3 Sep 2010 08:44
3 Sep 2010 21:11
Re: [argus]how can i get all the tcp syn request
Paul Schmehl <pschmehl_lists <at> tx.rr.com>
2010-09-03 19:11:56 GMT
--On Friday, September 03, 2010 14:44:37 +0800 shallwe19 <shallwe19 <at> gmail.com> wrote:
>
> Sorry to interrupt you, but will anybody tell me how I can get all the TCP
> SYN requests?
> It seems when I run "ra -ZS xxx" I got some UDP requests.
>
> Can anyone help me?

ra -Zs xxx"

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
3 Sep 2010 22:29
Re: [argus]how can i get all the tcp syn request
Carter Bullard <carter <at> qosient.com>
2010-09-03 20:29:01 GMT
Hey Guys,

To get just tcp flows that had the syn:

   ra -ZS xxx - syn

To get tcp flows that had the syn or the synack argus states:

   ra -ZS xxx - syn or synack

To get flows that had tcp flags ack and push:

   ra - ack and push

The "Z" flag by itself just modifies how the "state" field is printed.

Carter

On Sep 3, 2010, at 3:11 PM, Paul Schmehl wrote:

> --On Friday, September 03, 2010 14:44:37 +0800 shallwe19 <shallwe19 <at> gmail.com> wrote:
>
>>
>> Sorry to interrupt you, but will anybody tell me how I can get all the TCP
>> SYN requests?
>> It seems when I run "ra -ZS xxx" I got some UDP requests.
>>
>> Can anyone help me?
>
> ra -Zs xxx"
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
>
>
6 Sep 2010 14:32
rasplit reports file exists when using argus-udp
Terry Burton <tez <at> terryburton.co.uk>
2010-09-06 12:32:32 GMT
Hi Carter,

I've noticed that rasplit exits with a "file exists" error when it is the endpoint of an argus-udp connection:

$ rasplit -X -S argus-udp://127.0.0.1:10598 -M time 5m -w /srv/argus/flows/%Y-%m-%d/\$srcid-%H:%M:%S.arg
rasplit[31677]: 12:50:05.076745 ArgusWriteNewLogfile(/srv/argus/flows/2010-09-06/0.0.0.0-12:45:00.arg, 0xfffac820) fwrite error File exists

This doesn't cause me any significant problems since I am able to insert a radium -S argus-udp://<...> -P <...> and attach rasplit to this using argus-tcp.

(In this case the application is a set of multicast logging servers.)

Thanks,

Terry
6 Sep 2010 22:15
Argus TopN
Keir Novik <novik <at> sfu.ca>
2010-09-06 20:15:16 GMT
What's the best way to do a TopN report (bytes per IP address) in Argus 3? In Argus 2 I would do
$ ramon -M TopN -n -s bytes -r file |head
StartTime Addr InPkt OutPkt InBytes OutBytes
2005-04-11 08:17:13 197.0.1.1 816971 395562 1132802297 22705854
2005-04-11 10:17:15 1.0.12.15 28536 61199 1543399 85490108
2005-04-11 09:30:06 1.0.12.5 25119 52212 1358400 73443503
2005-04-11 09:56:37 1.0.12.11 21878 45413 1182885 63713137
2005-04-11 10:39:30 1.0.12.19 22040 44806 1191633 63260385
2005-04-11 09:24:27 1.0.12.4 15251 30746 824536 43076452
2005-04-11 08:55:28 1.0.12.1 16233 30346 877564 42943674
2005-04-11 10:06:41 1.0.12.13 14598 30647 789762 42933338
2005-04-11 09:38:26 1.0.12.8 14286 30553 772436 42723656
In Argus 3, the thoughts I've had are

(a) use "racount - host a.b.c.d" for each IP address in turn, which is fine for a few IP addresses but doesn't scale, or

(b) use "racluster -m daddr - dst net a.b.c.d/e", "racluster -m saddr - src net a.b.c.d/e", and write a script of my own to add up the results,

but is there a better way?
Regards,
Keir
7 Sep 2010 02:12
Re: Argus TopN
<carter <at> qosient.com>
2010-09-07 00:12:27 GMT
Hey Keir,
The rmon functions are now in all the clients, and TopN is done using racluster() and rasort().
$ racluster -m saddr -M rmon -r file - ip | rasort -m bytes -s stime saddr spkts dpkts sbytes dbytes | head
If you have any problems, send email,
Carter
Sent from my Verizon Wireless BlackBerry
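The pipeline Carter gives (racluster with -M rmon, then rasort by bytes) is what replaces the Argus 2 ramon TopN report. The script below is an added example, not code from the thread or from the argus clients; it re-implements that aggregation over a few constructed flow records so the per-address numbers can be checked by hand. It assumes ra-style CSV input with the fields stime,saddr,daddr,spkts,dpkts,sbytes,dbytes, and it assumes the RMON semantics that each bidirectional flow is credited to both of its addresses, each from that address's own point of view (the thread itself does not spell this out).

```python
"""
Added example, not code from the argus-info thread or from the argus clients.

It reproduces, over constructed flow records, the aggregation behind the
Argus 3 pipeline given in the thread:

    racluster -m saddr -M rmon -r file - ip | rasort -m bytes -s stime saddr spkts dpkts sbytes dbytes | head

Assumed reading of "-M rmon" (an assumption, not stated in the thread):
every bidirectional flow record is credited to BOTH of its addresses, each
from that address's own side. A record A -> B with sbytes/dbytes counts for
A as out=sbytes, in=dbytes and for B as out=dbytes, in=sbytes. Sorting the
per-address totals by bytes then gives the Argus 2 "ramon -M TopN" table.

Assumed input format: ra-style CSV with the fields
stime,saddr,daddr,spkts,dpkts,sbytes,dbytes (e.g. from ra -c , -s ...).
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """\
2010-09-06 12:00:01,10.0.0.5,10.0.0.80,100,120,8000,150000
2010-09-06 12:00:02,10.0.0.6,10.0.0.80,10,12,800,5000
2010-09-06 12:00:03,10.0.0.80,10.0.0.7,50,40,60000,3000
2010-09-06 12:00:04,10.0.0.5,10.0.0.9,5,5,500,500
"""


@dataclass
class AddrStats:
    """Per-address RMON-style counters, seen from that address's side."""
    addr: str
    stime: str          # earliest start time of any flow involving addr
    in_pkts: int = 0
    out_pkts: int = 0
    in_bytes: int = 0
    out_bytes: int = 0

    @property
    def bytes(self) -> int:
        return self.in_bytes + self.out_bytes


def rmon_aggregate(csv_text: str) -> Dict[str, AddrStats]:
    """Split each flow into two single-address views and sum them per
    address (the racluster -m saddr -M rmon step)."""
    table: Dict[str, AddrStats] = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        stime, saddr, daddr, spkts, dpkts, sbytes, dbytes = line.split(",")
        spkts, dpkts, sbytes, dbytes = map(int, (spkts, dpkts, sbytes, dbytes))
        # Source side: its "out" is the src->dst direction.
        # Destination side: the same flow mirrored.
        for addr, out_p, in_p, out_b, in_b in (
            (saddr, spkts, dpkts, sbytes, dbytes),
            (daddr, dpkts, spkts, dbytes, sbytes),
        ):
            st = table.get(addr)
            if st is None:
                st = table[addr] = AddrStats(addr, stime)
            elif stime < st.stime:          # same fixed-width format, so string order works
                st.stime = stime
            st.out_pkts += out_p
            st.in_pkts += in_p
            st.out_bytes += out_b
            st.in_bytes += in_b
    return table


def topn(csv_text: str, n: int = 10) -> List[AddrStats]:
    """The rasort -m bytes | head step: largest total bytes first."""
    table = rmon_aggregate(csv_text)
    return sorted(table.values(), key=lambda s: s.bytes, reverse=True)[:n]


def render(rows: List[AddrStats]) -> str:
    """Format like the Argus 2 ramon TopN report shown in the thread."""
    out = ["StartTime Addr InPkt OutPkt InBytes OutBytes"]
    for s in rows:
        out.append(f"{s.stime} {s.addr} {s.in_pkts} {s.out_pkts} {s.in_bytes} {s.out_bytes}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(topn(SAMPLE_FLOWS, 5)))
```

Under these assumptions 10.0.0.80 tops the table with 215000 bytes out and 11800 in, because it is credited with its side of all three flows it appears in, whether it was the source or the destination of the record. The racluster run does the same work in a single pass over the file, which is why it scales where per-host racount loops do not.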
7 Sep 2010 12:10
Re: [argus]how can i get all the tcp syn request
shallwe19 <shallwe19 <at> gmail.com>
2010-09-07 10:10:22 GMT
Thanks for your help, but it seems the problem has not been solved.

All the data of argus is stored in a mysql database, and I want to get all the SYN packets from the mysql database.

I did a test: I did a SYN scan at a host (192.168.11.25) with NMAP using the -sS option from another host (192.168.19.14). At the same time, using tcpdump on the target host, I see all the packets are SYN packets, but in the mysql db I see all the packets are marked with RST. Is there any mistake of argus when it puts the data into mysql?

Here is the output of tcpdump below.
01:14:32.215260 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215261 IP 192.168.19.14.54903 > 192.168.11.25.427: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215307 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215414 IP 192.168.19.14.54903 > 192.168.11.25.9009: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215460 IP 192.168.19.14.54903 > 192.168.11.25.19101: S 878641122:878641122(0) win 4096 <mss 1460>
01:14:32.215544 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215607 IP 192.168.19.14.54903 > 192.168.11.25.3869: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215683 IP 192.168.19.14.54903 > 192.168.11.25.10012: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215746 IP 192.168.19.14.54903 > 192.168.11.25.4445: S 878641122:878641122(0) win 2048 <mss 1460>
01:14:32.215747 IP 192.168.19.14.54903 > 192.168.11.25.992: S 878641122:878641122(0) win 3072 <mss 1460>
01:14:32.215801 IP 192.168.19.14.54903 > 192.168.11.25.543: S 878641122:878641122(0) win 2048 <mss 1460>
Here is the output image from the mysql database below; if you do not see the image, you can see it in the attachment.

Is there any way I can get all the SYN packets from the mysql db? Thank you all very much!
2010-09-07
shallwe19
7 Sep 2010 13:58
Re: [argus]how can i get all the tcp syn request
<carter <at> qosient.com>
2010-09-07 11:58:05 GMT
You should print the records to stdout and visually inspect what will go into the DB, so that you can understand how to query the data. The "-Z" option will change the format of the "state" field to expose some of the state, and you can also print the stcpflags, and dtcpflags, if that is important.
You can find all the records you are looking for with rasql(), but the performance will not be optimal, as rasql() will be doing the filtering.
Carter
Sent from my Verizon Wireless BlackBerry
8 Sep 2010 04:16
Re: [argus]how can i get all the tcp syn request
shallwe19 <shallwe19 <at> gmail.com>
2010-09-08 02:16:20 GMT
OK, does it mean that the data in mysql is not correct, and the output of rasql is the real packet?

Thank you very much, I will have a try.

By the way, compared to BlackBerry, I prefer iPhone.
2010-09-08
shallwe19
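The confusion in this thread is between packets and flows: tcpdump on the target shows a stream of SYN packets, while argus stores one flow record per probed port whose "state" summarises how the flow ended (a closed port answers SYN with RST/ACK, and nmap itself resets an open one), so every record lands in mysql as RST. The per-direction TCP flag fields Carter points to still record that the source sent a SYN. The script below is an added example, not code from the thread or from the argus clients; it parses constructed ra-style records, selects flows by source flags the way the "syn" filter does, classifies what the responder did, and turns the same fields into a simple SYN-probe detector. The CSV layout and the flag letters are assumptions: the fields stcpflags and dtcpflags are named in Carter's reply, but the column order and the single-letter flag notation are constructed for this example.

```python
"""
Added example, not code from the argus-info thread or from the argus clients.

Shows why an nmap -sS scan that tcpdump sees as SYN packets turns up in the
argus database as flows in state RST, and how the per-direction TCP flag
fields still expose the SYNs.

Assumptions (constructed for this example): records are ra-style CSV lines
with the fields
    stime,proto,saddr,sport,daddr,dport,state,stcpflags,dtcpflags
(stcpflags/dtcpflags are the field names mentioned in the thread; the CSV
layout is assumed to come from something like `ra -c , -s <those fields>`),
and the flag columns use tcpdump-style letters: S=SYN A=ACK R=RST P=PSH F=FIN.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    stime: str
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    state: str
    stcpflags: str
    dtcpflags: str


# Constructed sample: the thread's SYN scan after argus has turned packets
# into flows, plus one normal SSH session and one UDP record for contrast.
# Closed ports: source sent S, target sent RA, flow state RST.
# Open port 22: source sent S then R (nmap tears it down), target sent SA.
SAMPLE = """\
01:14:32.215260,tcp,192.168.19.14,54903,192.168.11.25,19101,RST,S,RA
01:14:32.215261,tcp,192.168.19.14,54903,192.168.11.25,427,RST,S,RA
01:14:32.215307,tcp,192.168.19.14,54903,192.168.11.25,10012,RST,S,RA
01:14:32.215414,tcp,192.168.19.14,54903,192.168.11.25,9009,RST,S,RA
01:14:32.215544,tcp,192.168.19.14,54903,192.168.11.25,22,RST,SR,SA
01:14:30.000000,tcp,192.168.19.20,40001,192.168.11.25,22,FIN,SPAF,SPAF
01:14:31.000000,udp,192.168.19.20,5353,192.168.11.255,5353,INT,,
"""


def parse(csv_text: str) -> List[Flow]:
    """Parse the assumed CSV layout into Flow records."""
    flows = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        f = line.split(",")
        if len(f) != len(Flow._fields):
            raise ValueError(f"unexpected field count: {line!r}")
        flows.append(Flow(f[0], f[1], f[2], int(f[3]), f[4], int(f[5]), f[6], f[7], f[8]))
    return flows


def syn_flows(flows: List[Flow]) -> List[Flow]:
    """TCP flows in which the source sent at least one SYN: the flow-level
    counterpart of the `ra ... - syn` filter. A test on state == "SYN"
    would find none of the scan records, because their state is RST."""
    return [f for f in flows if f.proto == "tcp" and "S" in f.stcpflags]


def classify(f: Flow) -> str:
    """What the responder did with the source's SYN."""
    if f.proto != "tcp" or "S" not in f.stcpflags:
        return "no-syn"
    if "S" in f.dtcpflags and "A" in f.dtcpflags:
        return "answered"      # port open: SYN/ACK came back
    if "R" in f.dtcpflags:
        return "refused"       # port closed: RST came back
    return "unanswered"        # filtered, dropped, or host absent


def syn_probe_counts(flows: List[Flow]) -> Dict[str, int]:
    """Per source address: distinct (dst, port) pairs it sent a SYN to without
    ever pushing data. Many such pairs from one source is the flow-level
    signature of a SYN scan; a real session (PSH present) is not counted."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in syn_flows(flows):
        if "P" not in f.stcpflags:
            targets[f.saddr].add((f.daddr, f.dport))
    return {src: len(t) for src, t in targets.items()}


def suspected_scanners(flows: List[Flow], threshold: int = 3) -> List[str]:
    """Sources whose data-less SYN probe count reaches the threshold."""
    return sorted(s for s, n in syn_probe_counts(flows).items() if n >= threshold)


if __name__ == "__main__":
    fl = parse(SAMPLE)
    for f in syn_flows(fl):
        print(f.saddr, "->", f.daddr, f.dport, "state", f.state, classify(f))
    print("suspected scanners:", suspected_scanners(fl))
```

Run against the sample, all five scan records have state RST and are still selected by syn_flows, which is the point of Carter's advice to print the records (with -Z and the flag fields) before deciding how to query the database. The same two flag columns, once they are in the table, are what a SQL WHERE clause should test rather than the summary state.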
8 Sep 2010 05:19
Re: rasplit reports file exists when using argus-udp
Carter Bullard <carter <at> qosient.com>
2010-09-08 03:19:10 GMT
Hey Terry,

Thanks, found the bug, and will be in the next set of clients.

Carter

On Sep 6, 2010, at 8:32 AM, Terry Burton wrote:

> Hi Carter,
>
> I've noticed that rasplit exits with a "file exists" error when it is
> the endpoint of a argus-udp connection:
>
> $ rasplit -X -S argus-udp://127.0.0.1:10598 -M time 5m -w
> /srv/argus/flows/%Y-%m-%d/\$srcid-%H:%M:%S.arg
> rasplit[31677]: 12:50:05.076745
> ArgusWriteNewLogfile(/srv/argus/flows/2010-09-06/0.0.0.0-12:45:00.arg,
> 0xfffac820) fwrite error File exists
>
> This doesn't cause me any significant problems since I am able to
> insert a radium -S argus-udp://<...> -P <...> and attach rasplit to
> this using argus-tcp.
>
> (In this case the application is a set of multicast logging servers.)
>
>
> Thanks,
>
> Terry
>