Hack 64 Audit Network Traffic



Use Argus to monitor your network and to keep an audit trail of your traffic.

Wouldn't it be nice if you could keep a complete record of everything that happened on your network? It would certainly help to track down problems and would be invaluable in the event of a security incident, but it would take up far too much space to keep all of that data around. The next best thing is to keep a log of every packet's headers and connection details without storing the payload data. You can do this with Argus (http://www.qosient.com/argus/).

Argus, or the Audit Record Generation and Utilization System, is a tool that can log network transactions in a variety of ways and can even collect performance metrics on every connection that it is able to see. Argus also contains several utilities that can make queries against the logs, so you can easily extract the information you need. These tools allow you to generate ASCII-, RMON-, or XML-formatted information from an Argus log file. Argus also provides a Perl interface for accessing its log files, so you can easily write custom scripts to make use of the data it collects.

To set up Argus, you'll first need to download the source distribution and unpack it. Then change into the directory that it creates:

$ tar xfz argus-2.0.5.tar.gz
$ cd argus-2.0.5

To compile Argus, run this command:

$ ./configure && make

After compilation has finished, you can install Argus by becoming root and running this command:

# make install

To get a quick demo of Argus, run it and then let it collect some data for a little while:

# argus -d -e `hostname` -w /tmp/arguslog

This command starts argus in daemon mode (-d), tags each record with this host's name as its source identifier (-e), and writes its log to /tmp/arguslog (-w).

After letting it collect some data, try querying it with the ra command. This will show you an ASCII representation of the packets that argus has logged:

$ ra -r /tmp/arguslog
12 Jan 04 05:42:48 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:43:09 udp 192.168.0.250.snmptrap -> 255.255.255.255.snmptrap INT
12 Jan 04 05:43:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:19 udp kryten.nnc.56581 -> 255.255.255.255.2222 TIM
12 Jan 04 05:43:34 udp sunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:44:08 arp plunder.nnc who-has sirius.nnc INT
12 Jan 04 05:44:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:44:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
12 Jan 04 05:45:06 udp sunder.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm TIM
12 Jan 04 05:40:26 man pkts 734 bytes 75574 drops 0 CON
12 Jan 04 05:44:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:45:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:45:09 tcp kryten.nnc.54176 ?> colossus.nnc.ssh EST
12 Jan 04 05:45:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT

This is just a few minutes of logs from one host, but it is stored in a very compact manner. In fact, during testing, a whole day's worth of logs consumed only 1.4 MB!

The ra command can also take tcpdump-style filters so that you can query the logs for packets that match a specific host, protocol, port, or any number of other characteristics.

For instance, if you wanted to query the logs for all packets sent either to or from the host named kryten, you could use a command similar to this one:

$ ra -r /tmp/arguslog - "host kryten"
12 Jan 04 09:26:34  udp  kryten.nnc.55689  ->  255.255.255.255.2222  TIM
12 Jan 04 09:26:36  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST
12 Jan 04 09:27:37  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST
12 Jan 04 09:28:34  udp  kryten.nnc.55691  ->  255.255.255.255.2222  TIM
12 Jan 04 09:28:05  icmp  kryten.nnc  <->  linux-vmm.nnc  ECO
12 Jan 04 09:28:06  icmp  kryten.nnc  <->  linux-vmm.nnc  ECO
12 Jan 04 09:29:06  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST
12 Jan 04 09:30:34  udp  kryten.nnc.55692  ->  255.255.255.255.2222  TIM
12 Jan 04 09:32:34  udp  kryten.nnc.55693  ->  255.255.255.255.2222  TIM
12 Jan 04 09:33:06  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST
12 Jan 04 09:34:34  udp  kryten.nnc.55694  ->  255.255.255.255.2222
12 Jan 04 09:53:44  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST

You can also generate a new Argus log file containing only the results of your query by using the -w option to ra and specifying a file to write the results to.
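The ra output above has a fixed column layout, which makes it easy to post-process for an audit: count flows per service, list which hosts are talking, and, just as important, check the "man" records, whose drops counter tells you whether argus missed packets and therefore whether the audit trail has gaps. The following script is an added example, not code from the book or from the Argus distribution; it assumes the column order shown above (date, time, protocol, source, direction token, destination, state) and that "man" records carry pkts/bytes/drops counters instead of endpoints. The sample lines are constructed in that format and reuse the book's hostnames.

```python
"""Parse the ASCII records that ra prints and summarise them for an audit.

Added example, not part of the book or the Argus distribution. Assumes the
column layout shown above: three-token date, time, protocol, source,
direction token, destination and a state column; "man" (management)
records carry pkts/bytes/drops counters instead of endpoints.
"""
from collections import Counter

# Constructed sample lines in the ra format above (hostnames reuse the
# book's examples; no real traffic was captured for this block).
SAMPLE_RA_OUTPUT = """\
12 Jan 04 05:42:48 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:08 arp plunder.nnc who-has sirius.nnc INT
12 Jan 04 05:40:26 man pkts 734 bytes 75574 drops 0 CON
12 Jan 04 05:45:09 tcp kryten.nnc.54176 ?> colossus.nnc.ssh EST
12 Jan 04 05:46:10 tcp kryten.nnc.54177 -> colossus.nnc.ssh EST
12 Jan 04 05:46:30 man pkts 1200 bytes 99000 drops 3 CON
12 Jan 04 05:47:01 icmp kryten.nnc <-> linux-vmm.nnc ECO
"""


def split_endpoint(proto, endpoint):
    """Return (host, port); only TCP/UDP endpoints carry a trailing '.port'."""
    if proto in ("tcp", "udp") and "." in endpoint:
        host, port = endpoint.rsplit(".", 1)
        return host, port
    return endpoint, None


def parse_ra_line(line):
    """Turn one ra line into a dict; return None for blank or short lines."""
    tokens = line.split()
    if len(tokens) < 6:
        return None
    record = {"date": " ".join(tokens[:3]), "time": tokens[3], "proto": tokens[4]}
    if record["proto"] == "man":
        # Management record: "pkts N bytes N drops N STATE". A non-zero drop
        # count means argus missed packets, i.e. the audit trail has a gap.
        counters = dict(zip(tokens[5::2], tokens[6::2]))
        record.update({key: int(value) for key, value in counters.items()})
        record["state"] = tokens[-1]
        return record
    src_host, src_port = split_endpoint(record["proto"], tokens[5])
    dst_host, dst_port = split_endpoint(record["proto"], tokens[7])
    record.update({
        "src": src_host, "sport": src_port,
        "direction": tokens[6],
        "dst": dst_host, "dport": dst_port,
        # The state column is occasionally empty in ra output.
        "state": tokens[8] if len(tokens) > 8 else "",
    })
    return record


def summarize(text):
    """Aggregate ra output: flow counts, talkers and the dropped-packet total."""
    flows, management = [], []
    for line in text.splitlines():
        record = parse_ra_line(line)
        if record is None:
            continue
        (management if record["proto"] == "man" else flows).append(record)
    return {
        "flows": len(flows),
        "by_proto": Counter(r["proto"] for r in flows),
        "by_service": Counter((r["proto"], r["dport"]) for r in flows if r["dport"]),
        "talkers": Counter(r["src"] for r in flows),
        "dropped_packets": sum(r["drops"] for r in management),
        "gap_records": sum(1 for r in management if r["drops"] > 0),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RA_OUTPUT).items():
        print(f"{key}: {value}")
```

In practice you would feed it `ra -r /tmp/arguslog` output through a pipe (`sys.stdin.read()`) rather than the embedded sample. The gap_records value is the one to watch: if argus reports drops, the absence of a flow in the log proves nothing.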

To get XML output from Argus, you can use the raxml utility to make queries, much in the same way as you can with ra. For instance, here's the first record returned by using the previous query for all packets that matched the hostname of kryten:

$ raxml -r /tmp/arguslog - "host kryten"
<ArgusFlowRecord ArgusSourceId = "192.168.0.41" SequenceNumber = "3"
  Cause = "Status" StartDate = "2004-01-12" StartTime = "09:25:26"
  StartTimeusecs = "319091" LastDate = "2004-01-12" LastTime = "09:25:32"
  LastTimeusecs = "521982" Duration = "6.202891" TransRefNum = "0">
    <MACAddrs SrcAddr = "0:a:95:c7:2b:10" DstAddr = "0:c:29:e2:2b:c1" />
    <Flow>
      <IP SrcIPAddr = "192.168.0.60" DstIPAddr = "192.168.0.41"
        Proto = "tcp" Sport = "56060" Dport = "22" IpId = "27b8" />
    </Flow>
    <FlowAttrs SrcTTL = "64" DstTTL = "64" SrcTOS = "10" DstTOS = "10" />
    <ExtFlow>
      <TCPExtFlow TCPState = "EST" TCPOptions = "TIME"
        SynAckuSecs = "0" AckDatauSecs = "0" >
        <TCPExtMetrics SrcTCPSeqBase = "4204580547"
          SrcTCPAckBytes = "527" SrcTCPBytes = "528"
          SrcTCPRetrans = "0" SrcTCPWin = "65535" SrcTCPFlags = "PA"
          DstTCPSeqBase = "3077608383" DstTCPAckBytes = "1135"
          DstTCPBytes = "992" DstTCPRetrans = "0" DstTCPWin = "9792"
          DstTCPFlags = "PA" />
      </TCPExtFlow>
    </ExtFlow>
    <Metrics SrcCount = "24" DstCount = "17" SrcBytes = "2112"
      DstBytes = "2258" SrcAppBytes = "528" DstAppBytes = "1136" />
</ArgusFlowRecord>

As you can see, Argus keeps track of much more information than it would seem if you were just going by the output generated by ra. This is where Argus really shines, because it can store such a large amount of information about your network traffic in a small amount of space. In addition, Argus makes it easy to convert this information into other formats, such as XML, which makes it easy to write applications that can understand the data.
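The XML record makes the per-flow metrics (packet and byte counts per direction, application bytes, TCP retransmissions, state) available to any program with an XML parser. The script below is an added example, not code from the book or from Argus; it uses only the element and attribute names visible in the record above, and assumes raxml prints one ArgusFlowRecord after another, so it wraps the text in a synthetic root element before parsing. The sample input is the record shown above, embedded verbatim.

```python
"""Flatten the ArgusFlowRecord XML that raxml prints into per-flow rows.

Added example, not code from the book or the Argus project. Element and
attribute names come from the record shown above; wrapping the records in
a synthetic <ArgusRecords> root is this script's own assumption.
"""
import xml.etree.ElementTree as ET

# The record from the page, embedded as sample input (values unchanged).
SAMPLE_RAXML_OUTPUT = """\
<ArgusFlowRecord ArgusSourceId = "192.168.0.41" SequenceNumber = "3"
  Cause = "Status" StartDate = "2004-01-12" StartTime = "09:25:26"
  StartTimeusecs = "319091" LastDate = "2004-01-12" LastTime = "09:25:32"
  LastTimeusecs = "521982" Duration = "6.202891" TransRefNum = "0">
    <MACAddrs SrcAddr = "0:a:95:c7:2b:10" DstAddr = "0:c:29:e2:2b:c1" />
    <Flow>
      <IP SrcIPAddr = "192.168.0.60" DstIPAddr = "192.168.0.41"
        Proto = "tcp" Sport = "56060" Dport = "22" IpId = "27b8" />
    </Flow>
    <FlowAttrs SrcTTL = "64" DstTTL = "64" SrcTOS = "10" DstTOS = "10" />
    <ExtFlow>
      <TCPExtFlow TCPState = "EST" TCPOptions = "TIME"
        SynAckuSecs = "0" AckDatauSecs = "0" >
        <TCPExtMetrics SrcTCPSeqBase = "4204580547"
          SrcTCPAckBytes = "527" SrcTCPBytes = "528"
          SrcTCPRetrans = "0" SrcTCPWin = "65535" SrcTCPFlags = "PA"
          DstTCPSeqBase = "3077608383" DstTCPAckBytes = "1135"
          DstTCPBytes = "992" DstTCPRetrans = "0" DstTCPWin = "9792"
          DstTCPFlags = "PA" />
      </TCPExtFlow>
    </ExtFlow>
    <Metrics SrcCount = "24" DstCount = "17" SrcBytes = "2112"
      DstBytes = "2258" SrcAppBytes = "528" DstAppBytes = "1136" />
</ArgusFlowRecord>
"""

CSV_FIELDS = ["start", "duration", "proto", "src", "sport", "dst", "dport",
              "packets", "total_bytes", "app_bytes", "retrans", "tcp_state"]


def summarize_flow(rec):
    """Reduce one <ArgusFlowRecord> element to a flat dict of audit fields."""
    ip = rec.find("Flow/IP")
    metrics = rec.find("Metrics")
    tcp_flow = rec.find("ExtFlow/TCPExtFlow")          # None for non-TCP flows
    tcp_metrics = rec.find("ExtFlow/TCPExtFlow/TCPExtMetrics")
    flow = {
        "source_id": rec.get("ArgusSourceId"),
        "start": f'{rec.get("StartDate")} {rec.get("StartTime")}',
        "duration": float(rec.get("Duration", "0")),
        "proto": ip.get("Proto"),
        "src": ip.get("SrcIPAddr"), "sport": int(ip.get("Sport", 0)),
        "dst": ip.get("DstIPAddr"), "dport": int(ip.get("Dport", 0)),
        # Both directions are summed; SrcCount/DstCount are packets.
        "packets": int(metrics.get("SrcCount")) + int(metrics.get("DstCount")),
        "total_bytes": int(metrics.get("SrcBytes")) + int(metrics.get("DstBytes")),
        "app_bytes": int(metrics.get("SrcAppBytes")) + int(metrics.get("DstAppBytes")),
        "retrans": 0,
        "tcp_state": "",
    }
    if tcp_flow is not None and tcp_metrics is not None:
        flow["tcp_state"] = tcp_flow.get("TCPState", "")
        flow["retrans"] = (int(tcp_metrics.get("SrcTCPRetrans", 0))
                           + int(tcp_metrics.get("DstTCPRetrans", 0)))
    return flow


def parse_raxml(text):
    """Parse raxml output (records printed back to back) into a list of dicts."""
    root = ET.fromstring("<ArgusRecords>" + text + "</ArgusRecords>")
    return [summarize_flow(rec) for rec in root.iter("ArgusFlowRecord")]


def to_csv_row(flow):
    """Render one summarised flow as a CSV line for loading elsewhere."""
    return ",".join(str(flow[field]) for field in CSV_FIELDS)


if __name__ == "__main__":
    print(",".join(CSV_FIELDS))
    for flow in parse_raxml(SAMPLE_RAXML_OUTPUT):
        print(to_csv_row(flow))
```

For a day's worth of records, replace ET.fromstring with ET.iterparse over the wrapped stream so that the whole file is not held in memory; the per-record logic stays the same.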



Network Security Hacks: Tips & Tools for Protecting Your Privacy
ISBN: 0596527632
Year: 2006
Pages: 158
