Monday, April 4, 2016

audit IP network transaction with argus

Argus is an IP transaction audit tool that categorizes IP packets into a specific protocol. Argus can report on the transactions it discovers in real time. It can run as a daemon or simply write its transaction logs to stdout; it reads packets directly from a network interface and writes the transaction status information to a log file or to an open socket connected to an argus client such as ra. It can also read packet information from tcpdump, snoop or NLANR raw packet files.

We can view the statistics on the machine that runs argus, or from a remote PC, because argus also supports remote collection of statistics.

***info***
interface to collect: eth0
ip: 192.168.202.23
port: 880

1- install argus-server and argus-client packages on ubuntu machine
 $ sudo apt-get install argus-server argus-client

2-  modify the configuration of argus-server (/etc/argus.conf) to the following
ARGUS_DAEMON=yes
ARGUS_DEBUG_LEVEL=0
ARGUS_MONITOR_ID=`hostname`
ARGUS_ACCESS_PORT=880
ARGUS_INTERFACE=eth0
ARGUS_SET_PID=no
ARGUS_GO_PROMISCUOUS=yes
ARGUS_FLOW_STATUS_INTERVAL=60
ARGUS_GENERATE_START_RECORDS=no
ARGUS_GENERATE_RESPONSE_TIME_DATA=no
ARGUS_GENERATE_JITTER_DATA=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_FILTER_OPTIMIZER=no
ARGUS_CAPTURE_DATA_LEN=0
ARGUS_BIND_IP="192.168.202.23"


3- restart argus-server so that the new configuration takes effect
$ sudo  service argus-server restart
Restarting network auditing daemon:
argus[37516]: client(/var/log/argus/argus.log) done.
argus[38807]: client done.
argus[53167]: argus: ArgusEstablishListen: bind() error
argus.


4- now we can read the records on the PC that runs argus, or from a remote PC as well

+ locally we can read the log file directly, or connect to the daemon
$ sudo  ra -r /var/log/argus/argus.log
04-04-16 07:19:39.894065           man               192.168.202.23  v2.0                                     1 0          0        0         0            0           STA
04-04-16 07:19:39.946966           tcp               192.168.202.23.22          ?>                192.168.202.1.38910      196      343       33136        30574       CON
04-04-16 07:19:40.211832           udp               192.168.202.23.3205        ->              255.255.255.255.3206       30       0         2460         0           INT
04-04-16 07:19:40.846797           arp               192.168.202.23          who-has               192.168.202.24          47       0         1974         0           INT
04-04-16 07:19:44.765043           tcp                192.168.202.1.39055       ?>               192.168.202.23.ssh        18       18        2412         1188        CON
04-04-16 07:19:46.939805           udp               192.168.202.23.54956       ->              192.168.202.255.sunrpc     2        0         292          0           INT
04-04-16 07:20:24.218082           udp               192.168.202.23.34336       ->                 110.110.33.1.3544       3        0         309          0           INT
04-04-16 07:20:30.038063           udp               192.168.202.23.49542       ->                      8.8.8.8.domain     2        0         132          0           INT
04-04-16 07:20:32.967437           udp               192.168.202.23.33102       ->              192.168.202.255.sunrpc     6        0         876          0           INT
04-04-16 07:20:40.219788           udp               192.168.202.23.3205        ->              255.255.255.255.3206       30       0         2460         0           INT


- the command above prints every record in the log; to limit the output to a certain number of records we use -N, for example -N 5 to show only 5 records (-N counts from the start of the file, so these are the first 5 records, as the output shows)

$ ra -r /var/log/argus/argus.log -N 5
04-04-16 07:19:39.894065           man               192.168.202.23  v2.0                                     1 0          0        0         0            0           STA
04-04-16 07:19:39.946966           tcp               192.168.202.23.22          ?>                192.168.202.1.38910      196      343       33136        30574       CON
04-04-16 07:19:40.211832           udp               192.168.202.23.3205        ->              255.255.255.255.3206       30       0         2460         0           INT
04-04-16 07:19:40.846797           arp               192.168.202.23          who-has               192.168.202.24          47       0         1974         0           INT
04-04-16 07:19:44.765043           tcp                192.168.202.1.39055       ?>               192.168.202.23.ssh        18       18        2412         1188        CON





+ read from a remote client and watch the records in real time
$ sudo ra -S 192.168.202.23:880
04-04-16 09:50:57.194739           man               192.168.202.23  v2.0                                     1 0          0        0         0            0           STA
04-04-16 09:50:57.572002           udp               192.168.202.23.3205        ->              255.255.255.255.3206       30       0         2460         0           INT
04-04-16 09:50:57.766421           tcp                192.168.202.1.38910       ?>               192.168.202.23.ssh        101      62        8118         16100       CON
04-04-16 09:50:59.861279           arp               192.168.202.23          who-has               192.168.202.24          47       0         1974         0           INT
04-04-16 09:51:02.969883           tcp                192.168.202.1.39055       ?>               192.168.202.23.ssh        11       12        1474         844         CON
04-04-16 09:51:07.069169           udp               192.168.202.23.49115       ->              192.168.202.255.sunrpc     6        0         876          0           INT

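The columns ra prints above (start time, protocol, source address with port, direction, destination address with port, packets and bytes in each direction, and the flow state) are enough to do a first audit pass without any other tooling. The following is an added example, not code from argus or from this post: it parses that text layout (the older ra default shown here; newer argus-clients versions print different default columns), skips the management ("man") records, sums bytes per protocol, and lists flows that never saw a reply and left the LAN, which is the kind of one-sided traffic an auditor wants to explain first. The sample records and the LOCAL_NET prefix are constructed from the post's own output.

```python
"""Parse ra's text output and produce a small audit summary (added example)."""
from collections import Counter

# Constructed sample in the same column order as the post's ra output:
# date time proto saddr[.sport] dir daddr[.dport] spkts dpkts sbytes dbytes state
SAMPLE_RA_OUTPUT = """\
04-04-16 07:19:39.894065  man  192.168.202.23  v2.0  1 0  0  0  0  0  STA
04-04-16 07:19:39.946966  tcp  192.168.202.23.22  ?>  192.168.202.1.38910  196  343  33136  30574  CON
04-04-16 07:19:40.211832  udp  192.168.202.23.3205  ->  255.255.255.255.3206  30  0  2460  0  INT
04-04-16 07:19:40.846797  arp  192.168.202.23  who-has  192.168.202.24  47  0  1974  0  INT
04-04-16 07:19:44.765043  tcp  192.168.202.1.39055  ?>  192.168.202.23.ssh  18  18  2412  1188  CON
04-04-16 07:20:24.218082  udp  192.168.202.23.34336  ->  110.110.33.1.3544  3  0  309  0  INT
04-04-16 07:20:30.038063  udp  192.168.202.23.49542  ->  8.8.8.8.domain  2  0  132  0  INT
"""

# Assumption: the monitored LAN is the /24 used throughout the post.
LOCAL_NET = "192.168.202."


def split_endpoint(proto, field):
    """'192.168.202.23.ssh' -> ('192.168.202.23', 'ssh') for tcp/udp.
    ra appends the port (number or service name) after a dot; arp and
    other protocols carry a bare address."""
    if proto in ("tcp", "udp"):
        addr, port = field.rsplit(".", 1)
        return addr, port
    return field, None


def parse_ra(text):
    """Turn ra's whitespace-separated lines into flow dicts, dropping MAR records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 11:
            continue                      # blank or unexpected line
        proto = parts[2]
        if proto == "man":
            continue                      # management record (STA), not a flow
        saddr, sport = split_endpoint(proto, parts[3])
        daddr, dport = split_endpoint(proto, parts[5])
        flows.append({
            "stime": parts[0] + " " + parts[1],
            "proto": proto,
            "saddr": saddr, "sport": sport,
            "dir": parts[4],
            "daddr": daddr, "dport": dport,
            "spkts": int(parts[6]), "dpkts": int(parts[7]),
            "sbytes": int(parts[8]), "dbytes": int(parts[9]),
            "state": parts[10],
        })
    return flows


def bytes_per_proto(flows):
    """Total bytes in both directions, keyed by protocol."""
    totals = Counter()
    for f in flows:
        totals[f["proto"]] += f["sbytes"] + f["dbytes"]
    return dict(totals)


def unanswered_external(flows, local_net=LOCAL_NET):
    """Flows still in INT state with no reply packets, whose destination is
    neither on the LAN nor a broadcast address: traffic that left the network
    and got nothing back."""
    return [
        f for f in flows
        if f["state"] == "INT" and f["dpkts"] == 0
        and not f["daddr"].startswith(local_net)
        and not f["daddr"].endswith(".255")
    ]


if __name__ == "__main__":
    flows = parse_ra(SAMPLE_RA_OUTPUT)
    print("flows parsed:", len(flows))
    print("bytes per proto:", bytes_per_proto(flows))
    for f in unanswered_external(flows):
        print("unanswered ->", f["proto"], f["daddr"], f["dport"], "at", f["stime"])
```

To run it on real data, feed it the text of `ra -r /var/log/argus/argus.log` instead of the constructed sample; the parser only depends on the column order, so the same functions work on the output of `ra -S host:port` piped through a file.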



------------------------------------


There are many other tools designed to produce different kinds of reports; see the list below and explore them to find the ones that suit your needs.


1- rabins:time based bin processor. this routine will take in an argus stream and align it to a time array, and hold it for a hold period, and then output the bin contents as an argus stream. this is the basis for all stream block processors. used by ragraph() to structure the data into graphing regions.


2- racluster:command line aggregation.


3- racount:Tally things about argus records.


4- radium:this is the argus record distribution node. Acting just like an ra* program, supporting all the options and functions of ra(), and providing access to data, like argus, supporting remote filtering, and MAR record generation. This is an important workhorse for the argus architecture.


5- ranonymize:anonymize fields in argus records.


6- rasort:sort argus records based on various fields.


7- rasplit:reads argus data from an argus-data source, and splits the resulting output into consecutive sections of records based on size, count, time, or flow event, writing the output into a set of output-files.


8- raconvert:this converts ra() ascii output back into argus binary records.


9- radark:Report on dark address space accesses. The technique uses racluster to identify a current dark address space, using "no response" indications and specific ICMP unreachable events, and then uses the list of dark address 'accessors' to generate a scanners list. written in perl.


10- radecode:use tshark tools to decode user data (see `-s` fields `suser` and `duser`). written in perl.


11- radump:print user data (see `-s` fields `suser` and `duser`) using various protocol printers.


12- raevent:event for ra* client programs. add application specific code, stir and enjoy.


13- rafilteraddr:filter records based on an address list. bypasses standard filter compiler.


14- ragraph:This program uses rabins() and rrdtool to generate png formatted graphs of argus data using rrdtools. written in perl.


15- ragrep:grep() implementation for argus user data searching. written in C.


16- rahisto:produces a histogram of given data.


17- rahosts:ra() based host use report. written in perl.


18- ralabel:add descriptor labels to flows. this particular labeler adds descriptors based on addresses.


19- rapolicy:match input argus records against a Cisco access control policy.


20- raports:ra() based host port use report. written in perl.


21- rarpwatch:IPv4 and IPv6 arpwatch.


22- raservices:discover and validate network services using a byte-pattern definition provided by rauserdata() (also see ../argus-clients*/support/Config/std.sig).


23- rasql:used to read binary data from the BLOB records optionally produced by rasqlinsert (that contain the entire binary flow record).


24- rasqlinsert:allows you to insert flow metadata into databases using ratop's raclient.c based record processing engine.


25- rasqltimeindex:Read Argus data and build a time index suitable for inserting into a database schema.


26- rapath:print derivable path information from argus data. The strategy is to take in 'icmpmap' data, and to formulate path information for the collection of records received. By classifying all the flow data by the tuple {src, dst}, we can track any number of simultaneous traceroutes and report on the results in a manner that preserves the granularity of the data seen, but provide means to modify that granularity to get interesting results.


27- rastream:splits the resulting output into consecutive sections of records based on size, count, time, or flow event, writing the output into a set of output-files. optionally, rastream() will run a program against the output files N seconds after the file is closed (which occurs after all data has arrived for the specified timespan).


28- rastrip:remove fields from argus records.


29- ratemplate:template for ra* client programs. add application specific code, stir and enjoy.


30- ratimerange:print out the time range for the data seen.


31- rauserdata:reads argus data and produces a byte-pattern file for use with raservices().
