Saturday, June 19, 2010


I have been reading Real Digital Forensics and came across the recommended use of Argus ("Audit Record Generation and Utilization System"). Argus provides fast, wide and deep network analysis of pcap files. It took me some time to compile it and start to make sense of it, although there is a relevant and clever wiki page and a good collection of recent articles explaining research, university and real-world use. My discussion below concerns the auditing functionality of Argus.

Argus dumps your pcap file into a compressed, Argus-formatted file which carries every piece of session information an inquisitive NSM forensic analyst could possibly want from a network trace, including time slices, TCP options, anonymization, geolocation and graphing. Here are some basic examples I walked myself through. The first step is to write the pcap file to an argus file using 'argus' ('-r' takes the pcap input, '-w' the argus output file):

/usr/local/sbin/argus -d -r -w

Next I use 'ra' (read argus) to read the flow records. You can specify fields and bpf-style filters. Here I append a filter ('ip proto 6') to select only TCP (compare 'grep TCP /etc/protocols'):
ra -n -r - ip proto 6 | less
19:08:09.660222 e s tcp -> 3 186 REQ
19:12:01.707471 e tcp -> 1 60 REQ
19:32:55.259094 e tcp -> 1 60 REQ
19:33:44.995964 e tcp -> 1 60 REQ
19:34:36.506022 e tcp -> 1 60 REQ
19:53:52.914418 e tcp -> 1 60 REQ

Here I specify the source address, destination port and connection state fields with the '-s' option, sort the result by source address and destination port, and then use 'uniq -c' to rank those field combinations.

ra -n -s saddr dport state -r - ip proto 6 | sort -k1,2 -nr | uniq -c | sort -nr | less
149 8000 REQ
100 80 ACC
81 2479 REQ
80 8085 REQ
80 3246 REQ
76 3246 REQ

Here I use 'rasort' to do something similar, but append grep to keep only the source addresses with a connected (CON) state.

 rasort -n -s saddr dport state -r - ip proto 6 | sort -k1 -nr | uniq -c | sort -nr | grep CON | less
14 19412 CON
14 20073 CON
13 19216 CON
13 19024 CON
13 19145 CON
13 18961 CON

I am not quite clear on when to use 'rasort' versus 'ra' with sort and uniq appended. There is also 'ratop'. It may take some time to sort out the best scripts for top talkers. Like 'ra', I can tell 'rasort' to include specific fields (the -s switch) and then specify the field(s) to sort by (the -m switch). I am still using 'uniq -c | sort -r'.

rasort -s saddr dport proto bytes stat -m dport saddr  -r | grep -v -f file | uniq -c | sort -r | less

149 8000 tcp 60 REQ
81 2479 tcp 60 REQ
80 8085 tcp 60 REQ
80 3246 tcp 60 REQ
76 3246 tcp 60 REQ
76 9415 tcp 60 REQ

So here I apply a bpf filter for 'dst port 22' and the '-z' switch to see TCP state changes:
rasort -nn -s saddr dport proto bytes state -m dport saddr -z -r - dst port 22 | uniq -c | sort -nr

3 22 6 62 s
3 22 6 62 s
3 22 6 62 s
3 22 6 62 s
2 22 6 62 s
2 22 6 62 s
Argus, baby!! Fast, wide and deep!!
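As an added example (not from the original post and not part of Argus itself), here is the post-processing those pipelines do, done in Python over constructed 'ra -n -s saddr dport state' output: rank_talkers reproduces 'sort | uniq -c | sort -nr' with an optional state filter like the 'grep CON' above, and req_fanout goes one step further and counts, per source, the destination ports that only ever saw a REQ (a request with no reply). The sample lines and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample of `ra -n -s saddr dport state ... - ip proto 6`
# output: source address, destination port, TCP state (REQ = request
# seen with no reply, CON = connection established). Not a real capture.
SAMPLE_RA_OUTPUT = """\
192.0.2.10 8000 REQ
192.0.2.10 8085 REQ
192.0.2.10 2479 REQ
192.0.2.10 8000 REQ
192.0.2.20 80 CON
192.0.2.20 80 CON
192.0.2.30 22 REQ
192.0.2.30 22 CON
"""

def parse_ra(text):
    """Split ra's whitespace-separated columns into (saddr, dport, state)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank line or not a three-field record
        saddr, dport, state = parts
        records.append((saddr, int(dport), state))
    return records

def rank_talkers(records, state=None):
    """Same result as `sort | uniq -c | sort -nr`, plus `grep <state>`
    when a state is given: identical rows counted, most frequent first."""
    counts = defaultdict(int)
    for rec in records:
        if state is None or rec[2] == state:
            counts[rec] += 1
    return sorted(((n, rec) for rec, n in counts.items()),
                  key=lambda item: (-item[0], item[1]))

def req_fanout(records):
    """Per source: REQ record count and number of distinct destination
    ports that only ever saw a REQ (no CON or other state from that source)."""
    req_count, req_ports, answered = defaultdict(int), defaultdict(set), defaultdict(set)
    for saddr, dport, state in records:
        if state == "REQ":
            req_count[saddr] += 1
            req_ports[saddr].add(dport)
        else:
            answered[saddr].add(dport)
    return sorted(((req_count[s], len(req_ports[s] - answered[s]), s)
                   for s in req_count), reverse=True)
```

Feed it the real thing with parse_ra(sys.stdin.read()) at the end of an 'ra -n -s saddr dport state' pipeline; a source at the top of req_fanout with a large unanswered-port count is the one to pull the full flow records for.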

Monday, June 14, 2010

the 'find' command for security...Part I

These are some meditations on using the *NIX 'find' command for security...

Wednesday, June 2, 2010

time stamping windows directory and file names

This is something I have blogged about before, but I thought it worth posting again.  Special characters need to be eliminated to create a time stamp that can be used as a Windows file name. The `date` program in Unix has a number of very useful options for this.  Windows cmd shell is more limited. This is what I use:

:: rtime.cmd
:: Builds a timestamp safe for Windows file and directory names from %date% and %time%.
@echo off

:: replace the "/" in %date% (e.g. Sat 06/19/2010 in a US locale) with "."
set realdate=%date:/=.%
:: drop everything up to and including the first space (the day name)
set realdate=%realdate:* =%
:: replace the ":" in %time% (e.g. 19:08:09.66) with "."
set realtime=%time::=.%
:: drop the leading space %time% carries for single-digit hours
set realtime=%realtime:* =%
set timestamp=%realdate%.%realtime%
echo %timestamp%

This command script uses the 'variable substitution' syntax of the set command (%var:old=new%) to remove the special characters (e.g. ':' and '/') that are not allowed in Windows file or directory names. This line:
set timestamp=%realdate%.%realtime%

can be changed as needed to produce more CSV-compatible logging:
set timestamp="%realdate%","%realtime%"

Once cached, it runs pretty fast and is suitable for lightweight logging:

$ time /cygdrive/C/Security/rtime.cmd

real    0m0.202s
user    0m0.015s
sys     0m0.031s

$ time /cygdrive/C/Security/rtime.cmd

real    0m0.062s
user    0m0.000s
sys     0m0.015s

$ time /cygdrive/C/Security/rtime.cmd

real    0m0.062s
user    0m0.000s
sys     0m0.015s