Newsgroups: comp.sources.unix
From: argus@SEI.CMU.EDU
Subject: v29i031: argus-1.5 - a generic IP network transaction auditing tool, Part01/06
Message-id: <1.813909952.2078@gw.home.vix.com>
Sender: unix-sources-moderator@gw.home.vix.com
Approved: vixie@gw.home.vix.com

Submitted-By: argus@SEI.CMU.EDU
Posting-Number: Volume 29, Issue 31
Archive-Name: argus-1.5/part01

#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.1).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.
#
# Made on 1995-10-16 22:59 PDT by .
# Source directory was `/tmp_mnt/fs/a3/CSU/New'.
#
# Existing files will *not* be overwritten unless `-c' is specified.
#
# This is part 1 of a multipart archive.
# Do not concatenate these parts, unpack them in order with `/bin/sh'.
#
touch -am 1231235999 $$.touch >/dev/null 2>&1
if test ! -f 1231235999 && test -f $$.touch; then
  shar_touch=touch
else
  shar_touch=:
  echo
  echo 'WARNING: not restoring timestamps.  Consider getting and'
  echo "installing GNU \`touch', distributed in GNU File Utilities..."
  echo
fi
rm -f 1231235999 $$.touch
#
if test -r _sharseq.tmp; then
  echo 'Must unpack archives in sequence!'
  echo Please unpack part `cat _sharseq.tmp` next
  exit 1
fi
# ============= argus-1.5/README ==============
if test ! -d 'argus-1.5'; then
  echo 'x - creating directory argus-1.5'
  mkdir 'argus-1.5'
fi
if test -f 'argus-1.5/README' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/README (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/README (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/README' &&
X
X/*
X * Copyright (c) 1993, 1994, 1995 Carnegie Mellon University.
X * All rights reserved.
X *
X * Permission to use, copy, modify, and distribute this software and
X * its documentation for any purpose and without fee is hereby granted,
X * provided that the above copyright notice appear in all copies and
X * that both that copyright notice and this permission notice appear
X * in supporting documentation, and that the name of CMU not be
X * used in advertising or publicity pertaining to distribution of the
X * software without specific, written prior permission.
X *
X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X * SOFTWARE.
X *
X */
X
XArgus 1.5
XSoftware Engineering Institute
XCarnegie Mellon University
Xargus@sei.cmu.edu
Xftp://ftp.sei.cmu.edu/pub/argus-1.5
X
X
XThank you for your interest in Argus.
X
XArgus is a generic IP network transaction auditing tool that has
Xallowed us at Carnegie Mellon University's Software Engineering Institute
Xto perform a number of powerful network management tasks that are
Xcurrently not possible using commercial network management tools.
X
XArgus runs as an application level daemon, promiscuously reading network
Xdatagrams from a specified interface, and generates network traffic status
Xrecords for the network activity that it encounters.  It is the way that
XArgus categorizes and reports on network activity that makes this tool
Xunique and powerful.
X
XIn our day to day operations, we have been using Argus on a Sun
XSPARCstation 2, to collect daily comprehensive network transaction logs
Xfrom the CMU DMZ, for all of the network traffic between Carnegie Mellon
XUniversity, the Software Engineering Institute, CERT Coordination Center
Xand the Internet.  This network experiences data rates that exceed 48
XGigabytes/day, with peak packet loads of ~4000 packets/sec.
XWith Argus, we have been able to reliably achieve high orders of data
Xreduction with considerable semantic preservation, allowing us
Xto perform extensive historical analysis of our network traffic.
X
XBy processing these historical network logs, we have been able to:
X
X   1. Verify that our network security access control policies are
X      actually being enforced and detect attempts to break through
X      our firewall and host based mechanisms.
X
X   2. Perform grade of service analysis for every IP based network
X      service that is offered in our network infrastructure.
X
X   3. Discover changes in the behavior of our network elements and
X      in the behavior of our external network partners.
X
X   4. Identify and troubleshoot difficult transient network problems such
X      as intermittent service failure, denial of service attacks and
X      host and network configuration problems.
X
X   5. Perform "what if?" analysis on network load and performance.
X
X
XAnd by using the realtime features of Argus, we have been able to
Xdevelop complex proactive network management tasks, such as real-time
Xmanagement notification of the occurrence of high connection setup
Xfailures to key service machines.
X
X
XThe data that Argus generates makes it possible to analyze
Xnetwork activity and performance in ways that have not been possible
Xbefore.  We are routinely answering questions such as:
X
X   "Has anything scanned this subnet for system vulnerabilities, such
X    as that performed by SATAN?"
X
X   "A new intrusion method has been discovered, has anyone tried
X    to use it to attack the CERT Coordination Center's network in
X    the past year?"
X
X   "What host and what TCP service used all of the bandwidth on the
X    CMU DMZ last night?"
X
X   "Did a new MUD server appear on any of the SEI machines last
X    Tuesday?"
X
X   "What network traffic was blocked by our router-enforced firewall?"
X
X   "What is the average HTTP transaction connection time when a CMU
X    host accesses MIT's WWW server?"
X
X   "If we move the News server to another subnet, what other machines
X    should be moved with it?"
X
XEach of these questions can be answered from the same historical network
Xactivity audit log.
X
X
XThis software distribution includes the network transaction auditing
Xengine, argus(8), as well as two Argus data reading tools, ra(1) and
Xservices(1), which we include as examples of argus(8) clients.
XWe use variants of ra(1) for most of our analyses.  We would like to
Xencourage the development of more Argus analysis tools, and to that
Xend we have developed a library of support routines and a client template
Xthat should make developing clients easier.  Please see the
Xclients/README file for more information.
X
X
XWe have found that comprehensive network transaction auditing can be a
Xpowerful network management tool, and we think that a large number
Xof sites can benefit from the prototype work that we have done in this
Xarea.  We hope that you find Argus and the support tools helpful.
X
XIncluded is a brief description of some design issues relating to
XArgus that may be of interest.  If you have any questions, comments,
Xsuggestions, recommendations, opinions, attitudes, contributions,
Xaccolades, and/or illuminations, please send them to argus@sei.cmu.edu.
X
X
XAgain, thank you for your interest in Argus.
X
XCarter Bullard
XSoftware Engineering Institute
XCarnegie Mellon University
Xwcb@sei.cmu.edu
X
XChas DiFatta
XSoftware Engineering Institute
XCarnegie Mellon University
Xchas@sei.cmu.edu
X
X
X
XOverview
X
XIn this package we have provided the network transaction auditing engine,
XArgus, and a few basic tools for reading and analyzing the data.  Please
Xread the man pages for argus(8), ra(1) and services(1) for a detailed
Xdescription of how to use these specific programs.
X
XArgus is an implementation of our research work in general network
Xaccountability, tailored for IP networking.  The research
Xhas led to the development of an abstract model of network behavior
Xthat allows arbitrary network traffic to be categorized into prototypic
Xnetwork "transactions".  Argus tracks the transactions that it "discovers",
Xand generates status reports as the transactions progress.
X
XArgus categorizes network traffic into one of four types of network
X"transactions" (example):
X
X   1. connection oriented          (tcp)
X   2. connection-less
X         request/response          (udp/dns)
X         persistent                (MBONE multicast traffic)
X   3. event                        (icmp)
X
Xand then applies connection oriented semantics to each.  This approach
Xallows Argus to treat these dissimilar transaction models as if they
Xare the same.
X
XIn the IP implementation, all network datagrams are categorized by
Xsource and destination MAC addresses, source and destination IP
Xaddresses, the IP options that may exist, the upper layer protocol as
Xindicated in the IP header proto field, and in the case of UDP or TCP,
Xby the datagram's source and destination port numbers.
X
X
XArgus Status Records
X
XThere is one union structure for the fixed length Argus status reports
Xthat are generated for the 4 different types of transactions.  Each
Xstatus report contains transaction start and stop time information,
Xthe MAC and IP src and dst addresses, the IP options that were seen,
Xthe upper layer protocol used, the transaction src and dst byte and
Xpacket counts and upper layer protocol specific information.  The
Xprotocol specific information and the criteria for when the status
Xreports are created are different for each of the four transaction
Xtypes.
X
X   Connection Oriented Transactions
X
X   The connection oriented protocol that Argus understands is TCP.
X   Argus has a complete knowledge of the TCP state machine and
X   as such can generate status reports with each state transition
X   seen within any individual TCP.  There is also the provision for
X   generating time interval based status reporting on the TCP
X   connections that Argus is tracking.
X
X   The status report for TCP indicates what TCP states were seen,
X   if any packets were retransmitted, if the src or dst windows
X   had closed, and if the report had been generated by a time out
X   condition.
X
X   In the default mode, Argus will generate a cumulative status report
X   at the time that a TCP connection closes, or times out.  This
X   strategy offers the greatest amount of data reduction on TCP
X   transactions.
X
X
X   Connection-Less Transactions
X
X   All non-TCP traffic is categorized as belonging to a
X   connection-less transaction.  When configured to generate the
X   most detailed level of reporting for connection-less traffic,
X   Argus will report:
X
X      1. The "discovery" of a new connection-less transaction.
X
X      2. The existence of a request/response "volley" within the
X         transaction.  This exists when Argus has seen a single
X         packet from both the source and destination for this
X         transaction.
X
X      3. The continuation of a transaction, or transaction persistence.
X         This status is generated by a timer function.  If traffic
X         has been seen within a configured timer window, a status
X         report is generated.
X
X   The status report for non-TCP traffic indicates if this is the
X   initial report on the transaction, if this is a request/response
X   status report, and if this is a continuation of a current transaction.
X
X   In the default mode, Argus will generate a status report when it
X   has seen a request/response "volley" within a transaction and then
X   every 15 minutes, if the transaction persists.  This strategy
X   offers immediate notification of request/response traffic and
X   a fair amount of data reduction on connection-less transactions.
X
X
X   Events
X
X   Argus reports ICMP datagrams as events, creating an Argus
X   status report for each ICMP datagram seen.  This strategy
X   is not data reducing, unfortunately, and can result in a large
X   number of status reports in a period of time.  This will, in many
X   cases, be "turned off" at runtime.
X
X   The status report for ICMP traffic includes most of the data
X   fields of the original ICMP datagram.  This is to preserve as
X   much ICMP semantics as possible.
X
X
XBecause of the nature of IP networking, Argus records generally have a
Xone to one relationship with application oriented transactions.
XNetwork based application transactions are represented as either a
Xsingle status report, or a collection of related Argus status records.
X
XA TCP connection can span a number of Argus status records, if there
Xare no keep alives, since the default TCP timeout value is 120 seconds.
XIn this case, all the status records are identified as belonging to the
XTCP connection, because the source/destination IP address and TCP port
Xpairs are all the same.  The first report will show that it saw the
Xstart of the connection (SAW_SYN, SAW_SYN_SENT, CON_ESTABLISHED flags
Xwill be set), and the report was generated by a TIMED_OUT signal.  All
Xthe subsequent records will simply have the CON_ESTABLISHED flag set,
Xand when it is the close of the connection, it will have the NORMAL_CLOSE
Xflag, or the RESET flags set.
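The transaction model described above, as a small flow tracker: TCP gets connection state (SAW_SYN, SAW_SYN_SENT, CON_ESTABLISHED, NORMAL_CLOSE, RESET), UDP gets the request/response volley and periodic continuation reports, ICMP is one event per datagram, and a 120-second idle gap splits one TCP connection into several status records, the first carrying the SYN flags and TIMED_OUT and the rest only CON_ESTABLISHED. It also applies the byte-count rule the README gives in the next section: TCP bytes are taken from the sequence-number span, so a segment the sniffer missed is still counted, while packet counts reflect only what was seen. This is an added example written for this page, not Argus code: the Pkt tuple, the flag and record names, and the sample capture are all constructed here, and real Argus records carry more (MAC addresses, IP options, window state) than this models.

```python
"""Flow tracker modelling the README's transaction types (TCP with connection
state, UDP request/response and persistence, ICMP as events).  Added example for
this page, not Argus code: the Pkt tuple, record layout and sample capture are
constructed; real Argus records carry more (MAC addresses, IP options, window state)."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src dst proto sport dport flags seq length")  # flags: subset of S A F R
TCP_TIMEOUT = 120.0        # README: default TCP idle timeout
UDP_INTERVAL = 15 * 60.0   # README: persistent connection-less traffic reported every 15 minutes


class Flow:
    """One transaction; 'src' is whichever side sent the first packet seen."""
    def __init__(self, p):
        self.proto, self.src, self.dst = p.proto, (p.src, p.sport), (p.dst, p.dport)
        self.established, self.fins, self.next_report = False, set(), None
        self.new_record(p.ts)

    def new_record(self, ts):                    # per-status-record counters
        self.start = self.last = ts
        self.flags, self.pkts, self.bytes = set(), {"src": 0, "dst": 0}, {"src": 0, "dst": 0}
        self.seq = {"src": None, "dst": None}    # (lowest seq, highest seq+len) per direction

    def record(self, reason):
        self.flags.add(reason)
        # TCP bytes come from the sequence-number span, so a segment the sniffer
        # missed is still counted; packet counts only ever reflect what was seen.
        b = ({d: s[1] - s[0] if s else 0 for d, s in self.seq.items()}
             if self.proto == "tcp" else self.bytes)
        return dict(proto=self.proto, src=self.src, dst=self.dst, start=self.start,
                    last=self.last, flags=frozenset(self.flags),
                    src_pkts=self.pkts["src"], dst_pkts=self.pkts["dst"],
                    src_bytes=b["src"], dst_bytes=b["dst"])


class Tracker:
    def __init__(self):
        self.flows, self.out = {}, []

    def feed(self, p):
        if p.proto == "icmp":                    # event: one status record per datagram
            f = Flow(p); f.pkts["src"], f.bytes["src"] = 1, p.length
            self.out.append(f.record("EVENT")); return
        key = (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = Flow(p)
        elif p.proto == "tcp" and p.ts - f.last > TCP_TIMEOUT:
            # idle gap: close this status record, open the next for the same connection
            self.out.append(f.record("TIMED_OUT")); f.new_record(p.ts)
            if f.established: f.flags.add("CON_ESTABLISHED")
        d = "src" if (p.src, p.sport) == f.src else "dst"
        f.last = p.ts; f.pkts[d] += 1; f.bytes[d] += p.length
        (self._tcp if p.proto == "tcp" else self._udp)(f, p, d, key)

    def _tcp(self, f, p, d, key):
        lo, hi = f.seq[d] or (p.seq, p.seq)
        f.seq[d] = (min(lo, p.seq), max(hi, p.seq + p.length))   # SYN/FIN seq consumption ignored
        if "S" in p.flags and "A" not in p.flags and d == "src":
            f.flags.add("SAW_SYN")
        elif "S" in p.flags and "A" in p.flags and d == "dst":
            f.flags.add("SAW_SYN_SENT")
        elif "A" in p.flags and "SAW_SYN_SENT" in f.flags and not f.established:
            f.established = True; f.flags.add("CON_ESTABLISHED")
        if "R" in p.flags:
            self.out.append(f.record("RESET")); del self.flows[key]
        elif "F" in p.flags:
            f.fins.add(d)
            if f.fins == {"src", "dst"}:
                self.out.append(f.record("NORMAL_CLOSE")); del self.flows[key]

    def _udp(self, f, p, d, key):
        if f.next_report is None:
            if d == "dst":                       # first reply: the request/response "volley"
                self.out.append(f.record("REQ_RESP")); f.new_record(p.ts)
                f.next_report = p.ts + UDP_INTERVAL
        elif p.ts >= f.next_report:              # transaction persists: periodic continuation
            self.out.append(f.record("CON_ESTABLISHED")); f.new_record(p.ts)
            f.next_report = p.ts + UDP_INTERVAL

    def flush(self):                             # end of capture: report whatever is still open
        for f in self.flows.values():
            if f.pkts["src"] or f.pkts["dst"]:
                self.out.append(f.record("TIMED_OUT"))
        self.flows.clear()
        return self.out


def audit(packets):
    t = Tracker()
    for p in sorted(packets, key=lambda q: q.ts):
        t.feed(p)
    return t.flush()


# Constructed capture: one HTTP connection with a >120 s idle gap whose server
# segment 5500..6000 the sniffer never saw, a DNS volley, and one ICMP echo.
H, W, N = "10.0.0.5", "10.0.0.9", "10.0.0.53"
SAMPLE = [
    Pkt(0.0, H, W, "tcp", 40001, 80, {"S"}, 1000, 0),
    Pkt(0.1, W, H, "tcp", 80, 40001, {"S", "A"}, 5000, 0),
    Pkt(0.2, H, W, "tcp", 40001, 80, {"A"}, 1000, 0),
    Pkt(0.3, H, W, "tcp", 40001, 80, {"A"}, 1000, 100),
    Pkt(0.4, W, H, "tcp", 80, 40001, {"A"}, 5000, 500),
    Pkt(0.5, W, H, "tcp", 80, 40001, {"A"}, 6000, 500),
    Pkt(200.0, H, W, "tcp", 40001, 80, {"A"}, 1100, 50),
    Pkt(200.1, W, H, "tcp", 80, 40001, {"A"}, 6500, 200),
    Pkt(200.2, H, W, "tcp", 40001, 80, {"F", "A"}, 1150, 0),
    Pkt(200.3, W, H, "tcp", 80, 40001, {"F", "A"}, 6700, 0),
    Pkt(1.0, H, N, "udp", 5353, 53, set(), 0, 40),
    Pkt(1.02, N, H, "udp", 53, 5353, set(), 0, 120),
    Pkt(2.0, H, W, "icmp", 0, 0, set(), 0, 64),
]
```

Running `audit(SAMPLE)` yields four records: the DNS volley, the ICMP event, and two for the one HTTP connection. The first TCP record is flagged SAW_SYN/SAW_SYN_SENT/CON_ESTABLISHED/TIMED_OUT and reports 1500 server bytes from only three server packets seen, because the sequence span covers the lost segment; the second carries just CON_ESTABLISHED and NORMAL_CLOSE, which is exactly the multi-record pattern the README says to expect when matching records back to one connection.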
X
XRequest/Response and Event transactions will be reported as one status
Xrecord.  But persistent transactions will almost always be represented
Xby multiple CON_ESTABLISHED, or TIMED_OUT status records where the
Xsource/destination IP addresses, the upper protocol, and in the case
Xof UDP the source/destination port numbers are all the same.
X
XArgus is designed to function in a high packet load environment, and
Xrecovers cleanly in situations where there is packet loss.  The packet
Xcounts and byte counts reflect only what Argus actually realizes, except
Xin the case of TCP, where total connection byte counts are actually
Xcalculated from the TCP sequence numbers that Argus tracks during the
Xcourse of the TCP.
X
XWhen you begin to analyze Argus data, either using the simple tools that
Xare in the package, or when you write your own Argus data analysis tools,
Xthese conditions should become clear.
X
X
XNetwork Security
X
XComprehensive network transaction auditing can make a major impact on
Xa site's network security.  As we have had a great deal of success in
Xusing Argus to improve the network security at the Software Engineering
XInstitute and CERT Coordination Center, we would like to emphasize this
Xadvantage of the use of Argus.
X
XAccountability has always been recognized as a critical element in system
Xsecurity modeling.  One of the principal deficiencies in the functional
Xstructure of current Internet technology is its inherent lack of
Xaccountability.  Experience in Internet computer incident handling
Xclearly indicates that current Internet technology does not adequately
Xsupport the detection and/or analysis of computer security related events.
X
XOne of the fundamental problems with the current "state of the art"
Xin computer security is the reliance on host based accounting systems.
XWhen a host is compromised during a security incident, there is a
Xhigh probability that the host's accounting system will be modified
Xin order to "cover up" the unauthorized accesses.  As a result of the
Xcompromise, the host based accounting system is completely unreliable.
XThis lack of accounting reliability makes host based intrusion detection
Xa very difficult, if not impossible task.  In addition, most host
Xaccounting systems are not capable of detecting and accounting for all
Xthe network events that may be important to the security of the host, as
Xmany of the meaningful events can not be anticipated.
X
XOur experience has been that independent comprehensive network
Xtransaction auditing provides a powerful addition to network based
Xaccess control that compensates for many of the inadequacies seen in host
Xbased accounting.  Argus has become a critical element in the network
Xsecurity mechanisms of CMU's Software Engineering Institute and CERT
XCoordination Center.
X
XOne of the key roles that Argus plays is in the verification of our
Xrouter-based firewall control mechanisms.  By comparing the Argus
Xtransaction status records for our internal networks against the
Xactual router access control lists, we gain strong, independent
Xassurance that the router is implementing the control policies
Xcorrectly (traffic that Argus itself did not see, for instance during
Xpacket loss, is of course not checked).  This independent scheme has
Xbeen used to detect bugs in router vendor security mechanisms.  Of course
Xif the access control lists are poorly defined, then problems will get
Xpast even this mechanism.  But, by analyzing our internal network Argus
Xdata for violations of the intent of the access control policies, we
Xestablish the same assurance that our access control policies are
Xactually being enforced.
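Two of the uses above, checking the router's access lists against what Argus actually saw, and pulling a scan "signature" out of the same records, as an added example written for this page. It is not Argus code and not the implementation behind ra(1)'s -C option: the parser handles only a small subset of Cisco extended access-list syntax (permit/deny, ip/tcp/udp/icmp, any / host A / address wildcard, optional eq port), evaluates records first-match with the implicit trailing deny, and the ACL, the records, the protected network 10.1.0.0/16 and the fan-out threshold are all constructed or assumed here. A record in which an inside host answered an inbound request the ACL says should have been dropped is the interesting case: the filter let something through, or the ACL is not what you think it is.

```python
"""Policy verification and scan fan-out over Argus-style status records.
Added example for this page; not Argus code and not ra(1)'s -C option.
The ACL parser handles only a subset of Cisco extended access-list syntax,
and the ACL, records and INSIDE network below are constructed."""
import ipaddress
from collections import defaultdict

INSIDE = ipaddress.ip_network("10.1.0.0/16")   # assumed: the networks behind the router


def _addr(tokens):
    """One ACL address spec: 'any' | 'host A' | 'A WILDCARD'.  Returns ((net, wild), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])), int(ipaddress.ip_address(tokens[1]))), tokens[2:]


def _port(tokens):
    """Optional 'eq N' after an address spec (other port operators are not handled)."""
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue                        # comments ('!') and unsupported lines ignored
        permit, proto, rest = t[2] == "permit", t[3], t[4:]
        src, rest = _addr(rest); sport, rest = _port(rest)
        dst, rest = _addr(rest); dport, rest = _port(rest)
        rules.append((permit, proto, src + (sport,), dst + (dport,)))
    return rules


def _match(spec, addr, port):
    net, wild, p = spec                     # Cisco wildcard: 1 bits are "don't care"
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0 and (p is None or p == port)


def permits(rules, proto, src, sport, dst, dport):
    """First-match evaluation with Cisco's implicit 'deny ip any any' at the end."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for permit, rproto, rs, rd in rules:
        if rproto in ("ip", proto) and _match(rs, s, sport) and _match(rd, d, dport):
            return permit
    return False


def rec(ts, proto, src, sport, dst, dport, *flags):
    return dict(ts=ts, proto=proto, src=src, sport=sport, dst=dst, dport=dport, flags=set(flags))


def policy_violations(rules, records):
    """Outside->inside records where the inside host answered, yet the ACL says the
    router should have dropped the request: the filter let something through."""
    answered = {"SAW_SYN_SENT", "CON_ESTABLISHED", "REQ_RESP"}
    out = []
    for r in records:
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if src in INSIDE or dst not in INSIDE:
            continue                        # only the inbound direction is filtered here
        if r["flags"] & answered and not permits(rules, r["proto"], r["src"], r["sport"], r["dst"], r["dport"]):
            out.append(r)
    return out


def syn_fanout(records, min_targets=3):
    """Scan signature: one outside source whose SYNs to many distinct (host, port)
    targets drew no SYN-ACK.  The threshold is a per-site tuning assumption."""
    targets = defaultdict(set)
    for r in records:
        if (r["proto"] == "tcp" and "SAW_SYN" in r["flags"]
                and "SAW_SYN_SENT" not in r["flags"]
                and ipaddress.ip_address(r["src"]) not in INSIDE):
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


ACL = """
! constructed: only mail, web and DNS may come in from the Internet
access-list 101 permit tcp any host 10.1.0.25 eq 25
access-list 101 permit tcp any 10.1.0.0 0.0.255.255 eq 80
access-list 101 permit udp any host 10.1.0.53 eq 53
access-list 101 deny ip any any
"""

RECORDS = [   # constructed status records; flag names follow the README
    rec(1, "tcp", "192.0.2.7", 3001, "10.1.0.25", 25, "SAW_SYN", "SAW_SYN_SENT", "CON_ESTABLISHED", "NORMAL_CLOSE"),
    rec(2, "tcp", "192.0.2.7", 3002, "10.1.0.25", 23, "SAW_SYN", "SAW_SYN_SENT", "CON_ESTABLISHED"),  # telnet got in
    rec(3, "tcp", "192.0.2.7", 3003, "10.1.0.40", 23, "SAW_SYN"),                                    # dropped as intended
    rec(4, "udp", "192.0.2.9", 4000, "10.1.0.53", 53, "REQ_RESP"),
    rec(5, "tcp", "10.1.0.40", 5000, "192.0.2.9", 80, "SAW_SYN", "SAW_SYN_SENT", "CON_ESTABLISHED"),  # outbound
    rec(6, "tcp", "198.51.100.3", 6001, "10.1.0.40", 21, "SAW_SYN"),
    rec(7, "tcp", "198.51.100.3", 6002, "10.1.0.41", 21, "SAW_SYN"),
    rec(8, "tcp", "198.51.100.3", 6003, "10.1.0.42", 21, "SAW_SYN"),
    rec(9, "tcp", "198.51.100.3", 6004, "10.1.0.43", 111, "SAW_SYN"),
]

if __name__ == "__main__":
    rules = parse_acl(ACL)
    for r in policy_violations(rules, RECORDS):
        print("POLICY VIOLATION:", r)
    for src, tgts in syn_fanout(RECORDS).items():
        print("SCAN from", src, "->", len(tgts), "unanswered targets")
```

On the constructed data this flags record 2 (an established telnet session into the mail host, which rule 101 never permits) and the host 198.51.100.3 sweeping four inside targets with unanswered SYNs. Records that show only SAW_SYN to a denied port are the router doing its job and are not reported; a SYN that was answered is the evidence, which is why the check keys on the reply flags rather than on the request alone.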
X
XNetwork scanning, such as that done by SATAN and ISS, generates
Xcharacteristic network "signatures" which are preserved in the
Xcomprehensive network transaction logs generated by Argus, so that
Xsimple Argus data analysis tools can be written to discover
Xthe use of SATAN.  We highly recommend the development of these types
Xof Argus data analysis tools.
X
XWe have included in our ./contrib directory a sample ra(1) filter that
Xacts to detect intrusion attacks of the type described in the CERT
Xadvisory CA-95:01 "IP spoofing attacks and hijacked terminal connections".
XThis is a reliable, although not warrantable, method for detecting these
Xtypes of attacks and we offer it as an example of how Argus data can be
Xused in intrusion detection.  We also highly recommend the development
Xof these types of Argus data analysis tools.
X
X
XIndividual Privacy
X
XNetwork transaction auditing may be perceived as having an impact on
Xindividual privacy.  This is a real issue and should not be trivialized.
X
XThe protection of an individual's right to privacy was a critical design
Xfeature of Argus, and dictated that Argus not scan datagrams beyond the
XTransport Layer Header data.  The need to gather information from the
Xnetwork for the purposes of network management must be balanced with the
Xrequirement to preserve an individual's right to privacy.  We do not
Xrecommend that implementors extend this type of network management
Xanalysis beyond the Transport Layer, without considering the impact on
Xan individual's right to privacy.
X
X
XImplementation Platforms
X
XArgus has been built and tested under SunOS 4.x, Solaris 2.3 and SGI IRIX 5.2.
XThe issue of portability has been principally addressed by the use of
Xlibpcap-0.0.x.  Argus, itself, has been written assuming a BSD environment,
Xand is designed around the select() and socket() facilities.  Porting
Xto environments that do not supply these features may be problematic.
XWe suspect that you may run into some problems when porting -- please
Xsend us the patches if you fix any porting problems.  We will be very
Xgrateful.
X
XThe FDDI support in argus-1.5 has been tested on SGI architectures.
XTHERE COULD BE PROBLEMS, so in the event that you use Argus successfully
Xon FDDI interfaces, we would like to hear about your experiences.
SHAR_EOF
  $shar_touch -am 0508141295 'argus-1.5/README' &&
  chmod 0444 'argus-1.5/README' ||
  echo 'restore of argus-1.5/README failed'
  shar_count="`wc -c < 'argus-1.5/README'`"
  test 17191 -eq "$shar_count" ||
    echo "argus-1.5/README: original size 17191, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/bin/mkdep ==============
if test ! -d 'argus-1.5/bin'; then
  echo 'x - creating directory argus-1.5/bin'
  mkdir 'argus-1.5/bin'
fi
if test -f 'argus-1.5/bin/mkdep' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/bin/mkdep (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/bin/mkdep (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/bin/mkdep' &&
X#!/bin/sh -
X#
X# Copyright (c) 1987 Regents of the University of California.
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms are permitted
X# provided that this notice is preserved and that due credit is given
X# to the University of California at Berkeley. The name of the University
X# may not be used to endorse or promote products derived from this
X# software without specific prior written permission. This software
X# is provided ``as is'' without express or implied warranty.
X#
X#	@(#)mkdep.sh	5.11 (Berkeley) 5/5/88
X#
X
XPATH=/bin:/usr/bin:/usr/ucb
Xexport PATH
X
XMAKE=Makefile			# default makefile name is "Makefile"
X
Xwhile :
X	do case "$1" in
X		# -f allows you to select a makefile name
X		-f)
X			MAKE=$2
X			shift; shift ;;
X
X		# the -p flag produces "program: program.c" style dependencies
X		# so .o's don't get produced
X		-p)
X			SED='s;\.o;;'
X			shift ;;
X		*)
X			break ;;
X	esac
Xdone
X
Xif [ $# = 0 ] ; then
X	echo 'usage: mkdep [-p] [-f makefile] [flags] file ...'
X	exit 1
Xfi
X
Xif [ ! -w $MAKE ]; then
X	echo "mkdep: no writeable file \"$MAKE\""
X	exit 1
Xfi
X
X# NOTE: predictable filename in the shared /tmp; another local user can
X# pre-create or symlink it.  Run this only on a build host you trust.
XTMP=/tmp/mkdep$$
X
Xtrap 'rm -f $TMP ; exit 1' 1 2 3 13 15
X
Xcp $MAKE ${MAKE}.bak
X
Xsed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP
X
Xcat << _EOF_ >> $TMP
X# DO NOT DELETE THIS LINE -- mkdep uses it.
X# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
X
X_EOF_
X
X# If your compiler doesn't have -M, add it.  If you can't, the next two
X# lines will try and replace the "cc -M".  The real problem is that this
X# hack can't deal with anything that requires a search path, and doesn't
X# even try for anything using bracket (<>) syntax.
X#
X# egrep '^#include[ 	]*".*"' /dev/null $* |
X# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
X
Xcc -M $* |
Xsed "
X	s; \./; ;g
X	$SED" |
Xawk '{
X	if ($1 != prev) {
X		if (rec != "")
X			print rec;
X		rec = $0;
X		prev = $1;
X	}
X	else {
X		if (length(rec $2) > 78) {
X			print rec;
X			rec = $0;
X		}
X		else
X			rec = rec " " $2
X	}
X}
XEND {
X	print rec
X}' >> $TMP
X
Xcat << _EOF_ >> $TMP
X
X# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
X_EOF_
X
X# copy to preserve permissions
Xcp $TMP $MAKE
Xrm -f ${MAKE}.bak $TMP
Xexit 0
SHAR_EOF
  $shar_touch -am 0508141295 'argus-1.5/bin/mkdep' &&
  chmod 0555 'argus-1.5/bin/mkdep' ||
  echo 'restore of argus-1.5/bin/mkdep failed'
  shar_count="`wc -c < 'argus-1.5/bin/mkdep'`"
  test 2115 -eq "$shar_count" ||
    echo "argus-1.5/bin/mkdep: original size 2115, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/clients/Makefile.in ==============
if test ! -d 'argus-1.5/clients'; then
  echo 'x - creating directory argus-1.5/clients'
  mkdir 'argus-1.5/clients'
fi
if test -f 'argus-1.5/clients/Makefile.in' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/clients/Makefile.in (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/clients/Makefile.in (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/clients/Makefile.in' &&
X
X# Copyright (c) 1993, 1994 Carnegie Mellon University.
X# All rights reserved.
X#
X# Use in source and binary forms, with or without modification, are
X# permitted provided that source code modifications retain all
X# pertinent copyright notices and this paragraph in its entirety.
X# This distribution includes software developed at Carnegie Mellon
X# University.
X#
X# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
X# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
X# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
X
X# Copyright (c) 1993, 1994
X#	The Regents of the University of California.  All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that: (1) source code distributions
X# retain the above copyright notice and this paragraph in its entirety, (2)
X# distributions including binary code include the above copyright notice and
X# this paragraph in its entirety in the documentation or other materials
X# provided with the distribution, and (3) all advertising materials mentioning
X# features or use of this software display the following acknowledgement:
X# ``This product includes software developed by the University of California,
X# Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
X# the University nor the names of its contributors may be used to endorse
X# or promote products derived from this software without specific prior
X# written permission.
X# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
X# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
X# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
X#
X# @(#) $Header: /us/wcb/research/src/argus/argus-1.5/clients/RCS/Makefile.in,v 1.2 1995/04/20 21:20:55 wcb Exp $ (LBL)
X#
X#
X# You shouldn't need to edit anything below.
X#
X
XDEFINE_STDC = -D__STDC__
X
X#have-ethers#ETHERS_DEFINES = -DETHER_SERVICE
X#
X#have-solaris#OS_DEFINES = -DSOLARIS
X#have-irix#OS_DEFINES = -Dvolatile= $(DEFINE_STDC)
X
X#have-gcc#DEFINE_STDC =
X
X#have-pf#PCAP_DEFINES = -DPCAP_PF
X
X#have-bpf#PCAP = bpf
X#have-pf#PCAP = pf
X#have-nit#PCAP = nit
X#have-snit#PCAP = snit
X#have-snoop#PCAP = snoop
X#have-dlpi#PCAP = dlpi
X
XCC = cc
X#have-gcc#CC = gcc
X#have-acc#CC = acc
X
XCCOPT = -g
X#
X# Flex and bison allow you to specify the prefixes of the global symbols
X# used by the generated parser.  This allows programs to use lex/yacc
X# and link against libpcap.  If you don't have flex or bison, get them.
X#
XLEX = lex
XYACC = yacc
X#have-flex#LEX = flex -Ppcap_
X#have-bison#YACC = bison -y -p pcap_
X
XMAKE = make
XSHELL = /bin/sh
X
XRANLIB = echo
X#have-ranlib#RANLIB = ranlib
X
XROOT_DIR=..
XINCLUDE=$(ROOT_DIR)/include
XLIBPCAP=$(ROOT_DIR)/libpcap
XTCPWRAP=$(ROOT_DIR)/wrapper
XOTHDIRS=$(ROOT_DIR)/common
XPROGDIRS=$(ROOT_DIR)/server $(ROOT_DIR)/clients
XALLDIRS=$(LIBPCAP) $(OTHDIRS) $(PROGDIRS)
X#
XINSTALL_LIB=$(ROOT_DIR)/lib
XINSTALL_BIN=$(ROOT_DIR)/bin
X#
XINCLUDES = -I$(INCLUDE) -I$(LIBPCAP) -I$(TCPWRAP)
XDEFINES = $(PCAP_DEFINES) $(OS_DEFINES)
X
X# Standard CFLAGS
XCFLAGS = $(CCOPT) $(DEFINES) $(INCLUDES)
X
X# Explicitly define compilation rule since SunOS 4's make doesn't like gcc.
X# Also, gcc does not remove the .o before forking 'as', which can be a
X# problem if you don't own the file but can write to the directory.
X.c.o:
X	rm -f $@; $(CC) $(CFLAGS) -c $*.c
X
XLIB = ../lib/argus_parse.a ../lib/libpcap.a
XCOMPATLIB =
X#have-solaris#COMPATLIB = -lsocket -lnsl
X
XPROGS = $(INSTALL_BIN)/ra $(INSTALL_BIN)/services
XSRC = ra.c services.c
X
Xall: $(PROGS)
X
X$(INSTALL_BIN)/ra: ra.o $(LIB)
X	$(CC) $(CFLAGS) -o $@ ra.o $(LIB) $(COMPATLIB)
X
X$(INSTALL_BIN)/services: services.o $(LIB)
X	$(CC) $(CFLAGS) -o $@ services.o $(LIB) $(COMPATLIB) -lm
X
X$(INSTALL_BIN)/template: template.o $(LIB)
X	$(CC) $(CFLAGS) -o $@ template.o $(LIB) $(COMPATLIB) -lm
X
Xclean:
X	rm -f *.o
X
Xforce:	/tmp
Xinstall: $(PROGS)
Xdepend:	force
X	../bin/mkdep $(INCLUDES) $(SRC)
SHAR_EOF
  $shar_touch -am 0508141295 'argus-1.5/clients/Makefile.in' &&
  chmod 0444 'argus-1.5/clients/Makefile.in' ||
  echo 'restore of argus-1.5/clients/Makefile.in failed'
  shar_count="`wc -c < 'argus-1.5/clients/Makefile.in'`"
  test 3955 -eq "$shar_count" ||
    echo "argus-1.5/clients/Makefile.in: original size 3955, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/clients/ra.c ==============
if test -f 'argus-1.5/clients/ra.c' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/clients/ra.c (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/clients/ra.c (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/clients/ra.c' &&
X
X/*
X * Copyright (c) 1993, 1994 Carnegie Mellon University.
X * All rights reserved.
X *
X * Permission to use, copy, modify, and distribute this software and
X * its documentation for any purpose and without fee is hereby granted,
X * provided that the above copyright notice appear in all copies and
X * that both that copyright notice and this permission notice appear
X * in supporting documentation, and that the name of CMU not be
X * used in advertising or publicity pertaining to distribution of the
X * software without specific, written prior permission.
X *
X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X * SOFTWARE.
X *
X */
X
X/*
X *
X * policy - parse policy configuration and report argus data that
X *          does not conform to this policy.  no policy will report
X *          all data.
X *
X *          this is the principal argus client that uses the client
X *          libraries which provide code to read argus archive files,
X *          attach to remote argus servers, parse policy configuration
X *          files, parse argus data streams and calls data specific
X *          subroutines that are provided in this file.
X *
X *          the principal function of this client is to print out
X *          argus data, and its intended use is to review argus data.
X * X * Carter Bullard X * Software Engineering Institute X * Carnegie Mellon Univeristy X * X */ X X#define ARGUS_CLIENT X X#include X#include X X#include X X#include X#include X#include X#ifndef SOLARIS X#include X#endif X#include X#include X X#include X#include X#include X#include X X#include X#include X X#include X X#include X#include X X#include X#include X#include X#include X#include X X Xchar *appOptstring = NULL; Xextern int major_version, minor_version; Xextern struct tm tm_startime, tm_lasttime; X Xinit () {} Xvoid argus_parse_complete () {} Xvoid clientTimeout () {} Xparse_arg (argc, argv) Xint argc; Xchar**argv; X{} X Xvoid Xusage (ptr) Xchar *ptr; X{ X fprintf (stderr, "usage: %s [-bchmnEIMNORTWX] ", ptr); X fprintf (stderr, "[-C access-file] "); X fprintf (stderr, "[-d debug-level]\n"); X fprintf (stderr, " [-r input_file] "); X fprintf (stderr, "[-w output_file] "); X fprintf (stderr, "[-F file] [-P port]\n"); X fprintf (stderr, " [-S argus_server] expression.\n"); X fprintf (stderr, "options: b - dump packet-matching code.\n"); X fprintf (stderr, " c - print packet and byte counts.\n"); X fprintf (stderr, " C - specify Cisco access-file.\n"); X fprintf (stderr, " h - print help.\n"); X fprintf (stderr, " m - print MAC addresses.\n"); X fprintf (stderr, " n - don't convert numbers to names.\n"); X fprintf (stderr, " r - read Argus input file.\n"); X fprintf (stderr, " w - write Argus output file.\n"); X fprintf (stderr, " P - specify remote argus port.\n"); X fprintf (stderr, " S - specify remote argus host.\n"); X fprintf (stderr, " E - print ESTABLISHED transactions.\n"); X fprintf (stderr, " I - print extended ICMP status.\n"); X fprintf (stderr, " F - use file to define filter expression.\n"); X fprintf (stderr, " M - print MULTIROUTE transactions.\n"); X fprintf (stderr, " N - print NORMAL_CLOSED transactions.\n"); X fprintf (stderr, " O - print transactions with ip OPTIONS.\n"); X fprintf (stderr, " R - print RESET transactions.\n"); X fprintf 
(stderr, " T - print TIMEDOUT transactions.\n"); X fprintf (stderr, " W - print WINDOW_SHUT transactions.\n"); X fprintf (stderr, " X - print PKTS_RETRANS transactions.\n"); X exit(1); X} X X X Xprocess_tcp (ptr) Xstruct writeStruct *ptr; X{ X int i, src_bytes, dst_bytes, src_count, dst_count, ind, vc = 0; X unsigned int state; X struct in_addr *srcAddr, *dstAddr; X struct ether_addr *esrcAddr, *edstAddr; X char date [128], buf [256], fmtstr[256]; X char *dstString, *srcString, *protoStr; X char *edstString, *esrcString; X char *processStr = NULL; X unsigned short srcPort, dstPort; X u_long port; X X bzero (fmtstr, 256); X X port = ptr->addr.port; X if (ptr->status & DETAIL) { X strftime ((char *) &date, 128, "%a %m/%d %T ", &tm_lasttime); X } else { X strftime ((char *) &date, 128, "%a %m/%d %T ", &tm_startime); X } X state = ptr->status & X (SAW_SYN | NORMAL_CLOSE | SAW_SYN_SENT | CON_ESTABLISHED); X X protoStr = (nflag > 1) ? "6 " : "tcp"; X if (mflag) { X vc = 16; X strcpy (fmtstr, X "%s%17.17s %17.17s %3s %15.15s.%-5.5s - %15.15s.%-5.5s "); X } else X strcpy (fmtstr, "%s %3s %15.15s.%-5.5s - %15.15s.%-5.5s "); X X if (cflag) X strcat (fmtstr, "%-5d %-5d %-7d %-7d"); X X if (state) { X if (state & NORMAL_CLOSE) { X fmtstr[28 + vc] = '>'; X processStr = process_state_strings[3]; X } else { X if (ptr->status & DETAIL) { X if (state & CLOSE_WAITING) { X fmtstr[26 + vc] = '<'; fmtstr[28 + vc] = '>'; X processStr = process_state_strings[6]; X } else X if (state & CON_ESTABLISHED) { X fmtstr[26 + vc] = '<'; fmtstr[28 + vc] = '>'; X processStr = process_state_strings[2]; X } else X if (state & SAW_SYN_SENT) { X fmtstr[26 + vc] = '<'; X processStr = process_state_strings[1]; X } else X if (state & SAW_SYN) { X fmtstr[28 + vc] = '>'; X processStr = process_state_strings[0]; X } X } else { X fmtstr[28 + vc] = '>'; X if (!(state & (SAW_SYN | SAW_SYN_SENT))) X fmtstr[26 + vc] = '<'; X processStr = process_state_strings[3]; X } X } X } X X if (ptr->status & RESET) { X 
fmtstr[27 + vc] = '|';
X      processStr = process_state_strings[5];
X   }
X
X   if (ptr->status & TIMED_OUT) {
X      fmtstr[27 + vc] = 'o';
X      processStr = process_state_strings[4];
X   }
X
X   /* a record with none of the state bits set leaves processStr NULL;
X      strcat() on a NULL pointer would crash the client */
X   if (processStr)
X      strcat (fmtstr, processStr);
X
X   if (ptr->status & PKTS_RETRANS) fmtstr[vc + 2] = '*';
X   if (ptr->status & BLOCKED) fmtstr[vc + 2] = 'B';
X   if (ptr->status & IPOPTIONMASK) {
X      switch (ptr->status & IPOPTIONMASK) {
X         case SSRCROUTE:   fmtstr[vc + 3] = 'S'; break;
X         case LSRCROUTE:   fmtstr[vc + 3] = 'L'; break;
X         case TIMESTAMP:   fmtstr[vc + 3] = 'T'; break;
X         case SECURITY:    fmtstr[vc + 3] = '+'; break;
X         case RECORDROUTE: fmtstr[vc + 3] = 'R'; break;
X         case SATNETID:    fmtstr[vc + 3] = 'N'; break;
X         default:          fmtstr[vc + 3] = '?'; break;
X      }
X   }
X   if (ptr->status & MULTIADDR) fmtstr[vc + 4] = 'M';
X   if (ptr->status & FRAGMENTS) fmtstr[vc + 4] = 'F';
X
X   edstAddr = &ptr->etherdst;
X   esrcAddr = &ptr->ethersrc;
X   srcAddr = &ptr->addr.src; dstAddr = &ptr->addr.dst;
X   srcPort = ((unsigned short *) &port)[0];
X   dstPort = ((unsigned short *) &port)[1];
X   src_count = ptr->src_count;
X   src_bytes = ptr->src_bytes;
X   dst_count = ptr->dst_count;
X   dst_bytes = ptr->dst_bytes;
X
X   if (src_count < 0) src_count = 0;
X   if (dst_count < 0) dst_count = 0;
X
X   if (src_bytes < 0) src_bytes = 0;
X   if (dst_bytes < 0) dst_bytes = 0;
X
X   srcString = ipaddr_string (srcAddr);
X   dstString = ipaddr_string (dstAddr);
X
X   esrcString = etheraddr_string ((char *) esrcAddr);
X   edstString = etheraddr_string ((char *) edstAddr);
X
X   /* a source port of 20 (ftp-data) or 6000-6009 (X11): print the
X      transaction with the two endpoints swapped */
X   if ((srcPort == 20) || ((srcPort >= 6000) && (srcPort < 6010))) {
X      int swap26 = 0, swap28 = 0;
X      if (fmtstr[26 + vc] == '<') swap26 = 1;
X      if (fmtstr[28 + vc] == '>') swap28 = 1;
X      if (!(swap26 && swap28)) {
X         if (swap26) fmtstr[28 + vc] = '>', fmtstr[26 + vc] = ' ';
X         if (swap28) fmtstr[26 + vc] = '<', fmtstr[28 + vc] = ' ';
X      }
X
X      if (mflag)
X         sprintf (buf, fmtstr, date,
X                  edstString, esrcString, protoStr,
X                  dstString, tcpport_string(dstPort),
X                  srcString, tcpport_string(srcPort),
X                  dst_count,
src_count, dst_bytes, src_bytes);
X      else
X         sprintf (buf, fmtstr, date, protoStr,
X                  dstString, tcpport_string(dstPort),
X                  srcString, tcpport_string(srcPort),
X                  dst_count, src_count, dst_bytes, src_bytes);
X   } else
X      if (mflag)
X         sprintf (buf, fmtstr, date,
X                  esrcString, edstString, protoStr,
X                  srcString, tcpport_string(srcPort),
X                  dstString, tcpport_string(dstPort),
X                  src_count, dst_count, src_bytes, dst_bytes);
X      else
X         sprintf (buf, fmtstr, date, protoStr,
X                  srcString, tcpport_string(srcPort),
X                  dstString, tcpport_string(dstPort),
X                  src_count, dst_count, src_bytes, dst_bytes);
X
X   (void) printf ("%s\n", buf);
X}
X
X
Xchar *icmptypestr[ICMP_MAXTYPE + 1] = {
X   "ECR", " ", " ", "UR", "SRC", "RED",
X   " ", " ", "ECO", " ", " ", "TIM",
X   "PAR", "TST", "TSR", "IRQ", "IRR", "MAS",
X   "MSR",
X};
X
Xprocess_icmp (ptr)
Xstruct writeStruct *ptr;
X{
X   int i, vc = 0, rev = 0;
X   struct ip *oip;
X   struct udphdr *ouh;
X   int hlen;
X   struct icmpStruct *icmp;
X   char fmtstr[1024], *blankstring = " ", icmptype[128];
X   char *dstString, *srcString, *protoStr;
X   char *edstString, *esrcString;
X   char buf [256], str[1024], startdate[128];
X   extern char *timestatmp_fmt;
X   extern long timestamp_scale, thiszone;
X   extern u_long getnetnumber (), ipaddrtonetmask ();
X
X   if (ptr) {
X      icmp = (struct icmpStruct *) &ptr->src_count;
X      bzero (icmptype, sizeof (icmptype));
X      /* buf is only filled in for the ICMP_REDIRECT codes handled below,
X         but it is appended to icmptype for every redirect, so clear it */
X      bzero (buf, sizeof (buf));
X      /* the type comes off the wire: index the name table only when the
X         value is inside it (the table has ICMP_MAXTYPE + 1 entries) */
X      if ((unsigned int) icmp->type <= ICMP_MAXTYPE)
X         strcpy (icmptype, icmptypestr[icmp->type]);
X      else
X         strcpy (icmptype, "???");
X      esrcString = etheraddr_string ((char *) &ptr->ethersrc);
X      edstString = etheraddr_string ((char *) &ptr->etherdst);
X      srcString = ipaddr_string (&ptr->addr.src);
X      dstString = ipaddr_string (&ptr->addr.dst);
X      strftime ((char *) &startdate, 128, "%a %m/%d %T ", &tm_lasttime);
X      switch (icmp->type) {
X         case ICMP_UNREACH:
X            switch (icmp->code) {
X               case ICMP_UNREACH_NET:
X                  strcat (icmptype, "N");
X                  if (Iflag)
X                     if (icmp->dstaddr.s_addr) {
X                        u_long addr = icmp->dstaddr.s_addr;
X                        sprintf (&icmptype[strlen(icmptype)], " %s",
X                                 getnetname (getnetnumber (addr &
X                                             ipaddrtonetmask (addr))));
X                     }
X
break; X case ICMP_UNREACH_HOST: X strcat (icmptype, "H"); X if (Iflag) X if (icmp->dstaddr.s_addr) X sprintf (&icmptype[strlen(icmptype)], " %s", X ipaddr_string (&icmp->dstaddr.s_addr)); X break; X case ICMP_UNREACH_PROTOCOL: X strcat (icmptype, "O"); X if (Iflag) X if (icmp->data) X sprintf (&icmptype[strlen(icmptype)]," %d", icmp->data); X break; X case ICMP_UNREACH_PORT: { X strcat (icmptype, "P"); X if (Iflag) X if (icmp->data & icmp->gwaddr.s_addr) X sprintf (&icmptype[strlen(icmptype)], X " proto %d port %d", X icmp->data, *((unsigned short *)&icmp->gwaddr)); X else if (icmp->data) X sprintf (&icmptype[strlen(icmptype)]," %d", icmp->data); X break; X } X case ICMP_UNREACH_NEEDFRAG: X strcat (icmptype, "F"); break; X case ICMP_UNREACH_SRCFAIL: X strcat (icmptype, "S"); break; X } X break; X X case ICMP_MASKREPLY: X if (Iflag) X if (icmp->srcaddr.s_addr) X sprintf (&icmptype[strlen(icmptype)], " 0x%08x", X icmp->srcaddr.s_addr); X break; X X case ICMP_REDIRECT: X switch (icmp->code) { X case ICMP_REDIRECT_NET: X (void)sprintf (buf, " %s to net %s", X ipaddr_string (&icmp->dstaddr.s_addr), X ipaddr_string (&icmp->gwaddr.s_addr)); X break; X case ICMP_REDIRECT_HOST: X (void)sprintf (buf, " %s to host %s", X ipaddr_string (&icmp->dstaddr.s_addr), X ipaddr_string (&icmp->gwaddr.s_addr)); X break; X case ICMP_REDIRECT_TOSNET: X (void)sprintf (buf, " tos %s to net %s", X ipaddr_string (&icmp->dstaddr.s_addr), X ipaddr_string (&icmp->gwaddr.s_addr)); X break; X case ICMP_REDIRECT_TOSHOST: X (void)sprintf (buf, " tos %s to host %s", X ipaddr_string (&icmp->dstaddr.s_addr), X ipaddr_string (&icmp->gwaddr.s_addr)); X break; X } X strcat (icmptype, buf); X break; X X case ICMP_ECHOREPLY: X rev = 1; X break; X X case ICMP_PARAMPROB: X case ICMP_SOURCEQUENCH: X case ICMP_ECHO: X case ICMP_TIMXCEED: X case ICMP_TSTAMP: X case ICMP_TSTAMPREPLY: X case ICMP_IREQ: X case ICMP_IREQREPLY: X case ICMP_MASKREQ: X break; X } X X protoStr = (nflag > 1) ? 
"1 " : "icmp"; X X if (mflag) { X sprintf (fmtstr, "%s", X "%s%17.17s %17.17s icmp %15.15s %-5.5s -> %15.15s %-5.5s"); X if (rev) {fmtstr[42] = '<'; fmtstr[44] = ' ';} X if (Iflag) strcat (fmtstr, " %s"); X else strcat (fmtstr, " %3.3s"); X if (rev) X sprintf (str, fmtstr, startdate, esrcString, edstString, X dstString, blankstring, srcString, blankstring, icmptype); X else X sprintf (str, fmtstr, startdate, esrcString, edstString, X srcString, blankstring, dstString, blankstring, icmptype); X } else { X sprintf (fmtstr, "%s", X "%s %-4.4s %15.15s %-5.5s -> %15.15s %-5.5s"); X if (rev) {fmtstr[28] = '<'; fmtstr[30] = ' ';} X if (Iflag) strcat (fmtstr, " %s"); X else strcat (fmtstr, " %3.3s"); X X if (rev) X sprintf (str, fmtstr, startdate, protoStr, X dstString, blankstring, srcString, blankstring, icmptype); X else X sprintf (str, fmtstr, startdate, protoStr, X srcString, blankstring, dstString, blankstring, icmptype); X } X X if (ptr->status & BLOCKED) fmtstr[vc + 2] = 'B'; X if (ptr->status & IPOPTIONMASK) { X switch (ptr->status & IPOPTIONMASK) { X case SSRCROUTE: fmtstr[vc + 3] = 'S'; break; X case LSRCROUTE: fmtstr[vc + 3] = 'L'; break; X case TIMESTAMP: fmtstr[vc + 3] = 'T'; break; X case SECURITY: fmtstr[vc + 3] = '+'; break; X case RECORDROUTE: fmtstr[vc + 3] = 'R'; break; X case SATNETID: fmtstr[vc + 3] = 'N'; break; X default: fmtstr[vc + 3] = '?'; break; X } X } X if (ptr->status & MULTIADDR) fmtstr[vc + 4] = 'M'; X if (ptr->status & FRAGMENTS) fmtstr[vc + 4] = 'F'; X X printf ("%s\n", str); X } X} X X Xprocess_udp (ptr) Xstruct writeStruct *ptr; X{ X int i, vc = 0; X char *blankstring = "* "; X char *dstString, *srcString, *udpString; X char *edstString, *esrcString, *protoStr; X char buf[1024], date[128], fmtstr[256]; X u_short srcport, dstport; X extern char *timestatmp_fmt; X extern long timestamp_scale, thiszone; X X esrcString = etheraddr_string ((char *) &ptr->ethersrc); X edstString = etheraddr_string ((char *) &ptr->etherdst); X srcString = 
ipaddr_string (&ptr->addr.src.s_addr); X dstString = ipaddr_string (&ptr->addr.dst.s_addr); X srcport = ((u_short *)&ptr->addr.port)[0]; X dstport = ((u_short *)&ptr->addr.port)[1]; X X if (ptr->status & DETAIL) X strftime ((char *) &date, 128, "%a %m/%d %T ", &tm_lasttime); X else X strftime ((char *) &date, 128, "%a %m/%d %T ", &tm_startime); X X protoStr = (nflag > 1) ? "17 " : "udp"; X X if (mflag) { X vc = 16; X strcpy (fmtstr, X "%s%17.17s %17.17s %3s %15.15s.%-5.5s - %15.15s.%-5.5s "); X } else X strcpy (fmtstr, "%s %3s %15.15s.%-5.5s - %15.15s.%-5.5s "); X X if (cflag) X strcat (fmtstr, "%-5d %-5d %-7d %-7d"); X X if (ptr->status & BLOCKED) fmtstr[vc + 2] = 'B'; X if (ptr->status & IPOPTIONMASK) { X switch (ptr->status & IPOPTIONMASK) { X case SSRCROUTE: fmtstr[vc + 3] = 'S'; break; X case LSRCROUTE: fmtstr[vc + 3] = 'L'; break; X case TIMESTAMP: fmtstr[vc + 3] = 'T'; break; X case SECURITY: fmtstr[vc + 3] = '+'; break; X case RECORDROUTE: fmtstr[vc + 3] = 'R'; break; X case SATNETID: fmtstr[vc + 3] = 'N'; break; X default: fmtstr[vc + 3] = '?'; break; X } X } X if (ptr->status & MULTIADDR) fmtstr[vc + 4] = 'M'; X if (ptr->status & FRAGMENTS) fmtstr[vc + 4] = 'F'; X X fmtstr[26 + vc] = (ptr->dst_count) ? '<' : ' '; X fmtstr[28 + vc] = (ptr->src_count) ? 
'>' : ' '; X if ((ptr->status & TIMED_OUT)) strcat (fmtstr, "TIM"); X else if (ptr->status & CON_ESTABLISHED) { X if ((ptr->src_count == 1) && (ptr->dst_count == 1)) X strcat (fmtstr, "ACC"); X else strcat (fmtstr, "CON"); X } else if (ptr->status & UDP_INIT) strcat (fmtstr, "INT"); X X if (mflag) X sprintf (buf, fmtstr, date, X esrcString, edstString, X protoStr, X srcString, udpport_string (srcport), X dstString, udpport_string (dstport), X ptr->src_count, ptr->dst_count, X ptr->src_bytes, ptr->dst_bytes); X else X sprintf (buf, fmtstr, date, protoStr, X srcString, udpport_string (srcport), X dstString, udpport_string (dstport), X ptr->src_count, ptr->dst_count, X ptr->src_bytes, ptr->dst_bytes); X X printf ("%s\n", buf); X} X X#define IPPROTOSTR 99 Xchar *ip_proto_string [IPPROTOSTR] = {"ip", "icmp", "igmp", "ggp", X "ipnip", "st", "tcp", "ucl", "egp", "igp", "bbn-rcc-mon", "nvp-ii", X "pup", "argus", "emcon", "xnet", "chaos", "udp", "mux", "dcn-meas", X "hmp", "prm", "xns-idp", "trunk-1", "trunk-2", "leaf-1", "leaf-2", X "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp", "merit-inp", "sep", X "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++", "il", "unas", X "unas", "unas", "unas", "unas", "unas", "unas", "unas", "unas", X "unas", "unas", "unas", "unas", "unas", "unas", "unas", "unas", X "unas", "unas", "unas", "any", "cftp", "any", "sat-expak", "kryptolan", X "rvd", "ippc", "any", "sat-mon", "visa", "ipcv", "cpnx", "cphb", "wsn", X "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak", "iso-ip", "vmtp", X "secure-vmtp", "vines", "ttp", "nsfnet-igp", "dgp", "tcf", "igrp", X "ospfigp", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp", X "aes-sp3-d", "etherip", "encap", X}; X X X Xprocess_ip (ptr) Xstruct writeStruct *ptr; X{ X int i, vc = 0; X char *blankstring = "* "; X char *dstString, *srcString, *protoStr ; X char *edstString, *esrcString; X char buf[1024], date[128], fmtstr[256], protoStrbuf[16]; X extern char *timestatmp_fmt; X extern long timestamp_scale, 
thiszone; X int src_count, dst_count, src_bytes, dst_bytes; X u_char proto; X X srcString = ipaddr_string (&ptr->addr.src.s_addr); X dstString = ipaddr_string (&ptr->addr.dst.s_addr); X esrcString = etheraddr_string ((char *) &ptr->ethersrc); X edstString = etheraddr_string ((char *) &ptr->etherdst); X src_count = ptr->src_count; dst_count = ptr->dst_count; X src_bytes = ptr->src_bytes; dst_bytes = ptr->dst_bytes; X X if (ptr->status & DETAIL) X strftime ((char *) &date, 128, "%a %m/%d %T ", &tm_lasttime); X else X strftime ((char *) &date, 128, "%a %m/%d %T ", &tm_startime); X X if (mflag) { X vc = 16; X strcpy (fmtstr, X "%s%17.17s %17.17s %-5.5s%20.20s - %20.20s "); X } else X strcpy (fmtstr, "%s %-5.5s%20.20s - %20.20s "); X X fmtstr[21 + vc] = (dst_count) ? '<' : ' '; X fmtstr[23 + vc] = (src_count) ? '>' : ' '; X X if (cflag) X strcat (fmtstr, "%-5d %-5d %-7d %-7d"); X X if ((ptr->status & TIMED_OUT)) strcat (fmtstr, "TIM"); X else if (ptr->status & CON_ESTABLISHED) { X if ((ptr->src_count == 1) && (ptr->dst_count == 1)) X strcat (fmtstr, "ACC"); X else strcat (fmtstr, "CON"); X } else if (ptr->status & UDP_INIT) strcat (fmtstr, "INT"); X X if (ptr->status & BLOCKED) fmtstr[vc + 2] = 'B'; X if (ptr->status & IPOPTIONMASK) { X switch (ptr->status & IPOPTIONMASK) { X case SSRCROUTE: fmtstr[vc + 3] = 'S'; break; X case LSRCROUTE: fmtstr[vc + 3] = 'L'; break; X case TIMESTAMP: fmtstr[vc + 3] = 'T'; break; X case SECURITY: fmtstr[vc + 3] = '+'; break; X case RECORDROUTE: fmtstr[vc + 3] = 'R'; break; X case SATNETID: fmtstr[vc + 3] = 'N'; break; X default: fmtstr[vc + 3] = '?'; break; X } X } X if (ptr->status & MULTIADDR) fmtstr[vc + 4] = 'M'; X if (ptr->status & FRAGMENTS) fmtstr[vc + 4] = 'F'; X X proto = ((unsigned char *)&ptr->addr.port)[3]; X sprintf (protoStrbuf, "%u", proto); X protoStr = (nflag > 1) ? protoStrbuf : X proto >= IPPROTOSTR ? 
"unas" : ip_proto_string[proto]; X X if (mflag && cflag) X sprintf (buf, fmtstr, date, X esrcString, edstString, protoStr, X srcString, dstString, X src_count, dst_count, X src_bytes, dst_bytes); X else X if (cflag) X sprintf (buf, fmtstr, date, protoStr, X srcString, dstString, X src_count, dst_count, X src_bytes, dst_bytes); X else X if (mflag) X sprintf (buf, fmtstr, date, X esrcString, edstString, protoStr, X srcString, dstString); X else X sprintf (buf, fmtstr, date, protoStr, X srcString, dstString); X X printf ("%s\n", buf); X} X SHAR_EOF $shar_touch -am 0508141295 'argus-1.5/clients/ra.c' && chmod 0444 'argus-1.5/clients/ra.c' || echo 'restore of argus-1.5/clients/ra.c failed' shar_count="`wc -c < 'argus-1.5/clients/ra.c'`" test 22782 -eq "$shar_count" || echo "argus-1.5/clients/ra.c: original size 22782, current size $shar_count" rm -f _sharnew.tmp fi # ============= argus-1.5/clients/policy.conf ============== if test -f 'argus-1.5/clients/policy.conf' && test X"$1" != X"-c"; then echo 'x - skipping argus-1.5/clients/policy.conf (file already exists)' rm -f _sharnew.tmp else > _sharnew.tmp echo 'x - extracting argus-1.5/clients/policy.conf (text)' sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/clients/policy.conf' && X# X# Copyright (c) 1993, 1994 Carnegie Mellon University. X# All rights reserved. X# X# Use in source and binary forms, with or without modification, is X# permitted provided that source code modifications retain all X# perintent copyright notices and this paragraph in its entirety. X# This distribution includes software developed by Carnegie Mellon X# University and the Software Engineering Institute. X# X# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED X# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF X# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. X# X# X# X# policy sample configuration file. 
X# the policy(1) client of argus(1) can read Cisco access control
X# definitions, which can be used as a filter to show log entries
X# that should be blocked by the policy.
X#
X#
X# Carter Bullard
X# Software Engineering Institute
X# Carnegie Mellon University
X#
X#
X# WARNING!!
X# this sample Cisco access control list does not enforce a
X# viable access control policy. it is presented solely as a
X# demonstration of the format of the policy(1) configuration
X# file.
X
Xno ip source-route
Xaccess-list 102 permit ip 1.2.3.0 0.0.0.255 3.2.1.0 0.0.0.255
Xaccess-list 102 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Xaccess-list 102 deny udp 1.2.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 111
Xaccess-list 102 permit udp 1.2.0.0 0.0.255.255 0.0.0.0 255.255.255.255
Xaccess-list 102 permit tcp 1.2.3.4 0.0.0.0 0.0.0.0 255.255.255.255 established
Xaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 2.3.4.5 0.0.0.0 eq 21
Xaccess-list 102 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 25
Xaccess-list 102 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
SHAR_EOF
  $shar_touch -am 0508141295 'argus-1.5/clients/policy.conf' &&
  chmod 0444 'argus-1.5/clients/policy.conf' ||
  echo 'restore of argus-1.5/clients/policy.conf failed'
  shar_count="`wc -c < 'argus-1.5/clients/policy.conf'`"
  test 1744 -eq "$shar_count" ||
    echo "argus-1.5/clients/policy.conf: original size 1744, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/clients/policy.test ==============
if test -f 'argus-1.5/clients/policy.test' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/clients/policy.test (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/clients/policy.test (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/clients/policy.test' &&
Xno ip source-route
Xaccess-list 102 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Xaccess-list 102 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049
Xaccess-list 102 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
SHAR_EOF
  $shar_touch -am 0508141295 'argus-1.5/clients/policy.test' &&
  chmod 0444 'argus-1.5/clients/policy.test' ||
  echo 'restore of argus-1.5/clients/policy.test failed'
  shar_count="`wc -c < 'argus-1.5/clients/policy.test'`"
  test 255 -eq "$shar_count" ||
    echo "argus-1.5/clients/policy.test: original size 255, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/clients/template.c ==============
if test -f 'argus-1.5/clients/template.c' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/clients/template.c (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/clients/template.c (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/clients/template.c' &&
X
X/*
X * Copyright (c) 1993, 1994 Carnegie Mellon University.
X * All rights reserved.
X *
X * Permission to use, copy, modify, and distribute this software and
X * its documentation for any purpose and without fee is hereby granted,
X * provided that the above copyright notice appear in all copies and
X * that both that copyright notice and this permission notice appear
X * in supporting documentation, and that the name of CMU not be
X * used in advertising or publicity pertaining to distribution of the
X * software without specific, written prior permission.
X *
X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X * SOFTWARE.
X *
X */
X
X/*
X * template - argus client template.
X *
X * this module should define these routines:
X *
X *    (void) usage ((char *) argv[0]);
X *       this routine should print the standard usage message
X *       for the specific application.
X *
X *    init ();
X *       this is the application specific init
X *       routine, which is called after all parsing
X *       initialization is done, prior to reading the
X *       first argus(1) datum.
X *
X *    (void) clientTimeout ();
X *       this routine is called every second, when
X *       the argus client is connected to a remote
X *       data source using the -S flag.
X *
X *    process_tcp ((struct writeStruct *) ptr);
X *       this routine should process tcp events;
X *
X *    process_udp ((struct writeStruct *) ptr);
X *       this routine should process udp events;
X *
X *    process_icmp ((struct writeStruct *) ptr);
X *       this routine should process icmp events;
X *
X *    process_ip ((struct writeStruct *) ptr);
X *       this routine should process ip events;
X *
X *    (void) argus_parse_complete ();
X *       this routine will be called after all the
X *       monitor data has been read.
X *
X *
X * written by Carter Bullard
X * Software Engineering Institute
X * Carnegie Mellon University
X *
X */
X
X#define ARGUS_CLIENT
X
X#include
X#include
X
X#include
X
X#include
X#include
X
X
Xchar *appOptstring = NULL;
Xextern int major_version, minor_version;
X
Xinit () {}
X
Xvoid argus_parse_complete () {}
X
Xvoid clientTimeout () {}
X
Xparse_arg (argc, argv)
Xint argc;
Xchar**argv;
X{}
X
Xvoid
Xusage (ptr)
Xchar *ptr;
X{
X   exit(1);
X}
X
X
Xprocess_tcp (ptr)
Xstruct writeStruct *ptr;
X{
X}
X
X
Xprocess_icmp (ptr)
Xstruct writeStruct *ptr;
X{
X}
X
Xprocess_udp (ptr)
Xstruct writeStruct *ptr;
X{
X}
X
Xprocess_ip (ptr)
Xstruct writeStruct *ptr;
X{
X}
X
SHAR_EOF
  $shar_touch -am 0508141295 'argus-1.5/clients/template.c' &&
  chmod 0444 'argus-1.5/clients/template.c' ||
  echo 'restore of argus-1.5/clients/template.c failed'
  shar_count="`wc -c < 'argus-1.5/clients/template.c'`"
  test 3047 -eq "$shar_count" ||
    echo "argus-1.5/clients/template.c: original size 3047, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/clients/services.c ==============
if test -f 'argus-1.5/clients/services.c' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/clients/services.c (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/clients/services.c (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/clients/services.c' &&
X
X/*
X * Copyright (c) 1993, 1994 Carnegie Mellon University.
X * All rights reserved.
X *
X * Permission to use, copy, modify, and distribute this software and
X * its documentation for any purpose and without fee is hereby granted,
X * provided that the above copyright notice appear in all copies and
X * that both that copyright notice and this permission notice appear
X * in supporting documentation, and that the name of CMU not be
X * used in advertising or publicity pertaining to distribution of the
X * software without specific, written prior permission.
X *
X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X * SOFTWARE.
X *
X */
X
X/*
X *
X * services - list services encountered in connection log.
X *
X * written by Carter Bullard
X * Software Engineering Institute
X * Carnegie Mellon University
X *
X */
X
X#define ARGUS_CLIENT
X
X#include
X
X#include
X
X#include
X#include
X#include
X#ifndef SOLARIS
X#include
X#endif
X#include
X#include
X
X#include
X
X#include
X#include
X
X#include
X
X#include
X#include
X#include
X#include
X
X#include
X#include
X#include
X#include
X#include
X
Xchar *appOptstring = NULL;
Xextern int major_version, minor_version;
X
X
X
X#define SRC 1
X#define DST 2
X
Xstruct TCP_seq_hash *connections = NULL;
Xstruct QUEUE net_objects;
Xstruct QUEUE networks;
X
Xstruct NETWORK *net_hash_seq [TSEQ_HASHSIZE];
Xstruct NET_OBJECT *net_obj_hash_seq [TSEQ_HASHSIZE];
X
Xextern u_long ipaddrtonetmask ();
Xextern u_long thisnet, localnet, localnetnumber, netmask;
X
Xstruct NET_OBJECT *net_object_hash ();
Xstruct NET_OBJECT *new_net_object_hash ();
X
Xstruct NETWORK *network_hash ();
Xstruct NETWORK *new_network_hash_entry ();
Xstruct NETWORK this_phys_net;
X
Xint network_compare ();
Xint net_obj_compare ();
X
Xextern char *progname;
X
X
Xint Qflag = 0;
Xint Lflag = 0;
Xint fflag = 0;
Xint Dflag = 0;
X
X
Xint argus_parse_complete ();
Xstruct NET_OBJECT total_net_obj;
X
Xinit ()
X{
X   bzero ((char *) &net_objects, sizeof (struct QUEUE));
X   bzero ((char *) &networks, sizeof (struct QUEUE));
X   bzero ((char *) &this_phys_net, sizeof (struct NETWORK));
X   bzero ((char *) &total_net_obj, sizeof (struct NET_OBJECT));
X   (void) signal
(SIGPIPE, SIG_IGN); X (void) signal (SIGHUP, (void (*)()) argus_parse_complete); X (void) signal (SIGINT, (void (*)()) argus_parse_complete); X (void) signal (SIGTERM, (void (*)()) argus_parse_complete); X (void) signal (SIGQUIT, (void (*)()) argus_parse_complete); X X dflag = sflag = 1; X} X Xargus_parse_complete () X{ X struct PORT *ptr, *startPtr; X putchar ('\n'); X X if (total_stats.cons) { X printf ("%s\n", cmdline); X print_stats_data ("Total Cons ", total_stats); X printf ("\n port cons src b/pkt dst b/pkt"); X printf (" secs\n"); X printf (" mean(sd) mean(sd)"); X printf (" mean(sd)\n"); X X print_port_stats_data (" ", total_net_obj.ports); X printf ("\n"); X } else X printf ("No connections seen\n"); X exit (0); X} X X Xvoid clientTimeout () {} Xparse_arg (argc, argv) Xint argc; Xchar **argv; X{} X Xvoid Xusage (ptr) Xchar *ptr; X{ X fprintf (stderr, "usage: %s [-bchmnEIMNORTWX] ", ptr); X fprintf (stderr, "[-C access-file] "); X fprintf (stderr, "[-d debug-level]\n"); X fprintf (stderr, " [-r input_file] "); X fprintf (stderr, "[-w output_file] "); X fprintf (stderr, "[-F file] [-P port]\n"); X fprintf (stderr, " [-S argus_server] expression.\n"); X fprintf (stderr, "options: b - dump packet-matching code.\n"); X fprintf (stderr, " c - print packet and byte counts.\n"); X fprintf (stderr, " C - specify Cisco access-file.\n"); X fprintf (stderr, " h - print help.\n"); X fprintf (stderr, " m - print MAC addresses.\n"); X fprintf (stderr, " n - don't convert numbers to names.\n"); X fprintf (stderr, " r - read Argus input file.\n"); X fprintf (stderr, " w - write Argus output file.\n"); X fprintf (stderr, " P - specify remote argus port.\n"); X fprintf (stderr, " S - specify remote argus host.\n"); X fprintf (stderr, " E - use ESTABLISHED transactions.\n"); X fprintf (stderr, " I - use extended ICMP status.\n"); X fprintf (stderr, " F - use file to define filter expression.\n"); X fprintf (stderr, " M - use MULTIROUTE transactions.\n"); X fprintf (stderr, " 
N - use NORMAL_CLOSED transactions.\n"); X fprintf (stderr, " O - use transactions with ip OPTIONS.\n"); X fprintf (stderr, " R - use RESET transactions.\n"); X fprintf (stderr, " T - use TIMEDOUT transactions.\n"); X fprintf (stderr, " W - use WINDOW_SHUT transactions.\n"); X fprintf (stderr, " X - use PKTS_RETRANS transactions.\n"); X exit(1); X} X Xprocess (ptr, seconds) Xstruct writeStruct *ptr; Xdouble seconds; X{ X if (!(ptr->status & DETAIL)) X do_stats (ptr, NULL, 0, seconds); X} X X Xprocess_icmp (ptr) Xstruct writeStruct *ptr; X{ X} X Xprocess_tcp (ptr) Xstruct writeStruct *ptr; X{ X double seconds; X X if ((ptr->status & CON_ESTABLISHED) && (ptr->status & (SAW_SYN_SENT | SAW_SYN ))) { X seconds = (double)(((double)(ptr->lasttime.tv_sec-ptr->startime.tv_sec)) X + ((ptr->lasttime.tv_usec - ptr->startime.tv_usec)/1000000.0)); X X process (ptr, seconds); X } X} X Xprocess_udp (ptr) Xstruct writeStruct *ptr; X{ X double seconds; X X if ((ptr->src_count == 1) && (ptr->dst_count == 1)) { X seconds = (double)(((double)(ptr->lasttime.tv_sec-ptr->startime.tv_sec)) X + ((ptr->lasttime.tv_usec - ptr->startime.tv_usec)/1000000.0)); X X if (seconds < 120.0) X process (ptr, seconds); X } X} X Xprocess_ip (ptr) Xstruct writeStruct *ptr; X{ X} X X Xdo_stats (ptr, net_obj, index, seconds) Xstruct writeStruct *ptr; Xstruct NET_OBJECT *net_obj; Xint index; Xdouble seconds; X{ X int i; X struct STATISTICS *stats; X X if (net_obj) { X if (net_obj->group) X do_stats (ptr, net_obj->group, index, seconds); X X switch (index) { X case SRC: stats = &net_obj->src_stats; break; X case DST: stats = &net_obj->dst_stats; break; X default: break; X } X } else X stats = &total_stats; X X if (ptr->src_bytes > 0) { X do_particular_stats (ptr, stats, seconds); X X if ((index == DST) || !(net_obj)) X do_port_stats (ptr, net_obj, seconds); X } X} X X Xdo_port_stats (ptr, net_obj, seconds) Xstruct writeStruct *ptr; Xstruct NET_OBJECT *net_obj; Xdouble seconds; X{ X struct PORT *ports, 
*portStart, *port; X struct STATISTICS *stats = NULL; X unsigned short dstPort, srcPort, proto; X struct NET_OBJECT *object; X X srcPort = ((unsigned short *) &ptr->addr.port)[0]; X dstPort = ((unsigned short *) &ptr->addr.port)[1]; X X proto = (ptr->status & TCPPROTO) ? TCP : X (ptr->status & UDPPROTO) ? UDP : 0; X if ((srcPort != 20) && (srcPort != 6000)) { X object = (net_obj) ? net_obj : &total_net_obj; X X ports = portStart = object->ports; X if (ports) { X do { X if ((ports->port > dstPort) || X ((ports->port == dstPort) && (ports->proto == proto))) X break; X ports = ports->nxt; X } while (ports != portStart); X X if ((ports->port == dstPort) && (ports->proto == proto)) X stats = &ports->stats; X } X X if (!stats) X if (port = (struct PORT *) calloc (1, sizeof (struct PORT))) { X if (!ports) { X port->prv = port; X port->nxt = port; X object->ports = port; X } else { X port->nxt = ports; X port->prv = ports->prv; X ports->prv = port; X port->prv->nxt = port; X X } X stats = &port->stats; X port->port = dstPort; X port->proto = proto; X if (object->ports->port > dstPort) object->ports = port; X } X X if (stats) X do_particular_stats (ptr, stats, seconds); X } X} X X Xdo_particular_stats (ptr, stats, seconds) Xstruct writeStruct *ptr; Xstruct STATISTICS *stats; Xdouble seconds; X{ X double bppkt = 0.0; X int src_count, dst_count, src_bytes, dst_bytes; X X src_count = (ptr->src_count > 0) ? ptr->src_count : 0; X dst_count = (ptr->dst_count > 0) ? ptr->dst_count : 0; X src_bytes = (ptr->src_bytes > 0) ? ptr->src_bytes : 0; X dst_bytes = (ptr->dst_bytes > 0) ? 
ptr->dst_bytes : 0;
X
X   stats->cons++;
X   stats->secs += seconds;
X   stats->secs_sqrd += pow (seconds, 2.0);
X
X   stats->src.pkts += src_count; stats->dst.pkts += dst_count;
X   stats->src.bytes += src_bytes; stats->dst.bytes += dst_bytes;
X
X   stats->src.pkts_sqrd += pow (src_count, 2.0);
X   stats->dst.pkts_sqrd += pow (dst_count, 2.0);
X
X   stats->src.bytes_sqrd += pow (src_bytes, 2.0);
X   stats->dst.bytes_sqrd += pow (dst_bytes, 2.0);
X
X   if (src_count) {
X      double bppkt = (double) src_bytes/src_count;
X      stats->src.bytes_per_pkt += bppkt;
X      stats->src.bytes_per_pkt_sqrd += pow (bppkt, 2.0);
X   }
X   if (dst_count) {
X      double bppkt = (double) dst_bytes/dst_count;
X      stats->dst.bytes_per_pkt += bppkt;
X      stats->dst.bytes_per_pkt_sqrd += pow (bppkt, 2.0);
X   }
X}
X
X
X
X#include
X
X#include
X
Xchar output_string [256];
X
X
Xstruct NET_OBJECT *net_object_hash (ip_addr)
Xu_long ip_addr;
X{
X   register struct NET_OBJECT *net_obj = NULL;
X   register struct IP_ENTRY *ip = NULL;
X   register int i, n, found = 0;
X   register u_long hash = 0;
X   register u_char *ptr;
X
X   for (i = 0, ptr = (u_char *) &ip_addr; i < sizeof (u_long); i++)
X      hash += *ptr++;
X
X   /* the byte sum can exceed TSEQ_HASHSIZE; reduce it before it is used
X      as an index into net_obj_hash_seq[] (network_hash() below already
X      reduces its hash the same way) */
X   hash %= TSEQ_HASHSIZE;
X
X   if (net_obj = net_obj_hash_seq [hash])
X      for (; net_obj; net_obj = (struct NET_OBJECT *) net_obj->nxt)
X         if (net_obj->ip_addr->addr == ip_addr) {
X            found = 1; break;
X         }
X
X   if (!found) {
X      if (net_obj = new_net_object_hash (hash)) {
X         if (ip = (struct IP_ENTRY *) calloc (1, sizeof (struct IP_ENTRY))) {
X            ip->addr = ip_addr;
X            net_obj->ip_addr = ip;
X         }
X
X         add_to_queue (&net_objects, net_obj);
X      }
X   }
X
X   return (net_obj);
X}
X
X
X
Xstruct NET_OBJECT *new_net_object_hash (hash)
Xu_long hash;
X{
X   register struct NET_OBJECT *net_obj = NULL;
X
X   if (net_obj = (struct NET_OBJECT *) calloc (1, sizeof (struct NET_OBJECT))) {
X      net_obj->nxt = net_obj_hash_seq [hash];
X      net_obj_hash_seq [hash] = net_obj;
X      net_obj->type = MACHINE;
X      net_obj->index = total_hosts++;
X   }
X
X   return (net_obj);
X}
X
X
X
Xstruct NETWORK *network_hash (ip_addr)
Xu_long
ip_addr; X{ X register struct NETWORK *net = NULL; X register int found = 0; X register u_long hash; X register u_long mask, netnumber; X X mask = ipaddrtonetmask (ip_addr); X netnumber = getnetnumber (ip_addr & mask); X hash = netnumber % TSEQ_HASHSIZE; X X if (net = net_hash_seq [hash]) X for (; net; net = net->nxt) X if (net->ip_net == netnumber) { X found = 1; break; X } X X if (!found) { X if (net = new_network_hash_entry (hash)) { X net->ip_mask = mask; X net->ip_net = netnumber; X net->net.net = net; X net->net.type = NET; X add_to_queue (&networks, net); X } X } X X return (net); X} X X X Xstruct NETWORK *new_network_hash_entry (hash) Xu_long hash; X{ X register struct NETWORK *net = NULL; X X if (net = (struct NETWORK *) calloc (1, sizeof (struct NETWORK))) { X net->nxt = net_hash_seq [hash]; X net->net.type = NET; X net_hash_seq [hash] = net; X total_nets++; X } X X return (net); X} X Xadd_obj_to_net (obj, net) Xstruct NET_OBJECT *obj; Xstruct NETWORK *net; X{ X struct NET_OBJECT_PTR *objPtr, *netObj, *startObj; X X if (obj && net) { X if (startObj = netObj = net->ent) { X do { X if (netObj->net_obj->ip_addr->addr >= obj->ip_addr->addr) X break; X netObj = netObj->nxt; X } while (netObj != startObj); X } X X if (!netObj || X (netObj && netObj->net_obj->ip_addr->addr != obj->ip_addr->addr)) { X if (objPtr = (struct NET_OBJECT_PTR *) X calloc (1, sizeof (struct NET_OBJECT_PTR))) { X objPtr->net_obj = obj; X objPtr->prv = objPtr; objPtr->nxt = objPtr; X } X if (netObj) { X objPtr->nxt = netObj; X objPtr->prv = netObj->prv; X netObj->prv = objPtr; X objPtr->prv->nxt = objPtr; X if (startObj->net_obj->ip_addr->addr > obj->ip_addr->addr) X net->ent = objPtr; X } else X net->ent = objPtr; X } X } X} X Xprint_host_datum (net) Xstruct NETWORK *net; X{ X struct NET_OBJECT_PTR *ent; X X ent = net->ent; X X if (ent) { X do { X printf ("\n%14.14s ", ipaddr_string (&ent->net_obj->ip_addr->addr)); X if (ent->net_obj->dst_stats.cons) { X print_stats_data ("dst", 
&ent->net_obj->dst_stats); X print_port_stats_data (" ", ent->net_obj->ports); X if (ent->net_obj->src_stats.cons) X printf ("\n%14.14s ", " "); X } X if (ent->net_obj->src_stats.cons) X print_stats_data ("src", &ent->net_obj->src_stats); X X ent = ent->nxt; X } while (ent != net->ent); X } X} X Xprint_net_datum (net) Xstruct NETWORK *net; X{ X struct NET_OBJECT *ptr; X X ptr = &net->net; X X if (ptr->dst_stats.cons || ptr->src_stats.cons) { X printf ("\n%14.14s ", getnetname (net->ip_net)); X if (ptr->dst_stats.cons) { X print_stats_data ("dst", &ptr->dst_stats); X print_port_stats_data (" ", ptr->ports); X X if (ptr->src_stats.cons) X printf ("\n%14.14s ", " "); X } X X if (ptr->src_stats.cons) X print_stats_data ("src", &ptr->src_stats); X } X} X Xprint_port_stats_data (string, port) Xchar *string; Xstruct PORT *port; X{ X struct PORT *start; X char str [256], *servstr, *protostr; X X if (start = port) { X do { X if (port->stats.src.bytes != 0) { X switch (port->proto) { X case TCP: servstr = tcpport_string(port->port); X protostr = "tcp"; break; X case UDP: servstr = udpport_string(port->port); X protostr = "udp"; break; X default: servstr = " "; X protostr = "unk"; break; X } X sprintf (str, "\n%s %s %6.6s ", string, protostr, servstr); X print_stats_data (str, &port->stats); X } X port = port->nxt; X } while (port != start); X } X} X Xprint_stats_data (string, stats) Xchar *string; Xstruct STATISTICS *stats; X{ X int cons = stats->cons, i; X struct STAT *stat; X double bppk, secs, secs_sqrd, bppk_sqrd, pktsvar, secsvar; X char buf[256], *ptr, tmp[256]; X X printf ("%3s %6d ", string, cons); X X for (i = 0; i < 2; i++) { X stat = (i) ? &stats->dst : &stats->src; X X bppk = stat->bytes_per_pkt; X bppk_sqrd = stat->bytes_per_pkt_sqrd, pktsvar; X X pktsvar = (double) bppk_sqrd/(double) cons X - pow (bppk/(double) cons, 2.0); X pktsvar = (pktsvar > 0) ? 
pktsvar : 0; X sprintf (buf, "%7.2f", bppk / (double) cons); X sprintf (tmp, "(%2.2f)", sqrt (pktsvar)); X ptr = buf + strlen (buf); X sprintf (ptr, "%-9s", tmp); X X printf ("%s ", buf); X } X X secs = stats->secs; X secs_sqrd = stats->secs_sqrd; X secsvar = (double) secs_sqrd/(double) cons - pow (secs/(double) cons, 2.0); X secsvar = (secsvar > 0) ? secsvar : 0; X X sprintf (buf, "%7.2f", stats->secs / (double) cons); X sprintf (tmp, "(%2.2f)", sqrt (secsvar)); X ptr = buf + strlen (buf); X sprintf (ptr, "%-9s", tmp); X printf ("%s ", buf); X} X X Xint Xnetwork_compare (ptr1, ptr2) Xstruct NETWORK **ptr1, **ptr2; X{ X register int retn = 0; X X if (!dflag) { X if (!(retn = ((*ptr2)->net.src_stats.cons - (*ptr1)->net.src_stats.cons))) X if (!(retn = ((*ptr2)->net.src_stats.src.pkts - X (*ptr1)->net.src_stats.src.pkts))) X retn = ((*ptr2)->net.src_stats.secs - (*ptr1)->net.src_stats.secs); X X } else X if (!sflag) { X if (!(retn = ((*ptr2)->net.dst_stats.cons - (*ptr1)->net.dst_stats.cons))) X if (!(retn = ((*ptr2)->net.dst_stats.dst.pkts - X (*ptr1)->net.dst_stats.dst.pkts))) X retn = ((*ptr2)->net.dst_stats.secs - (*ptr1)->net.dst_stats.secs); X X } else X if (!(retn = (((*ptr2)->net.src_stats.cons + X (*ptr2)->net.dst_stats.cons) - X ((*ptr1)->net.src_stats.cons + X (*ptr1)->net.dst_stats.cons)))) X if (!(retn = (((*ptr2)->net.src_stats.src.pkts + X (*ptr2)->net.dst_stats.dst.pkts) - X ((*ptr1)->net.src_stats.src.pkts + X (*ptr1)->net.dst_stats.dst.pkts)))) X retn = (((*ptr2)->net.src_stats.secs + X (*ptr2)->net.dst_stats.secs) - X ((*ptr1)->net.src_stats.secs + X (*ptr1)->net.dst_stats.secs)); X X return (retn); X} X X Xint Xnet_obj_compare (ptr1, ptr2) Xstruct NET_OBJECT **ptr2, **ptr1; X{ X register int retn = 0; X X if (!sflag) { X if (!(retn = ((*ptr2)->src_stats.cons - (*ptr1)->src_stats.cons))) X if (!(retn = ((*ptr2)->src_stats.src.pkts - X (*ptr1)->src_stats.src.pkts))) X retn = ((*ptr2)->src_stats.secs - (*ptr1)->src_stats.secs); X X } else X if 
(!dflag) { X if (!(retn = ((*ptr2)->dst_stats.cons - (*ptr1)->dst_stats.cons))) X if (!(retn = ((*ptr2)->dst_stats.dst.pkts - X (*ptr1)->dst_stats.dst.pkts))) X retn = ((*ptr2)->dst_stats.secs - (*ptr1)->dst_stats.secs); X X } else X if (!(retn = (((*ptr2)->src_stats.cons + (*ptr2)->dst_stats.cons) - X ((*ptr1)->src_stats.cons + (*ptr1)->dst_stats.cons)))) X if (!(retn = (((*ptr2)->src_stats.src.pkts + X (*ptr2)->dst_stats.dst.pkts) - X ((*ptr1)->src_stats.src.pkts + X (*ptr1)->dst_stats.dst.pkts)))) X retn = (((*ptr2)->src_stats.secs + (*ptr2)->dst_stats.secs) - X ((*ptr1)->src_stats.secs + (*ptr1)->dst_stats.secs)); X X return (retn); X} X X X Xsort_networks (argv, queue) Xchar **argv; Xstruct QUEUE *queue; X{ X X register struct NETWORK *ptr; X register struct NETWORK **array; X register int i, count = queue->count; X char startdate [32], enddate [32]; X double total_pktsvar, total_secsvar; X X X if (array = (struct NETWORK **)calloc(1,sizeof(struct NETWORK *)*count)) { X ptr = (struct NETWORK *) queue->start; X for (i = 0; i < count; i++, ptr = (struct NETWORK *) ptr->queue.nxt) X array[i] = ptr; X } X X qsort ((char *) array, count, sizeof (struct NETWORK *), network_compare); X X for (i = 0; i < count; i++) X print_host_datum (array [i]); X X printf ("\n\n"); X} X X X#define HASHNAMESIZE 4096 X#define STAYOPEN 1 X Xstruct nnamemem { X long addr; X char *name; X struct nnamemem *nxt; X}; X Xextern struct nnamemem *nnametable [HASHNAMESIZE]; X Xnetwork_db_init () X{ X register struct nnamemem *ptr; X register struct netent *n; X X setnetent (STAYOPEN); X while (n = getnetent ()) { X if (ptr = (struct nnamemem *) calloc (1, sizeof (struct nnamemem))) { X ptr->addr = n->n_net; X ptr->name = strdup (n->n_name); X ptr->nxt = nnametable[ptr->addr & (HASHNAMESIZE - 1)]; X nnametable[n->n_net & (HASHNAMESIZE - 1)] = ptr; X } X } X X endnetent (); X} SHAR_EOF $shar_touch -am 0508141295 'argus-1.5/clients/services.c' && chmod 0444 'argus-1.5/clients/services.c' || echo 
'restore of argus-1.5/clients/services.c failed' shar_count="`wc -c < 'argus-1.5/clients/services.c'`" test 20220 -eq "$shar_count" || echo "argus-1.5/clients/services.c: original size 20220, current size $shar_count" rm -f _sharnew.tmp fi # ============= argus-1.5/clients/README ============== if test -f 'argus-1.5/clients/README' && test X"$1" != X"-c"; then echo 'x - skipping argus-1.5/clients/README (file already exists)' rm -f _sharnew.tmp else > _sharnew.tmp echo 'x - extracting argus-1.5/clients/README (text)' sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/clients/README' && X X/* X * Copyright (c) 1993, 1994, 1995 Carnegie Mellon University. X * All rights reserved. X * X * Permission to use, copy, modify, and distribute this software and X * its documentation for any purpose and without fee is hereby granted, X * provided that the above copyright notice appear in all copies and X * that both that copyright notice and this permission notice appear X * in supporting documentation, and that the name of CMU not be X * used in advertising or publicity pertaining to distribution of the X * software without specific, written prior permission. X * X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS X * SOFTWARE. X * X */ X XArgus clients directory. 
X
XManifest:
X-r--r--r--  1 argus    software     3955 Apr 20 17:19 Makefile.in
X-rw-rw-r--  1 argus    software     1744 Apr 19 15:41 policy.conf
X-rw-rw-r--  1 argus    software      255 Dec 14 15:37 policy.test
X-r--r--r--  1 argus    software    22331 Apr 11 14:05 ra.c
X-rw-r--r--  1 argus    software    20220 Apr 20 17:38 services.c
X-r--r--r--  1 argus    software     3047 Feb  8 16:02 template.c
X
XThis directory contains example programs that read Argus data, either
Xfrom stdin, Argus data files or directly from a remote Argus server.
XFor a complete description of these routines, refer to their man pages.
X
XThis is just a sample of the clients that we use at the Software
XEngineering Institute.  We encourage you to write your own.
X
X
Xra.c
X   read_argus - This routine is a generic linear search database
X   routine for reading Argus data from either logs or from a remote
X   active Argus server.  Ra uses tcpdump expressions to specify its
X   selection criteria.  We use this routine a lot.
X
Xservices.c
X   print services - This routine prints out the destination port numbers
X   used in the transactions seen in an Argus data stream.  This is very
X   useful for generating reports on how hosts are being used.
X
Xtemplate.c
X   Template.c is a template for building Argus clients, using the
X   utilities in this directory and those in ../common.  Both ra.c and
X   services.c used template.c as a beginning.  There is a Makefile
X   entry for template.  If you use template.c as a basis for your own
X   clients, try our Makefile strategy, which makes linking the
X   appropriate routines out of ../common easier.
X
X
Xpolicy.conf
Xpolicy.test
X   These are data examples of a feature of Argus clients, where
X   you can use Cisco access control lists to define your
X   selection criteria.  Argus data entries that violate the
X   access control list will be selected.  This feature can be used
X   to validate network access control policies.
X
SHAR_EOF
  $shar_touch -am 0508141295 'argus-1.5/clients/README' &&
  chmod 0444 'argus-1.5/clients/README' ||
  echo 'restore of argus-1.5/clients/README failed'
  shar_count="`wc -c < 'argus-1.5/clients/README'`"
  test 2992 -eq "$shar_count" ||
    echo "argus-1.5/clients/README: original size 2992, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/include/addrtoname.h ==============
if test ! -d 'argus-1.5/include'; then
  echo 'x - creating directory argus-1.5/include'
  mkdir 'argus-1.5/include'
fi
if test -f 'argus-1.5/include/addrtoname.h' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/include/addrtoname.h (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/include/addrtoname.h (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/include/addrtoname.h' &&
X/*
X * Copyright (c) 1990, 1992, 1993, 1994
X *      The Regents of the University of California.  All rights reserved.
X *
X * Redistribution and use in source and binary forms, with or without
X * modification, are permitted provided that: (1) source code distributions
X * retain the above copyright notice and this paragraph in its entirety, (2)
X * distributions including binary code include the above copyright notice and
X * this paragraph in its entirety in the documentation or other materials
X * provided with the distribution, and (3) all advertising materials mentioning
X * features or use of this software display the following acknowledgement:
X * ``This product includes software developed by the University of California,
X * Lawrence Berkeley Laboratory and its contributors.''  Neither the name of
X * the University nor the names of its contributors may be used to endorse
X * or promote products derived from this software without specific prior
X * written permission.
X * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
X * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
X * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
X *
X * @(#) $Header: /usr/users/poepping/src/argus/argus-1.5/include/RCS/addrtoname.h,v 1.1 1995/02/08 21:05:33 poepping Exp $ (LBL)
X */
X
X/* Name to address translation routines. */
X
Xextern char *etheraddr_string(u_char *);
Xextern char *etherproto_string(u_short);
Xextern char *tcpport_string(u_short);
Xextern char *udpport_string(u_short);
Xextern char *getname(u_char *);
Xextern char *intoa(u_int32);
X
Xextern void init_addrtoname(int, u_int32, u_int32);
X
X#define ipaddr_string(p) getname((u_char *)(p))
SHAR_EOF
  $shar_touch -am 0508141295 'argus-1.5/include/addrtoname.h' &&
  chmod 0444 'argus-1.5/include/addrtoname.h' ||
  echo 'restore of argus-1.5/include/addrtoname.h failed'
  shar_count="`wc -c < 'argus-1.5/include/addrtoname.h'`"
  test 1678 -eq "$shar_count" ||
    echo "argus-1.5/include/addrtoname.h: original size 1678, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/include/argus.h ==============
if test -f 'argus-1.5/include/argus.h' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/include/argus.h (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/include/argus.h (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/include/argus.h' &&
X
X/*
X * Copyright (c) 1993, 1994 Carnegie Mellon University.
X * All rights reserved.
X *
X * Permission to use, copy, modify, and distribute this software and
X * its documentation for any purpose and without fee is hereby granted,
X * provided that the above copyright notice appear in all copies and
X * that both that copyright notice and this permission notice appear
X * in supporting documentation, and that the name of CMU not be
X * used in advertising or publicity pertaining to distribution of the
X * software without specific, written prior permission.
X *
X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X * SOFTWARE.
X *
X */
X
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X#include
X
X#include
X#include
X
Xvoid cons_init ();
Xint updatetime ();
Xvoid check_timeouts ();
Xvoid argus_loop ();
Xvoid cleanup ();
Xvoid usr1sig ();
Xvoid usr2sig ();
Xvoid usage ();
Xint add_to_queue ();
Xvoid remove_from_queue ();
Xvoid update_queue_status ();
Xchar *copy_argv ();
Xchar *read_infile ();
Xvoid aerror ();
Xvoid bpf_dump ();
X
Xvoid cons_ether_init ();
Xvoid cons_ether_packet ();
Xvoid cons_fddi_packet ();
Xvoid cons_icmp ();
Xvoid cons_ip_init ();
Xvoid argus_ip_handler ();
Xvoid check_ip_timeouts ();
Xvoid cons_socket_init ();
Xvoid writeOutData ();
Xint establish_listen ();
Xvoid check_tcp_timeouts ();
Xvoid check_client_status ();
Xvoid close_clients ();
Xvoid cons_tcp_init ();
Xvoid cons_tcp ();
Xvoid log_tcp_connection ();
Xvoid log_udp_connection ();
Xvoid log_ip_connection ();
SHAR_EOF
  : || echo 'restore of argus-1.5/include/argus.h failed'
fi
echo 'End of archive part 1'
echo 'File argus-1.5/include/argus.h is continued in part 2'
echo 2 > _sharseq.tmp
exit 0
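The services client above keeps, per host and per port, a running count, sum and sum of squares of each quantity (duration, bytes per packet) and derives mean and standard deviation from them when it prints its report, clamping a variance that floating-point cancellation has pushed below zero. The following is an added example and not Argus code: it reduces that accumulate-then-summarize scheme to one self-contained C program over constructed transaction records, so the report numbers produced by the STATISTICS bookkeeping can be checked by hand. The names `txn`, `stat_acc`, `report`, `summarize_txns`, `example_report` and `newton_sqrt` are this example's own; `newton_sqrt` stands in for `sqrt()` only so the program needs no libm.

```c
/*
 * Added example (not part of Argus): the sum / sum-of-squares statistics
 * accumulation used by services.c, turned into a stand-alone program.
 * Transaction records below are constructed for the example.
 */
#include <stdio.h>

struct stat_acc { double n, sum, sum_sqrd; };   /* count, sum, sum of squares */

/* One observed transaction (source side only); constructed input. */
struct txn { unsigned src_pkts; unsigned src_bytes; double secs; };

struct report {
    unsigned cons;                  /* transactions seen */
    double bpp_mean, bpp_sd;        /* bytes per packet: mean, std dev */
    double secs_mean, secs_sd;      /* duration: mean, std dev */
};

static void stat_add(struct stat_acc *a, double v)
{
    a->n += 1.0;
    a->sum += v;
    a->sum_sqrd += v * v;           /* services.c uses pow(v, 2.0) */
}

/* Newton iteration in place of sqrt() so the example links without -lm. */
static double newton_sqrt(double x)
{
    double r = x > 1.0 ? x : 1.0;
    int i;
    if (x <= 0.0)
        return 0.0;
    for (i = 0; i < 60; i++)
        r = 0.5 * (r + x / r);
    return r;
}

static double stat_mean(const struct stat_acc *a)
{
    return a->n > 0.0 ? a->sum / a->n : 0.0;
}

/* E[v^2] - E[v]^2; rounding can make this slightly negative for a set of
 * near-identical values, so clamp to 0 exactly as print_stats_data does. */
static double stat_sd(const struct stat_acc *a)
{
    double mean, var;
    if (a->n <= 0.0)
        return 0.0;
    mean = a->sum / a->n;
    var = a->sum_sqrd / a->n - mean * mean;
    return newton_sqrt(var > 0.0 ? var : 0.0);
}

struct report summarize_txns(const struct txn *t, int count)
{
    struct stat_acc bpp = {0, 0, 0}, secs = {0, 0, 0};
    struct report r = {0, 0, 0, 0, 0};
    int i;

    for (i = 0; i < count; i++) {
        r.cons++;
        stat_add(&secs, t[i].secs);
        if (t[i].src_pkts)          /* no packets: bytes/pkt undefined, skip */
            stat_add(&bpp, (double) t[i].src_bytes / t[i].src_pkts);
    }
    r.bpp_mean = stat_mean(&bpp);   r.bpp_sd = stat_sd(&bpp);
    r.secs_mean = stat_mean(&secs); r.secs_sd = stat_sd(&secs);
    return r;
}

/* Constructed sample: three flows plus one that carried no source packets. */
struct report example_report(void)
{
    static const struct txn sample[] = {
        {10, 1000, 2.0}, {20, 4000, 4.0}, {5, 500, 6.0}, {0, 0, 1.0}
    };
    return summarize_txns(sample, 4);
}

int main(void)
{
    struct report r = example_report();
    /* same layout as print_stats_data: mean then (std dev) */
    printf("%u cons  bytes/pkt %7.2f (%.2f)  secs %7.2f (%.2f)\n",
           r.cons, r.bpp_mean, r.bpp_sd, r.secs_mean, r.secs_sd);
    return 0;
}
```

The fourth record shows why the per-direction `if (src_count)` guard in services.c matters: it still counts as a transaction and contributes its duration, but is left out of the bytes-per-packet average rather than dragging it toward zero.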