gmane.network.argus

Re: raservices ((doesn't crash)) when processing

Matt Brown — 2013-05-17T18:25:58

With the 3.0.7.10 release, will you also change the ARGUSMAXSIGFILE in
../clients/include/argus_client.h ?


On May 17, 2013, at 12:32 PM, Carter Bullard <carter< at >qosient.com> wrote:

Hey Dave,
Its not ArgusMergeLabels() that has a problem.  raservices() is munging the
string that  ArgusMergeLabels() returns.  Copy this version of raservices.c,
to ./examples/raservices, and re-make.  Should fix things.

Carter

<raservices.c>



On May 17, 2013, at 11:42 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Carter,

I have it working but I think that there is a problem with ArgusMergeLabels()
when it is set for ArgusUnion. If you look at the attached file, it seems
that the buffer is not being cleared correctly. I am running raservices
againstunclustered flow records that have been labeled by radium as they
arrive from the argus collector. I can provide the equivalent ra output if
you want, that’s why I included the offset.

--Dave


*From:* Carter Bullard [mailto:carter< at >qosient.com]
*Sent:* Thursday, May 16, 201

argus data labels and DNS names

Carter Bullard — 2013-05-17T17:51:22

Hey Dave,
I see that you're putting name resolutions in your flow data labels.  Good idea…
There are a lot of buttons and dials for name lookups in argus and the clients.
Now that someone is doing this on the list, we should turn this stuff on for labels.

In the new clients that I'll put up tonight/tomorrow, there are a few new
variables in the ./support/Config/ralabel.conf file to turn on/off various DNS
functions.

We have a non-blocking DNS resolver in the library, and clients like ratop() and
rasqlinsert() currently use it so that they are not blocking, waiting for the DNS query to
return. There is a new variable to turn that on or off.  If you MUST have a
DNS name at the time of labeling, then you would set this to "no".  If you
can handle lazy lookups, which keeps radium() going fast, then I would set
this to "yes".

There are a few new variables to specify what you want in the name,
host name only (truncate the domain name) or just the domain name
(snip off the leading chars upto the first ' . ').

Re: raservices crashes when processing

Carter Bullard — 2013-05-17T16:32:33

Hey Dave,
Its not ArgusMergeLabels() that has a problem.  raservices() is munging the 
string that  ArgusMergeLabels() returns.  Copy this version of raservices.c,
to ./examples/raservices, and re-make.  Should fix things.

Carter



On May 17, 2013, at 11:42 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Re: raservices crashes when processing

Dave Edelman — 2013-05-17T15:42:16

Carter,
 
I have it working but I think that there is a problem with
ArgusMergeLabels() when it is set for ArgusUnion. If you look at the
attached file, it seems that the buffer is not being cleared correctly. I am
running raservices against unclustered flow records that have been labeled
by radium as they arrive from the argus collector. I can provide the
equivalent ra output if you want, that's why I included the offset.
 
--Dave
 
 
From: Carter Bullard [mailto:carter< at >qosient.com] 
Sent: Thursday, May 16, 2013 11:14 AM
To: Dave Edelman
Cc: 'Matt Brown'; argus-info< at >lists.andrew.cmu.edu
Subject: Re: [ARGUS] raservices crashes when processing
 
Hey Dave,
Of course, everything in the clients has a constant defined somewhere.
Change the value of ARGUSMAXSIGFILE in ./include/argus_client.h to
something like this:
 
==== //depot/argus/clients/include/argus_client.h#64 -
/Volumes/Users/carter/argus/clients/include/argus_client.h ====
142c142
< #define ARGUSMAXSIGFILE               2048
---
 
 
Carter
 
On May 16,

Re: raservices crashes when processing

Carter Bullard — 2013-05-16T16:53:59

Hey Matt,
Well 2K of signatures is too small, obviously, so, thanks for starting that fix.
But, if you don't mind, using the word crash is not good, so lets use the word
" fails ", unless, of course, it really does crash, then crash is the best term ;O)

So rauserdata() is designed to generate upto 16 signatures per application.
While it does want to try to leverage port numbers as application identifiers,
and since there are 64K ports, we probably should be ready for .5M of flows,
I suppose.  Just didn't want to allocate a chunk of memory, and not use it.

You don't need to aggregate the flows to build signatures, or to label
traffic.  I don't really recommend it, but it is a good starting point so, no
harm, no foul. 

Flows can change their character during the life of the flow, but if
you aggregate, you will only match on the " first X bytes " in the
flow.  The feature is really designed to allow you to continuously
monitor flows for application conformance, allow you to know if
the application is still w

Re: raservices crashes when processing

Matt Brown — 2013-05-16T15:58:51

Good Morning Carter,





As far as collecting user data, looks good to me:



# radump -r * -s suser duser | wc -l

195492

# radump -r * -s suser duser | grep 's\[0\]=""' | wc -l

36307

# radump -r * -s suser duser | grep 's\[[1-9].*' | wc -l

159184



I used the data file produced with rastream:

rastream -d -S 127.0.0.1:561 -B 15s -M time 1h <x-apple-data-detectors://1> -w
/var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh



argus running as:

argus -d -i eth0 -P 561



argus.conf with ARGUS_CAPTURE_DATA_LEN set:

# cat /etc/argus.conf | egrep -v '^$|^[#]'

ARGUS_FLOW_TYPE="Bidirectional"

ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"

ARGUS_MONITOR_ID="..." #         // String

ARGUS_SET_PID=yes

ARGUS_PID_PATH="/var/run"

ARGUS_FLOW_STATUS_INTERVAL=60

ARGUS_MAR_STATUS_INTERVAL=300

ARGUS_CAPTURE_DATA_LEN=256







Working off the contents of ../support/Config/sig.std and Dave's great
advice, I performed the following:

# racluster -r * -w day.cache

# rauserdata -r day.cache -M printer="encode32" >

Re: raservices crashes when processing

Carter Bullard — 2013-05-16T15:13:35

Hey Dave,
Of course, everything in the clients has a constant defined somewhere.
Change the value of ARGUSMAXSIGFILE in ./include/argus_client.h to
something like this:

==== //depot/argus/clients/include/argus_client.h#64 - /Volumes/Users/carter/argus/clients/include/argus_client.h ====
142c142
< #define ARGUSMAXSIGFILE2048
---


Carter

On May 16, 2013, at 8:51 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Re: raservices crashes when processing

Dave Edelman — 2013-05-16T12:51:50

The std.sig is fine but it is 435 lines long. 
If I use rauserdata to create a filter file which is longer than 2048 lines (including empty lines) raservices segfaults. If I take the first middle or last 2048 lines of my filter file, raservices is fine. If I remove all of the blank lines from my filter file I can still use any 2048 lines with no problem but raservices segfaults on 2049 lines in the filter file.

--Dave

From: Carter Bullard [mailto:carter< at >qosient.com] 
Sent: Thursday, May 16, 2013 8:37 AM
To: Dave Edelman
Cc: Matt Brown; <argus-info< at >lists.andrew.cmu.edu>
Subject: Re: [ARGUS] raservices crashes when processing

Hey Dave,
Not sure that I follow your situation.  So you're having problems with the provided sig.std or one you created?

Carter

On May 15, 2013, at 8:59 PM, "Dave Edelman" <dedelman< at >iname.com> wrote:
I had the same results so I looked at an example in the argus-client distribution. /support/Config/std.sig has this header:

#  Services fingerprint file, generated by:
#      raus

Re: raservices crashes when processing

Carter Bullard — 2013-05-16T12:37:23

Hey Dave,
Not sure that I follow your situation.  So you're having problems with the provided sig.std or one you created?

Carter

On May 15, 2013, at 8:59 PM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Re: raservices crashes when processing

Carter Bullard — 2013-05-16T12:30:19

Hey Matt,
This is not a crash, which is a programatic unrecoverable fault.  You just didn't generate a good raservices() configuration file.

Try using the provided ./support/Config/sig.std, as a starting point for raservices(), to see if you can get good labels?

Are you sucessfully generating user data yet?

Carter

On May 15, 2013, at 5:55 PM, Matt Brown <matthewbrown< at >gmail.com> wrote:

Anomaly detection

Craig Merchant — 2013-05-16T06:29:38

Carter,

Thank you so much for your analysis of the APT1 threats.  Those emails were extremely educational.

I wanted to pick your brain about a couple of things related to anomaly detection...

We backhaul all remote offices through a central network that Argus can monitor.  Since those remote offices use DHCP, it's hard for Argus to build a reliable model of "normal" behavior by IP address.   And it can't see the MAC addresses of flows from those remote offices.  What's the best approach for anomaly detection in that kind of scenario?  Do you look at the producer/consumer metrics of the whole DHCP subnet and then compare individual flows against that baseline?

What kind of anomaly detection strategy do you use for environments where you have farms of different functional roles - web, MTA, database, etc.?  Do you recommend building a behavioral model by individual host or would you compare individual hosts against a baseline for that class of system?

Thanks.

Craig

Re: raservices crashes when processing

Dave Edelman — 2013-05-16T00:59:23

I had the same results so I looked at an example in the argus-client
distribution. /support/Config/std.sig has this header:
 
#  Services fingerprint file, generated by:
#      rauserdata -d16 -e encode32
#
#  with modifications.
#
 
The -e option is for regular expression pattern matching so I replaced it
with  -M printer='encode32' and I didn't use a -d parameter and the output
looked much closer to the sample. I can now get raservices to core dump
reliably with a segfault. 
 
When I use the sample signature file and I tell raservices to output the
label by using the -s +label:50 I do get a bunch of labels with the value
srv=xxxxxx
 
My data is already the output of a day's worth of flows run through
racluster.
 
raservices -r argusTestData_2013_05_09  -f std.sig -s +label:50
  
2013-05-09-01:28:18.230  *U          udp          10.1.1.50 61266     ->
10.1.1.10 disca*        1        0          148            0
INT
            srv=ndmp
2013-05-09-16:10:32.206  *U          udp          10.1.1.50 61389     ->

raservices crashes when processing

Matt Brown — 2013-05-15T21:55:32

Hello all,



I took a day's worth of argus data and, as suggested on
http://thread.gmane.org/gmane.network.argus/6228/focus=6234, I analyzed it
with rauserdata as follows:



#racluster -r * -w day.cache

#rauserdata -r day.cache > /tmp/raservices.conf





I then inspected /tmp/raservices.conf and it's messy (lots of single lines
with arbirary ports, likely sport maybe rpc?), but I figured why not give
raservices a shot:



#racluster -r * -w - | raservices -f raservices.conf



I receive the following error:

raservices[21315]: 16:51:00.727719 RaCreateSrvEntry: format error Service:
http





I straced the process, and I see no occurances of "http" in the output
(other than the writev()); the data appears to be read correctly until a
blank line is read [read(3, "", 4096)                       = 0]:



read(3, "\"  \n\nService: 48956             "..., 4096) = 4096

read(3, "...xxxxxx"  dst ="..., 4096) = 4096

read(3, "xxxx"..., 4096) = 689

read(3, "", 4096)                       = 0

close(3)

Re: rastream 3.0.7.8, no suser duser

Carter Bullard — 2013-05-15T02:23:37

Hey Matt,
Try this included version of radump.c.  It should fix your bug.
Copy this into ./examples/radump, and recompile.

   % cp radump.c /path/to/your/clients/root/examples/radump
   % cd  /path/to/your/clients/root/examples/radump
   % make
   % ../../bin/radump -r argus.files -s suser

Carter 


Here is the patch, to see the changes.  Not many.....

osiris:radump carter$ p4 diff ...
==== //depot/argus/clients/examples/radump/radump.c#6 - /Users/carter/argus/clients/examples/radump/radump.c ====
298a299,301
308d310
<    if ((user = (struct ArgusDataStruct *)argus->dsrs[ind]) != NULL) {
314c316
<    }
---

Carter 



On May 14, 2013, at 12:09 PM, Carter Bullard <carter< at >qosient.com> wrote:

Re: rastream 3.0.7.8, no suser duser

Carter Bullard — 2013-05-14T16:09:49

Hey Matt,
If your radump() is having problems, send me a small file that has the records
that it dumps on, so I can fix it.  Please send the command line options you're
using, so I can replicate the bug.

radump() will try to decode the contents of the user data buffers, like tcpdump()
decodes packet data, so you can figure out what protocols are running on a
give flow.  We support a good number of protocol decodes, but not all of them,
so you maybe pushing an unknown protocol through radump() or you're not
capturing enough data to fully process a specific header type.

Not sure what radump() will do if there isn't user data to decode… It should be
fine……..

Most people will just printout the contents using ra(), which will simply print
the contents out in ascii.  Most are looking for URL's, DNS names, etc…
which are in ascii.

Carter

On May 14, 2013, at 12:00 PM, Matt Brown <matthewbrown< at >gmail.com> wrote:

Re: rastream 3.0.7.8, no suser duser

Carter Bullard — 2013-05-14T16:01:52

Hey Matt,
Dave is right on.  You have to turn on user data capture at record generation.
… so argus needs to be configured to do so.  You can do that with the -U nnnnn 
option, on the command line, or you can set it in your /etc/argus.conf file,
using the ARGUS_CAPTURE_DATA_LEN=nnn variable setting.

To test that this is the case, you can connect to every component in your
data flow system, and print out your field of interest, to see where they
are, and where they aren't.  If you get back to the component that is
suppose to generate the data element,  and your object is not there,
then, you'll know what needs to be fixed.

When you have an argus data flow system that has a bunch of argi,
being collected and processed by a set of radii, that are labeling,
filtering, stripping, and correlating data, you may need to " debug "
the data train, to figure out what is going on.  So connecting to any
and all at the same time is a helpful way to debug your system.

 Carter


On May 14, 2013, at 11:50 AM, "Dave Edel

Re: rastream 3.0.7.8, no suser duser

Matt Brown — 2013-05-14T16:00:14

Thanks Dave.

I found a thread where carter suggested using radump to see suser and
duser.  I can see some ARP contents, but radump quickly segfaults. Why
is this?

I'm guessing rastream saves some amount of these fields by default?

I can not see these field contents with ra or racluster.  Does this make sense?


Thanks for the reply,

Matt


On May 14, 2013, at 11:51 AM, Dave Edelman <dedelman< at >iname.com> wrote:

Re: rastream 3.0.7.8, no suser duser

Dave Edelman — 2013-05-14T15:50:35

You need to tell argus to collect that data with the -U nnn option where nnn
is the number of bytes of user data you want to keep for each flow.

--Dave

Re: Additional rasqlinsert information

Carter Bullard — 2013-05-14T15:32:26

Hey Dave,
Yes, any data that was generated through RMON aggregation that had a non-default
aggregation model, that included the " proto " field, would have expressed the problem.

Popped up in argus-clients-3.0.7.5, I believe, but should be fine now.

Also in this release, you can do filtering and sorting based on the ABR metric.
We discovered that floating point parsing in the compiler was broken, but that
is now fixed, so a filter like:

   ra - abr -0.0

now works.  We also found out that some getopt() implementations, have moved
to using " -- " as the end of options indicator, so if you use a negative token in
the filter, and you get a syntax error, it maybe that you need to add another dash
to the end of your options.  As a result, in the above example, you may have to do this.

   ra -- abr -0.0

Holler if you find anything that looks unexpected,

Carter

On May 14, 2013, at 9:57 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:

rastream 3.0.7.8, no suser duser

Matt Brown — 2013-05-14T14:50:57

Hello all/Carter,

I am using rastream to write argus data to files.

When I query these files using ra or racluster, suser and duser are
not returning any data.

I'm guessing it isn't being written by rastream which has been started
as follows:

rastream -S 127.0.0.1:561 -B 15s -M time 1h -w
/var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh

How do I use rastream to record N bytes of suser and duser?


Thanks,

Matt

Re: Additional rasqlinsert information

Dave Edelman — 2013-05-14T13:57:30

Carter,

Thanks, this is looking much better. I did have to drop the tables that had
the problem data and then everything started to work well.

--Dave

right
the
in