of the clients have radns.1 which decodes the flow capture content and extracts the DNS query and response data. We have rarp, radhcp, and there are open source programs to process isis routing traffic flows using these techniques.
For TLS we would write a ratls.1 which could do the same thing for TLS flows.
If we can figure out how to manage the amount of content to capture for the TLS handshake, we can use the same approach to extract the SNI, cert, options, etc. and put any of them back into the flow record as a label. (You would do this for cloud-based streaming systems so that downstream analytics, like a SIEM, can see all the good stuff, so to speak, with good performance).
Argus is aware of TLS specific headers, as the keystroke detection algorithm wants to start after the TLS negotiation is finished.
So, we could put complete TLS header capture into argus-5.0, without a lot of effort.
Now this generates some issues for general argus operation, as the max payload content capture is around 256K bytes per flow record. There is a lot more TLS than control plane right now, so you’ll want to add some smarts to argus-clients so they can throw the TLS header capture away if it’s not needed.
The new argus-5.0 code is here:
Argus - https://github.com/openargus/argus
Clients - https://github.com/openargus/clients
Both the server and the clients have a v5.0.0 branch that has the new features and support.
v5.0.0 is in testing, so grab it and see if it works, and we can add TLS specific things there.
Carter
> On Apr 18, 2024, at 5:26 AM, Nikolya <sitrix at camheds.net> wrote:
>
> Hi
>
> I'm not practical with argus and really want to
> keep statistics of tls sni usage per ip.
> sni - https://datatracker.ietf.org/doc/html/rfc4366#section-3.1
>
> With grep -irE '(tls|sni|ssl)' on argus it seems there is no sni parser.
> Will such data be available on argus or maybe it already is ?
>
> --
> WBR Nikolay
> _______________________________________________
> argus mailing list
> argus at qosient.com
> https://pairlist1.pair.net/mailman/listinfo/argus
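The thread describes a ratls.1-style client that would read the captured TLS handshake bytes out of a flow record and pull the SNI back out as a label, and the original question asks for SNI usage per client IP. The following is an added example of the parsing step, not code from the argus project: it walks a TLS ClientHello (RFC 6066 server_name extension, the successor to RFC 4366 section 3.1) and returns the host_name, returning None for non-TLS payloads, hellos without SNI, and captures truncated short of the extension, which is exactly the case the discussion about how much handshake content to capture is worried about. The function names (`build_client_hello`, `extract_sni`, `sni_per_ip`) and the sample flows are constructed for this example.

```python
"""Extract the TLS SNI from a ClientHello and tally usage per client IP.

Added example, not part of the argus project. The constructed ClientHello
builder exists only to give the parser realistic offline input.
"""
import struct
from collections import Counter

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension id (RFC 6066)
HOST_NAME = 0x00          # only defined NameType


def build_client_hello(sni):
    """Construct a syntactically valid TLS 1.2 ClientHello carrying `sni`.
    sni=None omits the extension entirely. Sample data only."""
    exts = b""
    if sni is not None:
        name = sni.encode("idna")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body = (
        b"\x03\x03" + bytes(32)                   # client_version, random
        + b"\x00"                                 # empty session id
        + b"\x00\x02\xc0\x2f"                     # one cipher suite
        + b"\x01\x00"                             # null compression only
        + struct.pack("!H", len(exts)) + exts     # extensions block
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(payload):
    """Return the host_name from the ClientHello in `payload`, or None.
    None covers non-TLS data, non-ClientHello handshakes, captures cut
    short of the extensions, and hellos that simply carry no SNI."""
    try:
        if len(payload) < 5 or payload[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        rec = payload[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != CLIENT_HELLO:
            return None                        # truncated capture or wrong message
        hs_len = int.from_bytes(rec[1:4], "big")
        hello = rec[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 2 + 32                           # skip client_version and random
        pos += 1 + hello[pos]                  # session id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len                      # cipher suites
        pos += 1 + hello[pos]                  # compression methods
        if pos + 2 > len(hello):
            return None                        # no extensions block: legal, no SNI
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            lpos = 2
            while lpos + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", edata[lpos:lpos + 3])
                lpos += 3
                if ntype == HOST_NAME:
                    return edata[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                            # malformed or short input


def sni_per_ip(flows):
    """flows: iterable of (client_ip, captured_payload).
    Returns a Counter keyed by (ip, sni); flows with no SNI are skipped."""
    counts = Counter()
    for ip, payload in flows:
        sni = extract_sni(payload)
        if sni is not None:
            counts[(ip, sni)] += 1
    return counts


# Constructed sample flows standing in for captured flow content.
SAMPLE_FLOWS = [
    ("192.0.2.10", build_client_hello("example.com")),
    ("192.0.2.10", build_client_hello("example.com")),
    ("192.0.2.11", build_client_hello("www.example.net")),
    ("192.0.2.11", build_client_hello(None)),                # no SNI extension
    ("192.0.2.12", b"GET / HTTP/1.1\r\n"),                   # not TLS at all
    ("192.0.2.12", build_client_hello("example.org")[:40]),  # capture cut short
]

if __name__ == "__main__":
    for (ip, sni), n in sorted(sni_per_ip(SAMPLE_FLOWS).items()):
        print(f"{ip}\t{sni}\t{n}")
```

The truncated sample is the point of the capture-size discussion: if the content capture stops before the extensions block, the parser must report "no SNI" rather than a bogus name, so the label written back into the flow record stays trustworthy. In a real deployment the payload would come from the flow record's captured content and the hello would normally be the first record of the flow.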