Newsgroups: comp.sources.unix
From: argus@SEI.CMU.EDU
Subject: v29i036: argus-1.5 - a generic IP network transaction auditing tool, Part06/06
References: <1.813909952.2078@gw.home.vix.com>
Sender: unix-sources-moderator@gw.home.vix.com
Approved: vixie@gw.home.vix.com
Submitted-By: argus@SEI.CMU.EDU
Posting-Number: Volume 29, Issue 36
Archive-Name: argus-1.5/part06

#!/bin/sh
# This is `part06' (part 6 of a multipart archive).
# Do not concatenate these parts, unpack them in order with `/bin/sh'.
# File `argus-1.5/man/man1/tcpdump.1' is being continued...
#
touch -am 1231235999 $$.touch >/dev/null 2>&1
if test ! -f 1231235999 && test -f $$.touch; then
  shar_touch=touch
else
  shar_touch=:
  echo
  echo 'WARNING: not restoring timestamps.  Consider getting and'
  echo "installing GNU \`touch', distributed in GNU File Utilities..."
  echo
fi
rm -f 1231235999 $$.touch
#
if test ! -r _sharseq.tmp; then
  echo 'Please unpack part 1 first!'
  exit 1
fi
shar_sequence=`cat _sharseq.tmp`
if test "$shar_sequence" != 6; then
  echo "Please unpack part $shar_sequence next!"
  exit 1
fi
if test ! -f _sharnew.tmp; then
  echo 'x - still skipping argus-1.5/man/man1/tcpdump.1'
else
  echo 'x - continuing file argus-1.5/man/man1/tcpdump.1'
  sed 's/^X//' << 'SHAR_EOF' >> 'argus-1.5/man/man1/tcpdump.1' &&
Xthe sequence number (or sequence number and ack) has changed.
XIf it is not a special case,
Xzero or more changes are printed.
XA change is indicated by U (urgent pointer), W (window), A (ack),
XS (sequence number), and I (packet ID), followed by a delta (+n or -n),
Xor a new value (=n).
XFinally, the amount of data in the packet and compressed header length
Xare printed.
X.LP
XFor example, the following line shows an outbound compressed TCP packet,
Xwith an implicit connection identifier; the ack has changed by 6,
Xthe sequence number by 49, and the packet ID by 6; there are 3 bytes of
Xdata and 6 bytes of compressed header:
X.RS
X.nf
X\fBO ctcp * A+6 S+49 I+6 3 (6)\fP
X.fi
X.RE
X.HD
XARP/RARP Packets
X.LP
XArp/rarp output shows the type of request and its arguments.  The
Xformat is intended to be self explanatory.
XHere is a short sample taken from the start of an `rlogin' from
Xhost \fIrtsg\fP to host \fIcsam\fP:
X.RS
X.nf
X.sp .5
X\f(CWarp who-has csam tell rtsg
Xarp reply csam is-at CSAM\fP
X.sp .5
X.fi
X.RE
XThe first line says that rtsg sent an arp packet asking
Xfor the ethernet address of internet host csam.  Csam
Xreplies with its ethernet address (in this example, ethernet addresses
Xare in caps and internet addresses in lower case).
X.LP
XThis would look less redundant if we had done \fBtcpdump \-n\fP:
X.RS
X.nf
X.sp .5
X\f(CWarp who-has 128.3.254.6 tell 128.3.254.68
Xarp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
X.fi
X.RE
X.LP
XIf we had done \fBtcpdump \-e\fP, the fact that the first packet is
Xbroadcast and the second is point-to-point would be visible:
X.RS
X.nf
X.sp .5
X\f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
XCSAM RTSG 0806 64: arp reply csam is-at CSAM\fP
X.sp .5
X.fi
X.RE
XFor the first packet this says the ethernet source address is RTSG, the
Xdestination is the broadcast address, the type field
Xcontained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
X.HD
XTCP Packets
X.LP
X\fI(N.B.:The following description assumes familiarity with
Xthe TCP protocol described in RFC-793.  If you are not familiar
Xwith the protocol, neither this description nor tcpdump will
Xbe of much use to you.)\fP
X.LP
XThe general format of a tcp protocol line is:
X.RS
X.nf
X.sp .5
X\fIsrc > dst: flags data-seqno ack window urgent options\fP
X.sp .5
X.fi
X.RE
X\fISrc\fP and \fIdst\fP are the source and destination IP
Xaddresses and ports.  \fIFlags\fP are some combination of S (SYN),
XF (FIN), P (PUSH) or R (RST) or a single `.' (no flags).
X\fIData-seqno\fP describes the portion of sequence space covered
Xby the data in this packet (see example below).
X\fIAck\fP is the sequence number of the next data expected the other
Xdirection on this connection.
X\fIWindow\fP is the number of bytes of receive buffer space available
Xthe other direction on this connection.
X\fIUrg\fP indicates there is `urgent' data in the packet.
X\fIOptions\fP are tcp options enclosed in angle brackets (e.g., <mss 1024>).
X.LP
X\fISrc, dst\fP and \fIflags\fP are always present.  The other fields
Xdepend on the contents of the packet's tcp protocol header and
Xare output only if appropriate.
X.LP
XHere is the opening portion of an rlogin from host \fIrtsg\fP to
Xhost \fIcsam\fP.
X.RS
X.nf
X.sp .5
X\s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
Xcsam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
Xrtsg.1023 > csam.login: . ack 1 win 4096
Xrtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
Xcsam.login > rtsg.1023: . ack 2 win 4096
Xrtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
Xcsam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
Xcsam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
Xcsam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1\fP\s+2
X.sp .5
X.fi
X.RE
XThe first line says that tcp port 1023 on rtsg sent a packet
Xto port \fIlogin\fP
Xon csam.  The \fBS\fP indicates that the \fISYN\fP flag was set.
XThe packet sequence number was 768512 and it contained no data.
X(The notation is `first:last(nbytes)' which means `sequence
Xnumbers \fIfirst\fP
Xup to but not including \fIlast\fP which is \fInbytes\fP bytes of user data'.)
XThere was no piggy-backed ack, the available receive window was 4096
Xbytes and there was a max-segment-size option requesting an mss of
X1024 bytes.
X.LP
XCsam replies with a similar packet except it includes a piggy-backed
Xack for rtsg's SYN.  Rtsg then acks csam's SYN.  The `.' means no
Xflags were set.
XThe packet contained no data so there is no data sequence number.
XNote that the ack sequence
Xnumber is a small integer (1).  The first time \fBtcpdump\fP sees a
Xtcp `conversation', it prints the sequence number from the packet.
XOn subsequent packets of the conversation, the difference between
Xthe current packet's sequence number and this initial sequence number
Xis printed.  This means that sequence numbers after the
Xfirst can be interpreted
Xas relative byte positions in the conversation's data stream (with the
Xfirst data byte each direction being `1').  `-S' will override this
Xfeature, causing the original sequence numbers to be output.
X.LP
XOn the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20
Xin the rtsg \(-> csam side of the conversation).
XThe PUSH flag is set in the packet.
XOn the 7th line, csam says it's received data sent by rtsg up to
Xbut not including byte 21.  Most of this data is apparently sitting in the
Xsocket buffer since csam's receive window has gotten 19 bytes smaller.
XCsam also sends one byte of data to rtsg in this packet.
XOn the 8th and 9th lines,
Xcsam sends two bytes of urgent, pushed data to rtsg.
X.HD
X.B
XUDP Packets
X.LP
XUDP format is illustrated by this rwho packet:
X.RS
X.nf
X.sp .5
X\f(CWactinide.who > broadcast.who: udp 84\fP
X.sp .5
X.fi
X.RE
XThis says that port \fIwho\fP on host \fIactinide\fP sent a udp
Xdatagram to port \fIwho\fP on host \fIbroadcast\fP, the Internet
Xbroadcast address.  The packet contained 84 bytes of user data.
X.LP
XSome UDP services are recognized (from the source or destination
Xport number) and the higher level protocol information printed.
XIn particular, Domain Name service requests (RFC-1034/1035) and Sun
XRPC calls (RFC-1050) to NFS.
X.HD
XUDP Name Server Requests
X.LP
X\fI(N.B.:The following description assumes familiarity with
Xthe Domain Service protocol described in RFC-1035.  If you are not familiar
Xwith the protocol, the following description will appear to be written
Xin greek.)\fP
X.LP
XName server requests are formatted as
X.RS
X.nf
X.sp .5
X\fIsrc > dst: id op? flags qtype qclass name (len)\fP
X.sp .5
X\f(CWh2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)\fP
X.sp .5
X.fi
X.RE
XHost \fIh2opolo\fP asked the domain server on \fIhelios\fP for an
Xaddress record (qtype=A) associated with the name \fIucbvax.berkeley.edu.\fP
XThe query id was `3'.  The `+' indicates the \fIrecursion desired\fP flag
Xwas set.  The query length was 37 bytes, not including the UDP and
XIP protocol headers.  The query operation was the normal one, \fIQuery\fP,
Xso the op field was omitted.  If the op had been anything else, it would
Xhave been printed between the `3' and the `+'.
XSimilarly, the qclass was the normal one,
X\fIC_IN\fP, and omitted.  Any other qclass would have been printed
Ximmediately after the `A'.
X.LP
XA few anomalies are checked and may result in extra fields enclosed in
Xsquare brackets:  If a query contains an answer, name server or
Xauthority section,
X.IR ancount ,
X.IR nscount ,
Xor
X.I arcount
Xare printed as `[\fIn\fPa]', `[\fIn\fPn]' or  `[\fIn\fPau]' where \fIn\fP
Xis the appropriate count.
XIf any of the response bits are set (AA, RA or rcode) or any of the
X`must be zero' bits are set in bytes two and three, `[b2&3=\fIx\fP]'
Xis printed, where \fIx\fP is the hex value of header bytes two and three.
X.HD
XUDP Name Server Responses
X.LP
XName server responses are formatted as
X.RS
X.nf
X.sp .5
X\fIsrc > dst: id op rcode flags a/n/au type class data (len)\fP
X.sp .5
X\f(CWhelios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
Xhelios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)\fP
X.sp .5
X.fi
X.RE
XIn the first example, \fIhelios\fP responds to query id 3 from \fIh2opolo\fP
Xwith 3 answer records, 3 name server records and 7 authority records.
XThe first answer record is type A (address) and its data is internet
Xaddress 128.32.137.3.  The total size of the response was 273 bytes,
Xexcluding UDP and IP headers.  The op (Query) and response code
X(NoError) were omitted, as was the class (C_IN) of the A record.
X.LP
XIn the second example, \fIhelios\fP responds to query 2 with a
Xresponse code of non-existent domain (NXDomain) with no answers,
Xone name server and no authority records.  The `*' indicates that
Xthe \fIauthoritative answer\fP bit was set.  Since there were no
Xanswers, no type, class or data were printed.
X.LP
XOther flag characters that might appear are `\-' (recursion available,
XRA, \fInot\fP set) and `|' (truncated message, TC, set).  If the
X`question' section doesn't contain exactly one entry, `[\fIn\fPq]'
Xis printed.
X.LP
XNote that name server requests and responses tend to be large and the
Xdefault \fIsnaplen\fP of 96 bytes may not capture enough of the packet
Xto print.  Use the \fB\-s\fP flag to increase the snaplen if you
Xneed to seriously investigate name server traffic.  `\fB\-s 128\fP'
Xhas worked well for me.
X
X.HD
XNFS Requests
X.LP
XSun NFS (Network File System) requests and replies are printed as:
X.RS
X.nf
X.sp .5
X\fIsrc.xid > dst.nfs: len op args\fP
X\fIsrc.nfs > dst.xid: reply stat len\fP
X.sp .5
X\f(CWvs.e2766 > helios.nfs: 136 readdir fh 6.5197 8192 bytes @ 0
Xhelios.nfs > vs.e2766: reply ok 384
Xvs.e2767 > helios.nfs: 136 lookup fh 6.5197 `RCS'\fP
X.sp .5
X.fi
X.RE
XIn the first line, host \fIvs\fP sends a transaction with id \fIe2766\fP
Xto \fIhelios\fP (note that the number following the src host is a
Xtransaction id, \fInot\fP the source port).  The request was 136 bytes,
Xexcluding the UDP and IP headers.  The operation was a \fIreaddir\fP
X(read directory) on file handle (\fIfh\fP) 6.5197.  8192 bytes are
Xread, starting at offset 0.  \fIHelios\fP replies `ok' with 384
Xbytes of data.  (The design of Sun's RPC protocol makes it difficult to
Xinterpret replies.  I don't bother.)
X.LP
XIn the third line, \fIvs\fP asks \fIhelios\fP to lookup the name
X`\fIRCS\fP' in directory file 6.5197.  Note that the data printed
Xdepends on the operation type.  The format is intended to be self
Xexplanatory (at least, to me) if read in conjunction with
Xan NFS protocol spec.
X.LP
XNote that NFS requests are very large and the above won't be printed
Xunless \fIsnaplen\fP is increased.  I use `\fB\-s 192\fP' to watch
XNFS traffic.
X
X.HD
XKIP Appletalk (DDP in UDP)
X.LP
XAppletalk DDP packets encapsulated in UDP datagrams are de-encapsulated
Xand dumped as DDP packets (i.e., all the UDP header information is
Xdiscarded).  The file
X.I /etc/atalk.names
Xis used to translate appletalk net and node numbers to names.
XLines in this file have the form
X.RS
X.nf
X.sp .5
X\fInumber	name\fP
X
X\f(CW1.254		ether
X16.1		icsd-net
X1.254.110	ace\fP
X.sp .5
X.fi
X.RE
XThe first two lines give the names of appletalk networks.  The third
Xline gives the name of a particular host (a host is distinguished
Xfrom a net by the 3rd octet in the number \-
Xa net number \fImust\fP have two octets and a host number \fImust\fP
Xhave three octets.)  The number and name should be separated by
Xwhitespace (blanks or tabs).
XThe
X.I /etc/atalk.names
Xfile may contain blank lines or comment lines (lines starting with
Xa `#').
X.LP
XAppletalk addresses are printed in the form
X.RS
X.nf
X.sp .5
X\fInet.host.port\fP
X
X\f(CW144.1.209.2 > icsd-net.112.220
Xoffice.2 > icsd-net.112.220
Xjssmag.149.235 > icsd-net.2\fP
X.sp .5
X.fi
X.RE
X(If the
X.I /etc/atalk.names
Xdoesn't exist or doesn't contain an entry for some appletalk
Xhost/net number, addresses are printed in numeric form.)
XIn the first example, NBP (DDP port 2) on net 144.1 node 209
Xis sending to whatever is listening on port 220 of net icsd node 112.
XThe second line is the same except the full name of the source node
Xis known (`office').  The third line is a send from port 235 on
Xnet jssmag node 149 to broadcast on the icsd-net NBP port (note that
Xthe broadcast address (255) is indicated by a net name with no host
Xnumber \- for this reason it's a good idea to keep node names and
Xnet names distinct in /etc/atalk.names).
X.LP
XNBP (name binding protocol) and ATP (Appletalk transaction protocol)
Xpackets have their contents interpreted.  Other protocols just dump
Xthe protocol name (or number if no name is registered for the
Xprotocol) and packet size.
X
X\fBNBP packets\fP are formatted like the following examples:
X.RS
X.nf
X.sp .5
X\s-2\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
Xjssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
Xtechpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fP\s+2
X.sp .5
X.fi
X.RE
XThe first line is a name lookup request for laserwriters sent by net icsd host
X112 and broadcast on net jssmag.  The nbp id for the lookup is 190.
XThe second line shows a reply for this request (note that it has the
Xsame id) from host jssmag.209 saying that it has a laserwriter
Xresource named "RM1140" registered on port 250.  The third line is
Xanother reply to the same request saying host techpit has laserwriter
X"techpit" registered on port 186.
X
X\fBATP packet\fP formatting is demonstrated by the following example:
X.RS
X.nf
X.sp .5
X\s-2\f(CWjssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
Xhelios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
Xhelios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
Xhelios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
Xhelios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
Xhelios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
Xhelios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
Xhelios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
Xhelios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
Xjssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
Xhelios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
Xhelios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
Xjssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
Xjssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fP\s+2
X.sp .5
X.fi
X.RE
XJssmag.209 initiates transaction id 12266 with host helios by requesting
Xup to 8 packets (the `<0-7>').  The hex number at the end of the line
Xis the value of the `userdata' field in the request.
X.LP
XHelios responds with 8 512-byte packets.  The `:digit' following the
Xtransaction id gives the packet sequence number in the transaction
Xand the number in parens is the amount of data in the packet,
Xexcluding the atp header.  The `*' on packet 7 indicates that the
XEOM bit was set.
X.LP
XJssmag.209 then requests that packets 3 & 5 be retransmitted.  Helios
Xresends them then jssmag.209 releases the transaction.  Finally,
Xjssmag.209 initiates the next request.  The `*' on the request
Xindicates that XO (`exactly once') was \fInot\fP set.
X
X.HD
XIP Fragmentation
X.LP
XFragmented Internet datagrams are printed as
X.RS
X.nf
X.sp .5
X\fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB+)\fR
X\fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB)\fR
X.sp .5
X.fi
X.RE
X(The first form indicates there are more fragments.  The second
Xindicates this is the last fragment.)
X.LP
X\fIId\fP is the fragment id (in hex).  \fISize\fP is the fragment
Xsize (in bytes) excluding the IP header.  \fIOffset\fP is this
Xfragment's offset (in bytes) in the original datagram.
X.LP
XThe fragment information is output for each fragment.  The first
Xfragment contains the higher level protocol header and the frag
Xinfo is printed after the protocol info.  Fragments
Xafter the first contain no higher level protocol header and the
Xfrag info is printed after the source and destination addresses.
XFor example, here is part of an ftp from arizona.edu to lbl-rtsg.arpa
Xover a CSNET connection that doesn't appear to handle 576 byte datagrams:
X.RS
X.nf
X.sp .5
X\s-2\f(CWarizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
Xarizona > rtsg: (frag 595a:204@328)
Xrtsg.1170 > arizona.ftp-data: . ack 1536 win 2560\fP\s+2
X.sp .5
X.fi
X.RE
XThere are a couple of things to note here:  First, addresses in the
X2nd line don't include port numbers.  This is because the TCP
Xprotocol information is all in the first fragment and we have no idea
Xwhat the port or sequence numbers are when we print the later fragments.
XSecond, the tcp sequence information in the first line is printed as if there
Xwere 308 bytes of user data when, in fact, there are 512 bytes (308 in
Xthe first frag and 204 in the second).  If you are looking for holes
Xin the sequence space or trying to match up acks
Xwith packets, this can fool you.
X.LP
XA packet with the IP \fIdon't fragment\fP flag is marked with a
Xtrailing \fB(DF)\fP.
X.HD
XTimestamps
X.LP
XBy default, all output lines are preceded by a timestamp.  The timestamp
Xis the current clock time in the form
X.RS
X.nf
X\fIhh:mm:ss.frac\fP
X.fi
X.RE
Xand is as accurate as the kernel's clock (e.g., \(+-10ms on a Sun-3).
XThe timestamp reflects the time the kernel first saw the packet.  No attempt
Xis made to account for the time lag between when the
Xethernet interface removed the packet from the wire and when the kernel
Xserviced the `new packet' interrupt (of course,
Xwith Sun's lousy clock resolution this time lag is negligible.)
X.SH "SEE ALSO"
Xtraffic(1C), nit(4P), bpf(4)
X.SH AUTHORS
XVan Jacobson (van@helios.ee.lbl.gov),
XCraig Leres (leres@helios.ee.lbl.gov) and
XSteven McCanne (mccanne@helios.ee.lbl.gov), all of
XLawrence Berkeley Laboratory, University of California, Berkeley, CA.
X.SH BUGS
XThe clock resolution on most Suns is pathetic (20ms).
XIf you want to use the timestamp to generate some of the important
Xperformance distributions (like packet interarrival time) it's best
Xto watch something that generates packets slowly (like an Arpanet
Xgateway or a MicroVax running VMS).
X.LP
XNIT doesn't let you watch your own outbound traffic, BPF will.
XWe recommend that you use the latter.
X.LP
X\fItcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
Xhas to have been built with the \fIpacketfilter\fP pseudo-device driver
X(see
X.IR packetfilter (4)).
XAs of this writing, Ultrix does not let you
Xwatch either your own outbound or inbound traffic.
X.LP
XUnder SunOS 4.1, the packet capture code (or Streams NIT) is not what
Xyou'd call efficient.  Don't plan on doing much with your Sun while
Xyou're monitoring a busy network.
X.LP
XOn Sun systems prior to release 3.2, NIT is very buggy.
XIf run on an old system, tcpdump may crash the machine.
X.LP
XSome attempt should be made to reassemble IP fragments or, at least
Xto compute the right length for the higher level protocol.
X.LP
XName server inverse queries are not dumped correctly: The (empty)
Xquestion section is printed rather than real query in the answer
Xsection.  Some believe that inverse queries are themselves a bug and
Xprefer to fix the program generating them rather than tcpdump.
X.LP
XApple Ethertalk DDP packets could be dumped as easily as KIP DDP
Xpackets but aren't.
XEven if we were inclined to do anything to promote the use of
XEthertalk (we aren't), LBL doesn't allow Ethertalk on any of its
Xnetworks so we would have no way of testing this code.
X.LP
XA packet trace that crosses a daylight savings time change will give
Xskewed time stamps (the time change is ignored).
SHAR_EOF
  echo 'File argus-1.5/man/man1/tcpdump.1 is complete' &&
  $shar_touch -am 0508141395 'argus-1.5/man/man1/tcpdump.1' &&
  chmod 0444 'argus-1.5/man/man1/tcpdump.1' ||
  echo 'restore of argus-1.5/man/man1/tcpdump.1 failed'
  shar_count="`wc -c < 'argus-1.5/man/man1/tcpdump.1'`"
  test 35488 -eq "$shar_count" ||
    echo "argus-1.5/man/man1/tcpdump.1: original size 35488, current size $shar_count"
  rm -f _sharnew.tmp
fi
# ============= argus-1.5/man/man1/ra.1 ==============
if test -f 'argus-1.5/man/man1/ra.1' && test X"$1" != X"-c"; then
  echo 'x - skipping argus-1.5/man/man1/ra.1 (file already exists)'
  rm -f _sharnew.tmp
else
  > _sharnew.tmp
  echo 'x - extracting argus-1.5/man/man1/ra.1 (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/man/man1/ra.1' &&
X.\" $Header: /tmp_mnt/us/wcb/research/src/argus/argus-1.5/man/man1/RCS/ra.1,v 1.4 1995/05/05 20:37:07 wcb Exp $
X.\" All rights reserved.
X.\"
X.\" Copyright (c) 1993, 1994 Carnegie Mellon University.
X.\" All rights reserved.
X.\"
X.\" Permission to use, copy, modify, and distribute this software and
X.\" its documentation for any purpose and without fee is hereby granted,
X.\" provided that the above copyright notice appear in all copies and
X.\" that both that copyright notice and this permission notice appear
X.\" in supporting documentation, and that the name of CMU not be
X.\" used in advertising or publicity pertaining to distribution of the
X.\" software without specific, written prior permission.
X.\"
X.\" CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X.\" ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X.\" CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X.\" ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X.\" WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X.\" ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X.\" SOFTWARE.
X.\"
X.\"
X.\"
X.TH RA 1 "27 December 1994"
X.SH NAME
X\fBra\fP \- read \fBargus(8)\fP data.
X.SH SYNOPSIS
X.B ra
X[ -bchmnEIMNORTWX ]
X[
X.B \-C
X.I access-file
X] [
X.B \-d
X.I debug-level
X]
X.br
X.ti +3
X[
X.B -r
X.I argus-file
X] [
X.B \-w
X.I output-file
X] [
X.B \-P
X.I port
X]
X.br
X.ti +3
X[
X.B \-F
X.I file
X] [
X.B \-S
X.I argus-server
X]
X.I expression
X.SH DESCRIPTION
X.IX  "ra command"  ""  "\fLra\fP \(em argus data"
X.LP
X.B Ra
Xreads
X.BR argus
Xdata from either \fIstdin\fP, an \fIargus-file\fP, or from a
Xremote host running as an \fIargus-server\fP.
X.B Ra
Xprints out the contents of
X.BR argus
Xtransaction reports that match the policy described in the
X\fIaccess-file\fP and/or the boolean \fIexpression\fP.
X.LP
X.SH OPTIONS
X.TP 5 5
X.B \-b
XDump the compiled transaction-matching code to standard output and stop.
X.TP 5 5
X.B \-c
XPrint the transaction source byte and packet \fIcount\fP, and the destination
Xbyte and packet \fIcount\fP.
X.TP 5 5
X.B \-C
XMatch entries against a Cisco access control list that is contained
Xin \fIaccess-file\fP.
X.B Argus
Xtransaction reports corresponding to network traffic that should
Xbe blocked by the Cisco access control definition, are reported.
XThe file format is that of a single Cisco extended access-list definition.
X.TP 5 5
X.B \-d
XPrint debug information relating to \fB-C\fP option
Xtransaction reporting.  When \fIdebug-level\fP is 1,
X.B ra
Xprints the access control list definition that would cause the
Xargus datum to be rejected.  With a \fIdebug-level\fP of 2,
X.B ra
Xalso prints the access control list definition that permits
Xargus data.
X.TP 5 5
X.B \-E
XPrint transactions that have been established.
X.TP 5 5
X.B \-F
XUse \fIfile\fP as input for the filter expression.
XAn additional expression given on the command line is ignored.
X.TP 5 5
X.B \-h
XPrint an explanation of all the arguments.
X.TP 5 5
X.B \-I
XPrint extended ICMP status reports.
X.TP 5 5
X.B \-m
XPrint ethernet or fddi (MAC) addresses.
X.TP 5 5
X.B \-M
XPrint transactions with multiple routes involved with the transaction.
XThis condition exists when a transaction involves more than a single
Xsource and destination MAC address pair.
X.TP 5 5
X.B \-n
XDo not translate host and service numbers to names.  \fB-nn\fP will
Xsuppress translation of protocol numbers, as well.
X.TP 5 5
X.B \-N
XPrint TCP transactions that closed normally.
X.TP 5 5
X.B \-O
XPrint transactions that involved the use of IP options.
X.TP 5 5
X.B \-P
XUse alternate \fIport\fP when accessing remote
X.B argus
Xserver.  The default is port 561/tcp.
X.TP 5 5
X.B \-r
XRead from the specified \fIargus-file\fP.
X.TP 5 5
X.B \-R
XPrint TCP transactions that encountered a RESET indication.
X.TP 5 5
X.B \-S
XSpecify a remote \fIargus-server\fP.
X.TP 5 5
X.B \-T
XPrint transactions that reported because of a TIMED_OUT condition.
X.TP 5 5
X.B \-w
XWrite out matching data to \fIoutput-file\fP, in
X.B argus
Xfile format.  An \fIoutput-file\fP of '-' directs
X.B ra
Xto write the \fIargus-file\fP to stdout, allowing for "chaining"
X.B ra
Xcommands together.
X.TP 5 5
X.B \-W
XPrint TCP transactions where the source or destination window was
Xset to zero at some time during the transaction.
X.TP 5 5
X.B \-X
XPrint TCP transactions that involved packet retransmissions.
X.TP 5 5
X.B \fIexpression\fP
XThis
X.B tcpdump(1)
Xexpression specifies which transactions will be selected.
XIf no \fIexpression\fP is given, all transactions are selected.
XOtherwise, only transactions for which
X\fIexpression\fP is `true' will be printed.
XThe syntax is identical to the expression syntax for \fBtcpdump\fP,
Xhowever, the semantics for \fBtcpdump's\fP packet filter expression
Xmay be slightly different when applied to transaction selection.
XIn particular, transaction selection based on the source or
Xdestination host may not always give the expected results,
Xsince argus cannot guarantee correct determination of the
Xsource host from the available datagrams (especially for non-TCP
Xprotocols with dropped or missing datagrams).
XFor a complete \fIexpression\fP format description, please refer to the
X.B tcpdump(1)
Xman page.
X.br
X.SH EXAMPLES
X.LP
XTo report all TCP transactions from and to host wave,
Xreading transaction data from \fIargus-file\fP argus.data:
X.RS
X.nf
X\fBra -r argus.data tcp and host wave\fP
X.fi
X.RE
X.LP
XCreate the \fIargus-file\fP icmp.log with all ICMP events involving
Xthe host nimrod, using data from \fIargus-file\fP, but reading the
Xtransaction data from \fIstdin\fP:
X.RS
X.nf
X\fBcat \fIargus-file\fP | ra -L icmp.log icmp and host nimrod\fP
X.fi
X.RE
X.LP
XTo review, in real-time, all the transactions to the network 198.2.3.0,
Xthat violate the Cisco access control list specified in \fIaccess-list\fP,
Xusing the remote
X.B argus
Xserver \fIargus-host\fP.
X.RS
X.nf
X\fBra -S \fIargus-host\fP -C \fIaccess-list\fP dst net 198.2.3.0\fP
X
X.fi
X.RE
X.br
X.SH OUTPUT FORMAT
X.LP
XThe following is a brief description of the output format of
X.B ra
Xwhich reports transaction data in various levels of detail.
XThe general format is:
X.RE
X.RS
X.nf
X.sp .1
X\fI time [mac.addr] proto host dir host [count] status\fP
X.sp .1
X.fi
X.RE
X.TP 4 4
X.BI time
X\fItime\fP is printed as, day of the week, month/day and hr:min:sec, using
X.B localtime(3V).
X.B Argus
Xtransaction data contains both starting and ending transaction times,
Xwith precision to the microsecond.  However,
X.B ra
Xprints out only one of these dates depending on the status of the
X.B argus
Xserver.  When the
X.B argus
Xserver is running in default mode,
X.B ra
Xreports the transaction starting time.
XWhen the server is in DETAIL mode, the transaction ending time is reported.
X.TP 5 5
X.BI mac.addr
X\fImac.addr\fP
Xis an optional field, specified using the
X.B -m
Xflag.  \fImac.addr\fP represents the first source and destination
XMAC addresses seen for a particular transaction.  These addresses are
Xpaired with the \fIhost.port\fP fields, so the direction indicator is
Xneeded to distinguish between the source and destination MAC addresses.
X.TP 5 5
X.BI proto\ [options\ protocol]
XThe \fIproto\fP indicator consists of two fields.  The first is
Xprotocol specific and the designations are:
X.nf
X.sp .5
X   * - TCP packet retransmissions
X   M - Multiple physical layer paths
X   S - IP option Strict Source Route
X   L - IP option Loose Source Route
X   T - IP option Time Stamp
X   + - IP option Security
X   R - IP option Record Route
X   N - IP option SATNET
X   ? - multiple IP options set
X.fi
X
XThe second field indicates the upper protocol used in the transaction.
XThis field will contain the first 4 characters of the official
Xname for the protocol used, as defined in RFC-1700.  Use of the
X.B -n
Xoption, twice (-nn), will cause the actual protocol number to be
Xdisplayed.
X.TP 4 4
X.BI host
XThe \fIhost\fP field is protocol dependent, and for all protocols
Xwill contain the IP address/name.  For TCP and UDP, the field will
Xalso contain the port number/name, separated by a period.
X.TP 3 3
X.BI dir
XThe \fIdir\fP field will have the direction of the transaction,
Xas can be best determined from the datum, and is used to indicate
Xwhich hosts are transmitting.  For TCP, the dir field indicates
Xthe actual source of the TCP connection, and the center character
Xindicates the state of the transaction.
X.RS
X.nf
X.sp .5
X   - - transaction was NORMAL
X   | - transaction was RESET
X   o - transaction TIMED OUT.
X.fi
X.RE
X.TP 5 5
X.BI count
X\fIcount\fP is an optional field, specified using the
X.B -c
Xoption.  There are 4 fields that are produced.  The
Xfirst 2 are the packet counts and the last 2 are the byte counts
Xfor the specific transaction.  The fields are paired with the
Xprevious host fields, and represent the packets transmitted by
Xthe respective host.
X.TP 5 5
X.BI status
XThe \fIstatus\fP field indicates the principal status for the transaction
Xreport, and is protocol dependent.  For all the protocols, except ICMP,
Xthis field reports on the basic state of a transaction.
X.TP 5 5
X.in .25i
X.BI \REQ\ INT\ \ (requested\ \ initial)
XThis indicates that this is the \fIinitial\fP status report for a
Xtransaction and is seen only when the \fIargus-server\fP is in DETAIL
Xmode.  For TCP connections this is \fBREQ\fP, indicating that a
Xconnection is being requested.  For the connectionless protocols,
Xsuch as UDP, this is \fBINT\fP.
X.TP 5 5
X.in .25i
X.BI \ACC\ \ (accepted)
XThis indicates that a request/response condition has occurred,
Xand that a transaction has been detected between two hosts.
XFor TCP, this indicates that a connection request has been
Xanswered, and the connection will be accepted.  This is only seen
Xwhen the \fIargus-server\fP is in DETAIL mode.  For the
Xconnectionless protocols, this state indicates that there
Xhas been a single packet exchange between two hosts, and could
Xqualify as a request/response transaction.
X.TP 5 5
X.in .25i
X.BI \EST\ CON\ \ (established\ \ connected)
XThis record type indicates that the reported transaction is active, and
Xhas been established or is continuing.  This should be interpreted as a
Xstatus report of a currently active transaction.
XFor TCP, the EST status is only seen in DETAIL mode, and indicates
Xthat the three way handshake has been completed for a connection.
X.TP 5 5
X.in .25i
X.BI \CLO\ \ (closed)
XTCP specific, this record type indicates that the TCP connection has
Xclosed normally.
X.TP 5 5
X.in .25i
X.BI \TIM\ \ (timeout)
XActivity was not seen relating to this transaction, during the
X.B argus
Xserver's timeout period for this protocol.  This status is seen
Xonly when there were packets recorded since the last report for
Xthis transaction.
X
XFor the ICMP protocol, the \fIstatus\fP field displays various
Xaspects of the ICMP data.  With the \fB-I\fP option, extended ICMP protocol
Xdata information is given.  ICMP status can have the values (\fB-I\fP option info):
X.nf
X.in 10
X
X\fBECO\fP   echo request
X\fBECR\fP   echo reply
X\fBURF\fP   unreachable need fragmentation
X\fBURH\fP   unreachable host (\fIhostaddr\fP)
X\fBURN\fP   unreachable network (\fInetaddr\fP)
X\fBURO\fP   unreachable protocol (\fIprotonum\fP)
X\fBURP\fP   unreachable port (\fIprotonum portnum\fP)
X\fBURS\fP   unreachable source failed
X\fBSRC\fP   source quench
X\fBRED\fP   redirect
X\fBTIM\fP   time exceeded
X\fBPAR\fP   parameter problem
X\fBTST\fP   timestamp request
X\fBTSR\fP   timestamp reply
X\fBIRQ\fP   information request
X\fBIRR\fP   information reply
X\fBMAS\fP   mask request
X\fBMSR\fP   mask reply (\fImaskaddr\fP)
X
X.fi
X.LP
X.br
X.SH OUTPUT EXAMPLES
X
XThese examples show typical \fBra\fP output, and demonstrate a
Xnumber of variations seen in \fBargus\fP data.  This \fBra\fP
Xoutput was generated using the \fB-n\fP option to suppress
Xnumber translation.
X
X.ft B
X.cs B 30 4
X.ss 4
X.nf
XThu 12/29 06:40:32  S tcp   132.3.31.15.6439   ->  12.23.14.77.23     CLO
X.fi
X.ft R
X.in +6n
X.ll -1n
XThis is a normal tcp transaction to the telnet port on host 12.23.14.77.
XThe IP Option strict source route was seen.
X
X.in -6n
X.ll +1n
X.ft B
X.nf
XThu 12/29 06:40:32    tcp   132.3.31.15.6200   <|> 12.23.14.77.25     RST
X.fi
X.ft R
X.in +6n
X.ll -1n
XThis tcp transaction from the smtp port of host 12.23.14.77
Xwas \fBRESET\fP, suggesting that the transaction was denied.
X
X.in -6n
X.ll +1n
X.ft B
X.nf
XThu 12/29 03:39:05  M igmp  12.88.14.10        <-> 128.2.2.10         CON
X.fi
X.ft R
X.in +6n
X.ll -1n
XThis is an igmp transaction status report, usually seen with MBONE traffic.
XThere was more than one source and destination MAC address pair used to
Xsupport the transaction, suggesting a possible routing loop.
X
X.in -6n
X.ll +1n
X.ft B
X.nf
XThu 12/29 06:40:05  * tcp   12.23.14.23.1043   <-> 12.23.14.27.6000   TIM
X.fi
X.ft R
X.fi
X.in +6n
X.ll -1n
XThis is an X-windows transaction, that has \fBTIMEDOUT\fP.  Packets
Xwere retransmitted during the connection.
X
X.in -6n
X.ll +1n
X.ft B
X.nf
XThu 12/29 07:42:09    udp   12.9.1.115.2262    ->  28.12.141.6.139    INT
X.fi
X.ft R
X.in +6n
X.ll -1n
XThis is an initial netbios UDP transaction status report, indicating
Xthat this is the first datagram encountered for this transaction.
XThis status can only be seen when the \fIargus-server\fP is in \fBdetail\fP
Xmode.
X
X.in -6n
X.ll +1n
X.ft B
X.nf
XThu 12/29 06:42:09    icmp  12.9.1.115         <-  12.68.5.127        ECO
XThu 12/29 06:42:09    icmp  12.9.1.115         ->  12.68.5.127        ECR
X.fi
X.ft R
X.in +6n
X.ll -1n
XThis example represents a "ping" of host 12.9.1.115, and its response.
X.in -6n
X.ll +1n
X
X.ss 12
X.cs B
X.ft R
XThis next example shows the \fBra\fP output of a complete TCP transaction,
Xwhile reading from a remote \fIargus-server\fP in \fBdetail\fP mode.
XThe '*' in the CLO report indicates that at least one TCP packet was
Xretransmitted during the transaction.
X.nf
X.ft B
X.cs B 30 4
X.ss 4
X
X% ra -S \fIargus-server\fP tcp and host sei.cmu.edu and port smtp
Xra: Trying argus-server port 561
Xra: connected Argus Version 1.4 detail mode
XSat 12/03 15:29:39    tcp   i.sei.cmu.e.1543   ->  sei.cmu.edu.smtp   REQ
XSat 12/03 15:29:39    tcp   i.sei.cmu.e.1543   <-  sei.cmu.edu.smtp   ACC
XSat 12/03 15:29:39    tcp   i.sei.cmu.e.1543   <-> sei.cmu.edu.smtp   EST
XSat 12/03 15:29:39  * tcp   i.sei.cmu.e.1543   ->  sei.cmu.edu.smtp   CLO
X.ss 12
X.cs B
X.ft
X.fi
X.br
X.SH AUTHORS
X.nf
XCarter Bullard (wcb@fore.com).
XChas DiFatta (cd@sei.cmu.edu).
XSpecial thanks to Mark Poepping (poepping@sei.cmu.edu).
X.fi
X.SH SEE ALSO
X.BR tcpdump (1),
X.BR argus (8)
X.LP
XPostel, Jon,
X.IR "Internet Protocol",
X.SM RFC
X791,
XNetwork Information Center,
X.SM SRI
XInternational, Menlo Park, Calif.,
XMay 1981.
X.LP
XPostel, Jon,
X.IR "Internet Control Message Protocol" ,
X.SM RFC
X792,
XNetwork Information Center, SRI International, Menlo Park, Calif.,
XMay 1981.
X.LP
XPostel, Jon,
X.IR "Transmission Control Protocol" ,
X.SM RFC
X793,
XNetwork Information Center, SRI International, Menlo Park, Calif.,
XMay 1981.
X.LP
XPostel, Jon,
X.IR "User Datagram Protocol" ,
X.SM RFC
X768,
XNetwork Information Center, SRI International, Menlo Park, Calif.,
XMay 1980.
X.LP
XMcCanne, Steven, and Van Jacobson,
X.IR "The BSD Packet Filter: A New Architecture for User-level Capture" ,
XLawrence Berkeley Laboratory, One Cyclotron Road, Berkeley, Calif., 94720,
XDecember 1992.
SHAR_EOF
$shar_touch -am 0508141395 'argus-1.5/man/man1/ra.1' &&
chmod 0444 'argus-1.5/man/man1/ra.1' ||
echo 'restore of argus-1.5/man/man1/ra.1 failed'
shar_count="`wc -c < 'argus-1.5/man/man1/ra.1'`"
test 15083 -eq "$shar_count" ||
echo "argus-1.5/man/man1/ra.1: original size 15083, current size $shar_count"
rm -f _sharnew.tmp
fi
# ============= argus-1.5/COPYRIGHT ==============
if test -f 'argus-1.5/COPYRIGHT' && test X"$1" != X"-c"; then
echo 'x - skipping argus-1.5/COPYRIGHT (file already exists)'
rm -f _sharnew.tmp
else
> _sharnew.tmp
echo 'x - extracting argus-1.5/COPYRIGHT (text)'
sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/COPYRIGHT' &&
X
XCopyrights and Credits.
X
XArgus-1.5 was developed at Carnegie Mellon University, is
Xa derivative work of tcpdump-1.x, and uses technology developed
Xfor libpcap-0.0, tcpdump-3.0, and tcp_wrappers-6.3.
X
XWe would like to thank the principal authors of these packages,
XSteve McCanne (mccanne@ee.lbl.gov), Craig Leres (leres@ee.lbl.gov),
XVan Jacobson (van@ee.lbl.gov) and Wietse Venema (wietse@wzv.win.tue.nl)
Xfor their exceptional work, without which Argus would not be possible.
X
XAlong with the author contact information, we have included the
Xcopyrights that apply to the various components of Argus. Please
Xrefer to the individual packages for specific use and redistribution
Xlimitations that may apply.
X
X
X
XArgus 1.5
XCarnegie Mellon University
Xargus@sei.cmu.edu
X  - Carter Bullard  wcb@sei.cmu.edu
X    Chas DiFatta    cd@sei.cmu.edu
X
X/*
X * Copyright (c) 1993, 1994, 1995 Carnegie Mellon University.
X * All rights reserved.
X *
X * Permission to use, copy, modify, and distribute this software and
X * its documentation for any purpose and without fee is hereby granted,
X * provided that the above copyright notice appear in all copies and
X * that both that copyright notice and this permission notice appear
X * in supporting documentation, and that the name of CMU not be
X * used in advertising or publicity pertaining to distribution of the
X * software without specific, written prior permission.
X *
X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X * SOFTWARE.
X *
X */
X
X
XLIBPCAP 0.0
XLawrence Berkeley Laboratory
XNetwork Research Group
Xlibpcap@ee.lbl.gov
Xftp://ftp.ee.lbl.gov/libpcap-*.tar.Z
X  - Steve McCanne (mccanne@ee.lbl.gov)
X    Craig Leres (leres@ee.lbl.gov)
X    Van Jacobson (van@ee.lbl.gov)
X
XTCPDUMP 3.0
XLawrence Berkeley Laboratory
XNetwork Research Group
Xtcpdump@ee.lbl.gov
Xftp://ftp.ee.lbl.gov/tcpdump-*.tar.Z
X  - Steve McCanne (mccanne@ee.lbl.gov)
X    Craig Leres (leres@ee.lbl.gov)
X    Van Jacobson (van@ee.lbl.gov)
X
X
X/*
X * Copyright (c) 1990 The Regents of the University of California.
X * All rights reserved.
X *
X * Redistribution and use in source and binary forms, with or without
X * modification, are permitted provided that: (1) source code distributions
X * retain the above copyright notice and this paragraph in its entirety, (2)
X * distributions including binary code include the above copyright notice and
X * this paragraph in its entirety in the documentation or other materials
X * provided with the distribution, and (3) all advertising materials mentioning
X * features or use of this software display the following acknowledgement:
X * ``This product includes software developed by the University of California,
X * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
X * the University nor the names of its contributors may be used to endorse
X * or promote products derived from this software without specific prior
X * written permission.
X * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
X * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
X * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
X */
X
X
X
Xtcp_wrappers-6.3
Xftp://ftp.win.tue.nl/pub/security
Xftp://info.cert.org/pub/tools
XWietse Venema (wietse@wzv.win.tue.nl)
XDepartment of Mathematics and Computing Science
XEindhoven University of Technology
XP.O. Box 513
X5600 MB Eindhoven
XThe Netherlands
X
XNo copyright available.
X
SHAR_EOF
$shar_touch -am 0508141395 'argus-1.5/COPYRIGHT' &&
chmod 0444 'argus-1.5/COPYRIGHT' ||
echo 'restore of argus-1.5/COPYRIGHT failed'
shar_count="`wc -c < 'argus-1.5/COPYRIGHT'`"
test 3751 -eq "$shar_count" ||
echo "argus-1.5/COPYRIGHT: original size 3751, current size $shar_count"
rm -f _sharnew.tmp
fi
# ============= argus-1.5/MANIFEST ==============
if test -f 'argus-1.5/MANIFEST' && test X"$1" != X"-c"; then
echo 'x - skipping argus-1.5/MANIFEST (file already exists)'
rm -f _sharnew.tmp
else
> _sharnew.tmp
echo 'x - extracting argus-1.5/MANIFEST (text)'
sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/MANIFEST' &&
X
X
X/*
X * Copyright (c) 1993, 1994, 1995 Carnegie Mellon University.
X * All rights reserved.
X *
X * Permission to use, copy, modify, and distribute this software and
X * its documentation for any purpose and without fee is hereby granted,
X * provided that the above copyright notice appear in all copies and
X * that both that copyright notice and this permission notice appear
X * in supporting documentation, and that the name of CMU not be
X * used in advertising or publicity pertaining to distribution of the
X * software without specific, written prior permission.
X *
X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X * SOFTWARE.
X *
X */
X
XArgus distribution.
Xtotal 56
X-r--r--r--  1 argus    software    3751 Apr 25 12:04 COPYRIGHT
X-r--r--r--  1 argus    software    6522 May  8 16:48 INSTALL
X-r--r--r--  1 argus    software    5768 May  8 14:34 MANIFEST
X-r--r--r--  1 argus    software    4112 Apr 25 15:25 Makefile.in
X-r--r--r--  1 argus    software   17191 May  8 16:51 README
Xdrwxrwxr-x  2 argus    software     512 May  8 14:46 bin
Xdrwxrwxr-x  3 argus    software     512 May  8 14:46 clients
Xdrwxrwxr-x  3 argus    software     512 May  8 14:46 common
X-r-xr-xr-x  1 argus    software    5139 Apr 28 11:46 configure
Xdrwxr-xr-x  3 argus    software     512 May  8 15:11 contrib
Xdrwxrwxr-x  3 argus    software    1024 Apr 19 15:16 include
Xdrwxrwxr-x  2 argus    software     512 May  8 14:46 lib
Xdrwxrwxr-x  5 argus    software     512 Feb  8 15:30 man
Xdrwxrwxr-x  3 argus    software    1024 May  8 14:46 server
X
Xbin:
Xtotal 5
X-r-xr-xr-x  1 argus    software    2115 Dec 14 15:36 mkdep
X
Xclients:
Xtotal 59
X-r--r--r--  1 argus    software    3955 Apr 20 17:19 Makefile.in
X-r--r--r--  1 argus    software    2992 Apr 25 13:15 README
X-r--r--r--  1 argus    software    1744 Apr 19 15:41 policy.conf
X-r--r--r--  1 argus    software     255 Dec 14 15:37 policy.test
X-r--r--r--  1 argus    software   22782 Apr 25 17:25 ra.c
X-r--r--r--  1 argus    software   20220 Apr 20 17:38 services.c
X-r--r--r--  1 argus    software    3047 Feb  8 16:02 template.c
X
Xcommon:
Xtotal 104
X-r--r--r--  1 argus    software    3841 Feb  8 16:03 Makefile.in
X-r--r--r--  1 argus    software    1682 Apr 25 13:43 README
X-r--r--r--  1 argus    software   15570 Apr 24 15:35 addrtoname.c
X-r--r--r--  1 argus    software   13053 Feb  8 16:04 argus_filter.c
X-r--r--r--  1 argus    software   28559 Apr 24 16:11 argus_parse.c
X-r--r--r--  1 argus    software    2131 Feb  8 16:04 bpf_dump.c
X-r--r--r--  1 argus    software   28245 Feb  8 16:04 gencode.c
X-r--r--r--  1 argus    software    6309 Feb  8 16:05 util.c
X
Xcontrib:
Xtotal 23
X-r-xr-xr-x  1 argus    software      73 May  8 14:08 CA-95:01
X-r-xr-xr-x  1 argus    software    5688 May  8 15:11 CA-95:01.scan.sh
X-r--r--r--  1 argus    software    3195 May  8 15:03 README
X-r--r--r--  1 argus    software    3218 May  8 14:52 configs
X-r-xr-xr-x  1 argus    software    1636 May  7 17:25 dailyscan.sh
X-r--r--r--  1 argus    software    2826 May  8 15:02 ra.conf
X
Xinclude:
Xtotal 83
X-r--r--r--  1 argus    software    1678 Feb  8 16:05 addrtoname.h
X-r--r--r--  1 argus    software    1170 Feb  8 16:06 adjacency.h
X-r--r--r--  1 argus    software    2883 Feb  8 16:06 argus.h
X-r--r--r--  1 argus    software    2478 Feb  8 16:06 argus_client.h
X-r--r--r--  1 argus    software    3210 Feb  8 16:07 argus_parse.h
X-r--r--r--  1 argus    software    2168 Feb  8 16:07 argus_util.h
X-r--r--r--  1 argus    software    1162 Feb  8 16:07 compat.h
X-r--r--r--  1 argus    software    3235 Apr 11 14:04 cons_def.h
X-r--r--r--  1 argus    software       0 Feb  8 16:07 cons_ether.h
X-r--r--r--  1 argus    software    1141 Feb  8 16:07 cons_icmp.h
X-r--r--r--  1 argus    software    1511 Feb  8 16:07 cons_ip.h
X-r--r--r--  1 argus    software    3395 Apr 19 15:16 cons_out.h
X-r--r--r--  1 argus    software    2008 Feb  8 16:08 cons_tcp.h
X-r--r--r--  1 argus    software    1472 Feb  8 16:08 cons_udp.h
X-r--r--r--  1 argus    software    1106 Feb  8 16:08 cons_util.h
X-r--r--r--  1 argus    software    1465 Feb  8 16:08 etherent.h
X-r--r--r--  1 argus    software   14240 Feb  8 16:08 etherproto.h
X-r--r--r--  1 argus    software    2024 Feb  8 16:08 extract.h
X-r--r--r--  1 argus    software    2937 Feb  8 16:09 fddi.h
X-r--r--r--  1 argus    software    1465 Feb  8 16:09 inet.h
X-r--r--r--  1 argus    software    3969 Feb  8 16:09 interface.h
X-r--r--r--  1 argus    software    3207 Feb  8 16:09 llc.h
X-r--r--r--  1 argus    software    1552 Feb  8 16:09 md.h
X-r--r--r--  1 argus    software    1832 Feb  8 16:09 nametoaddr.h
X-r--r--r--  1 argus    software    2467 Feb  8 16:09 os.h
X-r--r--r--  1 argus    software    2176 Feb  8 16:10 policy.h
X-r--r--r--  1 argus    software    1170 Feb  8 16:10 services.h
X
Xlib:
X
Xman:
Xtotal 5
Xdrwxrwxr-x  3 argus    software     512 May  5 16:36 man1
Xdrwxrwxr-x  3 argus    software     512 Feb  8 15:55 man5
Xdrwxrwxr-x  3 argus    software     512 Apr 25 18:27 man8
X
Xman/man1:
Xtotal 63
X-r--r--r--  1 argus    software   15083 May  5 16:36 ra.1
X-r--r--r--  1 argus    software    9968 Apr 20 17:41 services.1
X-r--r--r--  1 argus    software   35488 May  5 16:36 tcpdump.1
X
Xman/man5:
Xtotal 7
X-r--r--r--  1 argus    software    3442 Feb  8 15:55 argus.5
X
Xman/man8:
Xtotal 10
X-r--r--r--  1 argus    software    7164 Apr 25 18:27 argus.8
X
Xserver:
Xtotal 104
X-r--r--r--  1 argus    software    4556 Feb  8 16:11 Makefile.in
X-r--r--r--  1 argus    software    2036 Apr 25 13:20 README
X-r--r--r--  1 argus    software    5891 Apr 25 17:38 argus.c
X-r--r--r--  1 argus    software    3055 Feb  8 16:11 argus_cons.c
X-r--r--r--  1 argus    software   14500 Apr 25 18:42 argus_util.c
X-r--r--r--  1 argus    software    2189 Feb  8 16:12 bpf_dump.c
X-r--r--r--  1 argus    software    2321 Feb  8 16:12 cons_ether.c
X-r--r--r--  1 argus    software    6285 Feb  8 16:12 cons_fddi.c
X-r--r--r--  1 argus    software    4800 Feb  8 16:12 cons_icmp.c
X-r--r--r--  1 argus    software   12399 Feb  8 16:12 cons_ip.c
X-r--r--r--  1 argus    software    5786 Apr 19 15:29 cons_sockets.c
X-r--r--r--  1 argus    software   16416 Feb  8 16:12 cons_tcp.c
X-r--r--r--  1 argus    software   10712 Apr 25 17:51 cons_udp.c
X-r--r--r--  1 argus    software     215 Apr 25 18:13 services
X-r--r--r--  1 argus    software    3376 Feb  8 16:12 tcp_wrapper.c
SHAR_EOF
$shar_touch -am 0508141395 'argus-1.5/MANIFEST' &&
chmod 0444 'argus-1.5/MANIFEST' ||
echo 'restore of argus-1.5/MANIFEST failed'
shar_count="`wc -c < 'argus-1.5/MANIFEST'`"
test 6732 -eq "$shar_count" ||
echo "argus-1.5/MANIFEST: original size 6732, current size $shar_count"
rm -f _sharnew.tmp
fi
# ============= argus-1.5/contrib/CA-95:01 ==============
if test ! -d 'argus-1.5/contrib'; then
echo 'x - creating directory argus-1.5/contrib'
mkdir 'argus-1.5/contrib'
fi
if test -f 'argus-1.5/contrib/CA-95:01' && test X"$1" != X"-c"; then
echo 'x - skipping argus-1.5/contrib/CA-95:01 (file already exists)'
rm -f _sharnew.tmp
else
> _sharnew.tmp
echo 'x - extracting argus-1.5/contrib/CA-95:01 (text)'
sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/contrib/CA-95:01' &&
Xtcp and (ether src INTERNET-FIREWALL-GATE-ETHADDR and src net INTERNAL )
SHAR_EOF
$shar_touch -am 0508141395 'argus-1.5/contrib/CA-95:01' &&
chmod 0555 'argus-1.5/contrib/CA-95:01' ||
echo 'restore of argus-1.5/contrib/CA-95:01 failed'
shar_count="`wc -c < 'argus-1.5/contrib/CA-95:01'`"
test 73 -eq "$shar_count" ||
echo "argus-1.5/contrib/CA-95:01: original size 73, current size $shar_count"
rm -f _sharnew.tmp
fi
# ============= argus-1.5/contrib/dailyscan.sh ==============
if test -f 'argus-1.5/contrib/dailyscan.sh' && test X"$1" != X"-c"; then
echo 'x - skipping argus-1.5/contrib/dailyscan.sh (file already exists)'
rm -f _sharnew.tmp
else
> _sharnew.tmp
echo 'x - extracting argus-1.5/contrib/dailyscan.sh (text)'
sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/contrib/dailyscan.sh' &&
X#!/bin/csh -f
X#
X# This script is used to report violations in the policy of a firewall gateway
X# as well as report internal network services. This script is run daily at 1am.
X#
X# file          - name of the Argus file saved from a cron script daily
X# dir           - archive directory the file is saved to
X# free_space    - free space on partition
X# argus_admin   - users to be notified via mail
X# policy_filter - Argus policy filter (the Cisco-style file read with ra -C)
X# my_net        - network name in /etc/networks or in decimal form
X#
Xset file=monitor.`date +%m.%d.%H`:00
Xset dir=/usr/argus/archive
Xset free_space=`df /archive | tail -1 | awk '{ print $4 }'`
Xset argus_admin=dante
Xset policy_filter=ra.conf
Xset my_net=192.0.0
X#
Xcd $dir
X#
X# notify if data should be archived to tape
X#
Xif ( ${free_space} <= 20000 ) then
X    echo `hostname` has only ${free_space} blocks left in ${dir} \
X        | /usr/ucb/mail -s "SPACE-PROBLEM" ${argus_admin}
Xendif
X#
X# notify if the data file does not exist or is zero length
X#
Xif ( ! -e ${dir}/${file} || -z ${dir}/${file} ) then
X    echo "Argus data file empty or deleted" | /usr/ucb/mail -s "ARGUS-PROBLEM" \
X        ${argus_admin}
X    exit(1)
Xendif
X#
X# Run ra and report any Argus transactions that violate the filter file
X# named in the variable policy_filter. Also, report all internal network
X# services.
X#
X/usr/argus/bin/ra -C ./${policy_filter} -nc -r $dir/$file proto not igmp and \
X    dst net ${my_net} | /usr/ucb/mail -s "ARGUS-DATA" ${argus_admin}
X/usr/argus/bin/services -r $dir/$file dst net ${my_net} | \
X    /usr/ucb/mail -s "ARGUS-SERVICES-DATA" ${argus_admin}
X#
Xcompress -f $dir/$file
Xchmod 444 $dir/$file.Z
SHAR_EOF
$shar_touch -am 0508141395 'argus-1.5/contrib/dailyscan.sh' &&
chmod 0555 'argus-1.5/contrib/dailyscan.sh' ||
echo 'restore of argus-1.5/contrib/dailyscan.sh failed'
shar_count="`wc -c < 'argus-1.5/contrib/dailyscan.sh'`"
test 1636 -eq "$shar_count" ||
echo "argus-1.5/contrib/dailyscan.sh: original size 1636, current size $shar_count"
rm -f _sharnew.tmp
fi
# ============= argus-1.5/contrib/ra.conf ==============
if test -f 'argus-1.5/contrib/ra.conf' && test X"$1" != X"-c"; then
echo 'x - skipping argus-1.5/contrib/ra.conf (file already exists)'
rm -f _sharnew.tmp
else
> _sharnew.tmp
echo 'x - extracting argus-1.5/contrib/ra.conf (text)'
sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/contrib/ra.conf' &&
X;
X; This is a modified filter portion of a Cisco configuration file, using a
X; fictitious internal network number, 192.0.0. The network topology is as
X; follows:
X;
X;                                    |
X;                               -----------
X;                               | Gateway |
X;                               -----------
X;          Firewall Network          | 10.1.1.1
X;      |--------------------------------------------|
X;          | 10.1.1.2                       | 0.0.0.0
X;      -----------                     -----------
X;      | Gateway |                     |  Argus  |
X;      |         |                     |  Host   |
X;      -----------                     -----------
X;          | 192.0.0.1                      | 192.0.0.2
X;      |--------------------------------------------|
X;          Internal Network
X;
X;
X; Since the Argus data is captured on the external firewall network, violations
X; are reported even though they are filtered successfully by the gateway. This
X; serves as a good first alert mechanism for external attempts to violate the
X; firewall policy.
X;
X; No source routing through our gateway.
X;
Xno ip source-route
X;
X; Pass all icmp but remember, we won't see icmp scans (i.e. ping). This is
X; done because icmp events can generate lots of data.
X;
Xaccess-list 102 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
X;
X; Udp stuff: Permit domain, ntp, talk, and ntalk, deny all else.
X;
Xaccess-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 53
Xaccess-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 123
Xaccess-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 517
Xaccess-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 518
Xaccess-list 102 deny udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255
X;
X; Tcp stuff:
X;   permit telnet to our "one time password" telnet host
X;   permit smtp to our mail host
X;   permit finger to our finger host
X;   permit nntp to our news host
X;   deny less than port 1023
X;   deny X
X;
X; The single-host permits use a 0.0.0.0 wildcard mask so that they match
X; only the named host and not the whole 192.0.0 network.
X;
Xaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.23 0.0.0.0 eq 23
Xaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.25 0.0.0.0 eq 25
Xaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.79 0.0.0.0 eq 79
Xaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 128.237.1.8 0.0.0.0 eq 119
Xaccess-list 102 deny tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 lt 1023
Xaccess-list 102 deny tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 2000
Xaccess-list 102 deny tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 6000
Xaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 lt 6000
Xaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 gt 6100
Xaccess-list 102 deny tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 gt 6000
Xaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255
SHAR_EOF
$shar_touch -am 0508141395 'argus-1.5/contrib/ra.conf' &&
chmod 0444 'argus-1.5/contrib/ra.conf' ||
echo 'restore of argus-1.5/contrib/ra.conf failed'
shar_count="`wc -c < 'argus-1.5/contrib/ra.conf'`"
test 2826 -eq "$shar_count" ||
echo "argus-1.5/contrib/ra.conf: original size 2826, current size $shar_count"
rm -f _sharnew.tmp
fi
# ============= argus-1.5/contrib/README ==============
if test -f 'argus-1.5/contrib/README' && test X"$1" != X"-c"; then
echo 'x - skipping argus-1.5/contrib/README (file already exists)'
rm -f _sharnew.tmp
else
> _sharnew.tmp
echo 'x - extracting argus-1.5/contrib/README (text)'
sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/contrib/README' &&
X
X/*
X * Copyright (c) 1995 Carnegie Mellon University.
X * All rights reserved.
X *
X * Permission to use, copy, modify, and distribute this software and
X * its documentation for any purpose and without fee is hereby granted,
X * provided that the above copyright notice appear in all copies and
X * that both that copyright notice and this permission notice appear
X * in supporting documentation, and that the name of CMU not be
X * used in advertising or publicity pertaining to distribution of the
X * software without specific, written prior permission.
X *
X * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
X * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
X * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
X * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
X * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
X * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
X * SOFTWARE.
X *
X */
X
XArgus contrib directory
X
XThis directory includes shell scripts and configuration files that
Xperform simple network administrative tasks, and are offered as a
Xdemonstration of how Argus data can be used in your network management.
X
XThey are demonstrations of:
X
X    1. Network activity summary report generation.
X    2. Specific network intrusion attack detection.
X
X
XIf you would like to make contributions to this directory and have
Xthem included in possible future releases, please send your candidates
Xto argus@sei.cmu.edu.
X
XMANIFEST
X./contrib
Xtotal 22
X-rwxr-xr-x  1 argus    software      73 May  8 14:08 CA-95:01
X-rwxr-xr-x  1 argus    software    5686 May  8 13:47 CA-95:01.scan.sh
X-rw-r--r--  1 argus    software    3195 May  8 15:02 README
X-rw-r--r--  1 argus    software    3218 May  8 12:58 configs
X-rwxr-xr-x  1 argus    software    1636 May  7 17:25 dailyscan.sh
X-rw-r--r--  1 argus    software    2747 May  8 13:01 ra.conf
X
X
XCA-95:01         - a one line Argus filter that will aid in detecting if
X                   there has been an IP spoof attack of the nature
X                   described in CERT advisory CA-95:01.
X
XCA-95:01.scan.sh -
X                   An example of a shell script to examine Argus data, looking
X                   for a specific type of network activity. In this
X                   example, the scan uses the file 'CA-95:01', which
X                   tests for the occurrence of an IP spoofing attack of
X                   the form described in CERT advisory CA-95:01.
X                   This is included as a demonstration of how Argus data
X                   can be used in local intrusion detection, and is offered
X                   as an exercise.
X
Xconfigs          - A description of 2 Argus deployment strategies.
X
Xdailyscan.sh     - An example of a shell script that can be used
X                   to examine Argus data. A script of this type might
X                   be run as a daily cron job and used to generate
X                   daily network activity reports.
X
Xra.conf          - A sample firewall policy filter file used by dailyscan.sh.
X                   This is an example firewall policy. The actual policy
X                   used should be the policy installed on your router.
SHAR_EOF
$shar_touch -am 0508141395 'argus-1.5/contrib/README' &&
chmod 0444 'argus-1.5/contrib/README' ||
echo 'restore of argus-1.5/contrib/README failed'
shar_count="`wc -c < 'argus-1.5/contrib/README'`"
test 3195 -eq "$shar_count" ||
echo "argus-1.5/contrib/README: original size 3195, current size $shar_count"
rm -f _sharnew.tmp
fi
# ============= argus-1.5/contrib/configs ==============
if test -f 'argus-1.5/contrib/configs' && test X"$1" != X"-c"; then
echo 'x - skipping argus-1.5/contrib/configs (file already exists)'
rm -f _sharnew.tmp
else
> _sharnew.tmp
echo 'x - extracting argus-1.5/contrib/configs (text)'
sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/contrib/configs' &&
X
X
X
XExample Argus Deployment and Functional Configuration
X
X
XWe describe two working Argus configurations. All the IP network addresses
Xhave been changed to protect the innocent.
X
XIn the first and simplest configuration, the Argus daemon is run from a
Xhost with a single network interface, and logs data directly to disk.
XWith this configuration, one may also connect directly to the auditing
Xhost and collect data remotely in real time (see ra(1) using the -S option).
XSteps should be taken to harden this host with respect to security to
Xensure the integrity of the Argus data. This is a typical configuration
Xfor auditing on trusted internal network segments.
X
XNote: due to a bug on Sun OS 4.X and the SNIT interface, datagrams
Xsent from the auditing host will not be detected. In order to avoid
Xconfusion, in this configuration we recommend that you filter packets
Xinvolving the Argus host on the argus command line.
X
XThe second example configuration can be used to verify a network
Xfirewall service policy for intrusion detection. In this configuration,
Xthe auditing host is stripped of all non-essential network services,
Xhardened with respect to security and given an additional network
Xinterface. This extra interface is attached directly to the firewall
Xnetwork and assigned the IP address of 0.0.0.0, so that it cannot be
Xaccessed by any external hosts located outside the firewall. Also,
Xthe auditing host does not have a default route, and has IP forwarding
Xturned off in the kernel. The following is an example of this
Xconfiguration:
X
X                                     |
X                                -----------
X                                | Internet|
X                                | Gateway |
X                                -----------
X           Firewall Network          | 10.1.1.1
X       |--------------------------------------------|
X           | 10.1.1.2                       | 0.0.0.0
X       -----------                     -----------
X       | Gateway |                     |  Argus  |
X       |         |                     |  Host   |
X       -----------                     -----------
X           | 192.0.0.1                      | 192.0.0.2
X       |--------------------------------------------|
X           Internal Network
X
XNote: since the primary interface of the Argus host (192.0.0.2) is attached
Xdirectly to the internal network, we restrict the Argus host to routing only
Xto the internal network for security purposes.
X
XIn both configurations, the Argus daemon is started from rc.local, i.e.,
X
X    if [ -f /usr/argus/bin/argus_snit ]; then
X        /usr/argus/bin/argus_snit -w /usr/argus/argus.file &
X        echo -n ' Argus'
X    fi
X
XWhen the Argus daemon reports a network transaction or an event, it opens
Xthe file, writes the data, then closes it. Since the Unix mv(1) rename
Xis atomic, the Argus file can simply be moved to an archive
Xdirectory for archival purposes, and the original file will continue to be
Xcreated without dropping data. For example, this is a script run from
Xcron(8) to move the file to an archive directory hourly:
X
X    mv /usr/argus/argus.file /usr/argus/archive/argus.`date +%m.%d.%H`:00
X
SHAR_EOF
$shar_touch -am 0508141395 'argus-1.5/contrib/configs' &&
chmod 0444 'argus-1.5/contrib/configs' ||
echo 'restore of argus-1.5/contrib/configs failed'
shar_count="`wc -c < 'argus-1.5/contrib/configs'`"
test 3218 -eq "$shar_count" ||
echo "argus-1.5/contrib/configs: original size 3218, current size $shar_count"
rm -f _sharnew.tmp
fi
# ============= argus-1.5/contrib/CA-95:01.scan.sh ==============
if test -f 'argus-1.5/contrib/CA-95:01.scan.sh' && test X"$1" != X"-c"; then
echo 'x - skipping argus-1.5/contrib/CA-95:01.scan.sh (file already exists)'
rm -f _sharnew.tmp
else
> _sharnew.tmp
echo 'x - extracting argus-1.5/contrib/CA-95:01.scan.sh (text)'
sed 's/^X//' << 'SHAR_EOF' > 'argus-1.5/contrib/CA-95:01.scan.sh' &&
X#!/bin/csh -f
X#
X# This example involves advanced concepts in TCP networking.
X# We make this available to the experienced network manager and network
X# security manager. Please do not try this at home.
X#
X# This script can be used to detect possible IP spoof attacks from an
X# Argus data FILE. WARNING!!! This simple filter can generate "false
X# positive" reports, but should be effective in detecting attempts to
X# establish a TCP connection with a spoofed IP source address.
X# You may have to discriminate potential "false positives" from actual
X# IP spoof attacks using this technique.
X#
X# The type of attack that is tested is the simple attack strategy
X# described in CERT advisory CA-95:01 "IP spoofing attacks and
X# hijacked terminal connections". This attack strategy is characterized
X# as a source address forgery attack, with TCP sequence number discovery.
X# This combination allows for source IP address spoofing of TCP
X# connections.
X# X# The script works by running ra(1), with the appropriate command line X# arguments for selecting potentially suspect network transactions. X# X# The filter that ra(1) uses, matches for TCP Argus status records that X# use the external router's as its source MAC address, but have an X# internal IP address as the source IP network address. This is a X# reliable filter that should detect all occurrences of the simple type X# of IP spoof attack described in CA-95:01. X# X# A suspect attack scenario will involve at least 2 Argus records. One X# of the records will be a TIMED_OUT Multiroute TCP connection. X# This status record is the transaction that is used to probe the X# host to discover a working sequence number for the "spoof" connection. X# The second will be a CLOSED, RESET, or TIMED_OUT Multiroute TCP X# connection, that will represent the actual spoofed connection. X# X# With such a simple detection scheme, you should anticipate that there X# will be conditions where legitimate internal TCP traffic will be X# included in the filter output. These reports do not constitute X# "false positives". You will be looking for occurrences of two X# connections reported, with the same source and destination IP addresses, X# the external routers MAC address as the source address, one connection X# being reported as TIMED_OUT with a SYN and SYN_SENT indicator, and the X# second connection reporting a SYN, SYN_SENT, CON_ESTABLISHED and either X# TIMED_OUT, CLOSED, or RESET state. In this situation, there should be X# high confidence that an IP spoof attack has occurred. X# X# Because of the various timeout conditions, the two status records will X# not necessarily be reported "in order". But careful inspection of the X# two Argus status record start_times, should show that the "probe" record X# precedes the "spoof" attempt. X# X# Technical Note: X# X# When trying to analyze for how "false positives" might occur in X# this scenario, one condition is possible. 
In some network X# configurations, the external router performs a reDIRect service for X# internal traffic. This generally occurs when an internal network relys X# on static "default" routing as its principle routing strategy, and in X# this case a part of many legitimate internal TCP connections will involve X# the external router. As a result, the routers MAC address will appear X# as the source MAC address in a part of the connection's datagrams, but X# the datagrams will have a local IP source address. X# X# When this situation occurs, and the Argus server experiences a high X# load, and subsequently drops a significant number of packets, "false X# positives" may occur. When Argus drops large numbers of packets, X# many TCP connections will be reported without the SYN and SYN_SENT X# conditions being seen. Without these indicators being seen in the majority X# of local TCP connection status reports, the reliability of this detection X# scheme decreases. In no way would we want to insure that this X# is a totally fool-proof method for detecting CA-95:01 attacks. If X# you do suspect, however, that a connection maybe spoofed, you should use X# investigate the matter thoroughly. X# X# X# We hope that you find this example helpful. X# X# X# FILE - name of the Argus FILE saved from a conr script once an hour X# DIR - archive DIRectory the FILE is saved to X# FREE_SPACE - free space on partition X# ARGUS_ADMIN - users to be notified via mail X# SPOOF_FILTER - Argus spoof filter X# SPOOF_OUTPUT - Argus spoof output FILE X# Xset FILE=argus.`date +%m.%d.%H`:00 Xset DIR=/usr/argus/archive Xset FREE_SPACE=`df /archive | tail -1 | awk '{ print $4 }'` Xset ARGUS_ADMIN=dante Xset SPOOF_FILTER="CA-95:01" Xset SPOOF_OUTPUT=spoof.out X# Xcd $DIR Xif ( ${FREE_SPACE} <= 20000 ) then X echo `hostname` has only ${FREE_SPACE} blocks left in ${DIR} \ X | /usr/ucb/mail -s "SPACE-PROBLEM" ${ARGUS_ADMIN} Xendif Xif ( ! 
-e ${DIR}/${FILE} | ${DIR}/${FILE} ) then X echo "Argus data FILE empty or deleted" | /usr/ucb/mail -s "ARGUS-PROBLEM"\ X ${ARGUS_ADMIN} X exit(1) Xendif X# X# check for IP spoofing X# Xif ( -e ./{SPOOF_OUTPUT} ) then X set spoofout_size=`ls -l ./${SPOOF_OUTPUT} | awk '{print $4}'` X /usr/argus/bin/ra -Mnc -r $DIR/$FILE -F ./${SPOOF_FILTER} \ X -w ./${SPOOF_OUTPUT} >/dev/null X if ( $spoofout_size < `ls -l ./${SPOOF_OUTPUT} | awk '{print $4}'` ) then X echo check ${DIR}/"${SPOOF_OUTPUT} | \ X /usr/ucb/mail -s "SPOOF-ALERT" ${ARGUS_ADMIN} X endif Xelse X /usr/argus/bin/ra -Mnc -r $DIR/$FILE -F ./${SPOOF_FILTER} \ X -w ./${SPOOF_OUTPUT} >/dev/null X if ( -e ./${SPOOF_OUTPUT} ) then X echo check ${DIR}/${SPOOF_OUTPUT}" | \ X /usr/ucb/mail -s "SPOOF-ALERT" ${ARGUS_ADMIN} X endif Xendif X# Xcompress -f $DIR/$FILE Xchmod 444 $DIR/$FILE.Z SHAR_EOF $shar_touch -am 0508141395 'argus-1.5/contrib/CA-95:01.scan.sh' && chmod 0555 'argus-1.5/contrib/CA-95:01.scan.sh' || echo 'restore of argus-1.5/contrib/CA-95:01.scan.sh failed' shar_count="`wc -c < 'argus-1.5/contrib/CA-95:01.scan.sh'`" test 5688 -eq "$shar_count" || echo "argus-1.5/contrib/CA-95:01.scan.sh: original size 5688, current size $shar_count" rm -f _sharnew.tmp fi rm -f _sharseq.tmp echo 'You have unpacked the last part' exit 0
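The CA-95:01.scan.sh script above only produces the filtered ra(1) output; the analyst is then told to look by hand for the two-record pattern (a TIMED_OUT probe with SYN and SYN_SENT, followed by a CON_ESTABLISHED connection to the same destination that ended CLOSED, RESET or TIMED_OUT) and to check start_times because the records may not arrive in order. The following is an added example, not part of the argus distribution, that implements that correlation step. It reads a constructed, simplified tab-separated record layout (not ra's real output format); the router MAC address, the internal network and all records are made-up values for the example, and the records are deliberately listed out of order to show the start_time check.

```python
"""Correlate Argus-style status records for the CA-95:01 spoof pattern.

Constructed example: the record layout below is a simplified tab-separated
format (start_time, src_mac, src_ip, dst_ip, flags, state), NOT ra(1)'s
real output, and every value is made up for this demonstration.
"""
import ipaddress
from collections import defaultdict

ROUTER_MAC = "08:00:20:aa:bb:cc"                     # assumed external router MAC
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal network (documentation range)

# Constructed sample. The spoof pair (192.0.2.10 -> 192.0.2.50) is listed
# out of order on purpose; the third line mimics a legitimate connection
# that crossed the router (redirect case) and has no matching probe.
SAMPLE_RECORDS = """\
01:00:09\t08:00:20:aa:bb:cc\t192.0.2.10\t192.0.2.50\tSYN,SYN_SENT,CON_ESTABLISHED\tRESET
01:00:05\t08:00:20:aa:bb:cc\t192.0.2.10\t192.0.2.50\tSYN,SYN_SENT\tTIMED_OUT
01:01:00\t08:00:20:aa:bb:cc\t192.0.2.20\t192.0.2.60\tSYN,SYN_SENT,CON_ESTABLISHED\tCLOSED
01:02:00\t00:00:0c:11:22:33\t192.0.2.30\t192.0.2.70\tSYN,SYN_SENT\tTIMED_OUT
01:02:30\t00:00:0c:11:22:33\t192.0.2.30\t192.0.2.70\tSYN,SYN_SENT,CON_ESTABLISHED\tCLOSED
01:03:00\t08:00:20:aa:bb:cc\t198.51.100.7\t192.0.2.80\tSYN,SYN_SENT\tTIMED_OUT
"""


def parse_records(text):
    """Parse the constructed tab-separated layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, smac, sip, dip, flags, state = line.split("\t")
        records.append({
            "start_time": start,
            "src_mac": smac.lower(),
            "src_ip": ipaddress.ip_address(sip),
            "dst_ip": ipaddress.ip_address(dip),
            "flags": set(flags.split(",")),
            "state": state,
        })
    return records


def suspect_records(records):
    """The script's filter: external router MAC as source, internal IP as source."""
    return [r for r in records
            if r["src_mac"] == ROUTER_MAC and r["src_ip"] in INTERNAL_NET]


def is_probe(r):
    """Sequence-number discovery: SYN sent, never established, timed out."""
    return (r["state"] == "TIMED_OUT"
            and {"SYN", "SYN_SENT"} <= r["flags"]
            and "CON_ESTABLISHED" not in r["flags"])


def is_spoofed_connection(r):
    """A completed connection from the same forged source, however it ended."""
    return ({"SYN", "SYN_SENT", "CON_ESTABLISHED"} <= r["flags"]
            and r["state"] in {"TIMED_OUT", "CLOSED", "RESET"})


def find_spoof_pairs(records):
    """Pair each probe with the first later established connection that
    shares its source and destination IP addresses."""
    by_flow = defaultdict(list)
    for r in suspect_records(records):
        by_flow[(r["src_ip"], r["dst_ip"])].append(r)
    hits = []
    for recs in by_flow.values():
        recs.sort(key=lambda r: r["start_time"])   # records may not be reported in order
        probes = [r for r in recs if is_probe(r)]
        conns = [r for r in recs if is_spoofed_connection(r)]
        for p in probes:
            for c in conns:
                if c["start_time"] > p["start_time"]:
                    hits.append((p, c))
                    break
    return hits


if __name__ == "__main__":
    for probe, conn in find_spoof_pairs(parse_records(SAMPLE_RECORDS)):
        print(f"SPOOF-ALERT {probe['src_ip']} -> {probe['dst_ip']}: probe at "
              f"{probe['start_time']}, {conn['state']} connection at {conn['start_time']}")
```

Only the one flow that shows both the probe and the later established connection is reported; the lone router-MAC connection with an internal source address passes the filter but is left alone, which is the distinction the script's comments draw between "filter output" and an actual spoof. Packets dropped under load would remove the SYN and SYN_SENT flags from records and so suppress matches, the same weakness the Technical Note describes.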
