I have been reading Real Digital Forensics and came across the recommended use of Argus ("Audit Record Generation and Utilization System"). Argus is fast, wide and deep network analysis of pcap files. It took me some time to compile and start to make sense of it, although there is a relevant and clever wiki page and a good collection of recent articles explaining research, university and real world use. My discussion below concerns Argus auditing functionality.
Argus dumps your pcap file into a compressed argus formatted file which carries every piece of session information an inquisitive NSM forensic could possibly want from a network trace including time-slices, TCP options, anonymization, geolocation, and graphing . Here are some basic examples I walked myself through. The first step is to write the pcap file to an argus file using 'argus'.
/usr/local/sbin/argus -d -r 08Mar1142PST2010.in.1268074842 -w 08Mar1142PST2010.in.1268074842.argus
Next I use 'ra' (read argus) to read the packet data. You can specify fields and bpf style filters. Here I specify (append) a filter ('ip proto 6') for only TCP packets (e.g grep TCP /etc/protocols):
ra -n -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | less
19:08:09.660222 e s tcp 207.44.254.106.56813 -> 192.168.0.12.3246 3 186 REQ
19:12:01.707471 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ
19:32:55.259094 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ
19:33:44.995964 e tcp 221.192.199.35.12200 -> 192.168.0.12.8000 1 60 REQ
19:34:36.506022 e tcp 221.192.199.35.12200 -> 192.168.0.12.80 1 60 REQ
19:53:52.914418 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ
Here I specify source address, destination port and connection state fields with the '-s' option and sort the result by source address and destination port before using 'uniq -c' to rank those fields.
ra -n -s saddr dport state -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | sort -k1,2 -nr | uniq -c | sort -nr | less
149 221.195.73.86 8000 REQ
100 192.168.0.12 80 ACC
81 222.45.112.59 2479 REQ
80 222.45.112.59 8085 REQ
80 222.45.112.59 3246 REQ
76 204.236.155.168 3246 REQ
I am using 'rasort' to something similar here but appending grep to filter only those source addresses with a connected state.
rasort -n -s saddr dport state -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | sort -k1 -nr | uniq -c | sort -nr | grep CON | less
14 74.125.19.19 19412 CON
14 74.125.19.17 20073 CON
13 85.13.200.108 19216 CON
13 85.13.200.108 19024 CON
13 74.125.19.83 19145 CON
13 74.125.19.83 18961 CON
I am not quite clear when to use 'rasort' versus 'ra' with sort and uniq appended. There is also 'ratop' . May take some time to sort out the best scripts for top talkers. Like 'ra', I can tell 'rasort' to include specific field (-s switch) and then specify the field(s) to sort by (-m switch). I am still using 'uniq -c | sort -r' .
rasort -s saddr dport proto bytes stat -m dport saddr -r 08Mar1142PST2010.in.1268074842.argus | grep -v -f file | uniq -c | sort -r | less
149 221.195.73.86 8000 tcp 60 REQ
81 222.45.112.59 2479 tcp 60 REQ
80 222.45.112.59 8085 tcp 60 REQ
80 222.45.112.59 3246 tcp 60 REQ
76 204.236.155.168 3246 tcp 60 REQ
76 222.45.112.59 9415 tcp 60 REQ
So here I apply a bpf filter for dst port 22 and the '-z' to see TCPstate changes :
rasort -nn -s saddr dport proto bytes state -m dport saddr -z -r 08Mar1142PST2010.in.1268074842.argus - dst port 22 | uniq -c | sort -nr
3 125.141.195.190 22 6 62 s
3 114.202.247.235 22 6 62 s
3 58.217.255.103 22 6 62 s
3 97.163.189.33 22 6 62 s
2 94.158.184.183 22 6 62 s
2 61.151.246.140 22 6 62 s
Argus, baby!! Fast, wide and deep!!
Historic blog. No longer active. See Also http://horizontal-logic.blogspot.com for more Powershell code. AS of 2/27/2014 all Scripts are PS 4.0.
Saturday, June 19, 2010
Monday, June 14, 2010
the 'find' command for security...Part I
These are some meditations on using the *NIX 'find' command for security...
Labels:
*NIX find
Wednesday, June 2, 2010
time stamping windows directory and file names
This is something I have blogged about before, but I thought it worth posting again. Special characters need to be eliminated to create a time stamp that can be used as a Windows file name. The `date` program in Unix has a number of very useful options for this. Windows cmd shell is more limited. This is what I use:
:: rtime.cmd
@echo off
set realdate=%date:/=.%
set realdate=%realdate:* =%
set realtime=%time::=.%
set realtime=%realtime:* =%
set timestamp=%realdate%.%realtime%
echo %timestamp%
This command script uses 'variable substitution' from the set command to remove special characters (e.g. : / ) unacceptable as Windows file or directory names . This line:
set timestamp=%realdate%.%realtime%
can be changed as needed for more CSV compatible logging:
set timestamp="%realdate%","%realtime%"
Once cached, it runs pretty fast and is suitable for lightweight logging:
$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.05.99
real 0m0.202s
user 0m0.015s
sys 0m0.031s
$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.12.65
real 0m0.062s
user 0m0.000s
sys 0m0.015s
$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.14.68
real 0m0.062s
user 0m0.000s
sys 0m0.015s
:: rtime.cmd
@echo off
set realdate=%date:/=.%
set realdate=%realdate:* =%
set realtime=%time::=.%
set realtime=%realtime:* =%
set timestamp=%realdate%.%realtime%
echo %timestamp%
This command script uses 'variable substitution' from the set command to remove special characters (e.g. : / ) unacceptable as Windows file or directory names . This line:
set timestamp=%realdate%.%realtime%
can be changed as needed for more CSV compatible logging:
set timestamp="%realdate%","%realtime%"
Once cached, it runs pretty fast and is suitable for lightweight logging:
$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.05.99
real 0m0.202s
user 0m0.015s
sys 0m0.031s
$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.12.65
real 0m0.062s
user 0m0.000s
sys 0m0.015s
$ time /cygdrive/C/Security/rtime.cmd
06.02.2010.11.04.14.68
real 0m0.062s
user 0m0.000s
sys 0m0.015s
Labels:
logging,
rtime.cmd,
windows times-stamping
Subscribe to:
Posts (Atom)