[ARGUS] Argus v5.0.0 and ethernet address classes

Carter Bullard carter at qosient.com
Sat Jun 1 14:42:54 EDT 2024


Gentle persons,
In support of a number of endpoint-based NDR, anomaly detection and AI/ML methods, I’ve added a set of new printable fields.  In particular, we've added ethernet address class reporting to v5.0.0.

When tracking ethernet addresses for the emergence of new endpoints or services from within a modern LAN, you may encounter sets of transient / ephemeral / random ethernet addresses.  The transient ethernet addresses will most likely be Locally Administered unicast and multicast Layer 2 addresses that support mDNS and IPv6 use.  But … because they could also represent rogue devices, it is good to understand what classes of addresses are in use, and who is using them.

Ethernet classes don’t really come up very often. Until I started monitoring local LAN networks in depth, I wasn’t aware that my Apple laptops would generate and use hundreds of unique ethernet addresses a week.  And because VMs are free to do quite a bit of magic when assigning their own Layer 2 addresses, getting a grip on your network inventory, and how it’s being used, can be a job. And to figure out if a particular new active ethernet address is good or bad or a nothing-burger address, you may need a little additional information.

Ethernet addresses can be universal or locally administered, unicast or multicast, and assigned using a Structured Local Address Plan (SLAP) which offers extended (ELI), standard dynamic (SAI), and “randomly or arbitrarily assigned” (AAI) ethernet addresses.   Wikipedia has a useful link … https://en.wikipedia.org/wiki/MAC_address .

I expected a bit of diversity in ethernet use in VMs and the cloud, which is true.  Because many vendors have elected to use stealthy strategies for polling, advertising and discovering services in a LAN, you will see quite a few AAI ethernet addresses at home and in the office, where an endpoint just makes up a random address.  This doesn’t violate any standards, so why not … but when trying to keep up with what is normal and abnormal in a LAN, what network am I attached to, etc … tracking all ethernet addresses and their expected uses is a plus. 

A reasonable rule of thumb is to track UAA addresses (universally administered addresses) as they are stable and recurring, and be mindful of AAI address use (SLAP Administratively Assigned) to make sure they conform to specific applications and services.

Argus clients can classify these addresses for you.  To print the class, in argus-clients v5.0.0:

   % ra -r argus.file -s +smacclass dmacclass


Here are a few seconds of output from one of my Mac workstations:

[carter at red clients]$ bin/ra -S localhost -s +smacclass dmacclass - far
                 StartTime        Dur      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State SrcMacCla DstMacCla 
2024/06/01.13:58:21.288030   0.000000  e           udp      192.168.1.125.5353      ->        224.0.0.251.5353          1        0          179            0   REQ       AAI       UAA
2024/06/01.13:58:21.288479   0.000000  e           udp fe80::14cc:fdb1:3*.5353      ->           ff02::fb.5353          1        0          199            0   REQ       AAI        LM
2024/06/01.13:58:21.516843   0.000000  e     A    igmp        192.168.1.1           ->    239.255.255.250               1        0           60            0   INT       UAA       UAA
2024/06/01.13:58:23.168296   0.000000  e     A    igmp       192.168.1.18           ->    239.255.255.250               1        0           60            0   REQ       UAA       UAA
2024/06/01.13:58:23.237963   0.000000  e           udp      192.168.1.131.43551     ->    239.255.255.250.1900          1        0          188            0   REQ       UAA       UAA
2024/06/01.13:58:23.579401   4.000230  e           udp      192.168.1.131.41763     ->    239.255.255.250.51200         3        0          366            0   REQ       UAA       UAA
2024/06/01.13:58:24.951140   4.135659  e           tcp      192.168.1.254.53136    <?>       192.168.1.49.22           14       11         1068         2418   CON       UAA       UAA
2024/06/01.13:58:25.576407   0.001573  e           udp       192.168.1.49.56909    <->        192.168.1.1.53            1        1           80           96   CON       UAA       UAA
2024/06/01.13:58:25.576450   0.018369  e           udp       192.168.1.49.56909    <->        192.168.1.1.53            1        1           80          141   CON       UAA       UAA
2024/06/01.13:58:26.008852   0.000000  e           udp       192.168.1.82.56700     ->    255.255.255.255.56700         1        0           78            0   INT       UAA        LM
2024/06/01.13:58:26.570577   0.000000  e     A    igmp       192.168.1.56           ->    239.255.255.250               1        0           60            0   INT       UAA       UAA
2024/06/01.13:58:28.238698   0.000000  e           udp      192.168.1.131.43551     ->    239.255.255.250.1900          1        0          188            0   REQ       UAA       UAA
2024/06/01.13:58:28.576957   0.000000  e     A    igmp        192.168.1.1           ->    239.255.255.250               1        0           60            0   INT       UAA       UAA
2024/06/01.13:58:29.580689   4.002305  e           udp      192.168.1.131.41763     ->    239.255.255.250.51200         3        0          366            0   REQ       UAA       UAA
2024/06/01.13:58:29.828903   0.000000  e     A    igmp      192.168.1.124           ->    239.255.255.250               1        0           60            0   REQ       UAA       UAA
2024/06/01.13:58:30.341605   4.629959  e           tcp      192.168.1.254.53136    <?>       192.168.1.49.22            7        7          462         2406   CON       UAA       UAA
2024/06/01.13:58:30.749881   0.000505  e           arp       192.168.1.49          who        192.168.1.1               1        1           42           60   CON       UAA       UAA
2024/06/01.13:58:31.582847   0.000000  e     A    igmp        192.168.1.1           ->    239.255.255.250               1        0           60            0   INT       UAA       UAA
2024/06/01.13:58:31.867784   0.000000  e     A    igmp      192.168.1.131           ->    239.255.255.250               1        0           60            0   REQ       UAA       UAA
2024/06/01.13:58:32.329653   0.000000  e           arp       192.168.1.36          who       192.168.1.36               1        0           60            0   INT       UAA        LM
2024/06/01.13:58:32.373457   0.000000  e           arp      192.168.1.123          who      192.168.1.123               1        0           60            0   INT       UAA        LM
2024/06/01.13:58:33.239647   0.000000  e           udp      192.168.1.131.43551     ->    239.255.255.250.1900          1        0          188            0   REQ       UAA       UAA

Here you see 3 different classes in action, in just 5-10 seconds.  An AAI address is being used to advertise services using mDNS (Bonjour, udp port 5353).  With unique AAI ethernet addresses being used on mDNS advertisements, it’s sometimes hard to know who is pushing name, port and address combinations to hosts on your network.  Tracking this is important at many levels, if you’re worried about LAN masquerade.

OK, there are other new fields in v5.0.0, and I’ll try to update before the release, to minimize the surprise, so to speak.

Suggestions, opinions, reactions, comments, are all welcome, of course.

Hope all is most excellent,

Carter
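As an added example (not part of Carter's post or the argus-clients sources), here is a stand-alone classifier that applies the IEEE 802c rules the post refers to: the I/G and U/L bits of the first octet, then the SLAP quadrant for locally administered unicast addresses. The labels UAA, AAI and LM match the ra columns shown above; ELI, SAI and RSV (the reserved quadrant) are names chosen here, and the sample addresses are constructed, not taken from the capture.

```python
"""Classify Ethernet (MAC) addresses: universal vs locally administered,
unicast vs multicast, and the IEEE 802c SLAP quadrant (ELI / SAI / AAI)
for locally administered unicast addresses.

Added example, not Argus code; it does not claim to mirror argus-clients'
own implementation. UAA/AAI/LM follow the ra output in the post; ELI, SAI
and RSV are labels chosen here. Sample addresses below are constructed."""
import re
from collections import Counter

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([:-][0-9a-fA-F]{2}){5}$")


def first_octet(mac: str) -> int:
    """Return the first octet of a colon- or dash-separated MAC string."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac[:2], 16)


def mac_class(mac: str) -> str:
    """Return UAA, LM, ELI, SAI, AAI or RSV for one MAC address."""
    o = first_octet(mac)
    multicast = bool(o & 0x01)   # I/G bit: 1 = group (multicast/broadcast)
    local = bool(o & 0x02)       # U/L bit: 1 = locally administered
    if not local:
        return "UAA"             # OUI-based, e.g. 01:00:5e:.. IPv4 multicast too
    if multicast:
        return "LM"              # local group address, e.g. 33:33:.. or ff:ff:..
    # SLAP quadrant for local unicast: Z is bit 3, Y is bit 2 of the first octet.
    # Second hex digit A/B -> ELI, E/F -> SAI, 2/3 -> AAI, 6/7 -> reserved.
    z, y = (o >> 3) & 1, (o >> 2) & 1
    return {(1, 0): "ELI", (1, 1): "SAI", (0, 0): "AAI", (0, 1): "RSV"}[(z, y)]


def class_summary(pairs):
    """Tally (SrcMacClass, DstMacClass) combinations over (src, dst) MAC pairs,
    the roll-up you would do over `ra -s +smacclass dmacclass` output."""
    return Counter((mac_class(s), mac_class(d)) for s, d in pairs)


# Constructed sample: a random (AAI-style) source talking to IPv4 mDNS,
# IPv6 mDNS and SSDP groups, plus a UAA host sending a broadcast ARP.
SAMPLE_PAIRS = [
    ("f2:3c:91:aa:10:01", "01:00:5e:00:00:fb"),  # AAI -> UAA (224.0.0.251)
    ("f2:3c:91:aa:10:01", "33:33:00:00:00:fb"),  # AAI -> LM  (ff02::fb)
    ("00:11:22:33:44:55", "01:00:5e:7f:ff:fa"),  # UAA -> UAA (239.255.255.250)
    ("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),  # UAA -> LM  (broadcast)
]

if __name__ == "__main__":
    for (src, dst), n in sorted(class_summary(SAMPLE_PAIRS).items()):
        print(f"{src:>4} -> {dst:<4} {n}")
```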

