gmane.network.argus

argus-clients-3.0.7.10 on the dev server

Carter Bullard — 2013-05-21T03:22:17

Gentle people,
I've uploaded argus-clients-3.0.7.10 to the development server.
This fixes all the known bugs reported, except the report today regarding
rastream().  This includes, raservices() signature limits, fixes to the
" delayed " filter compiler reporting syntax errors, removal of the
syslog error for "timestamps wayyyy out of range" error reports,
radump() problems when there isn't any user data, fixes to flow key
processing when using RMON aggregation, and CIDR address issues.

   http://qosient.com/argus/dev/argus-clients-3.0.7.10.tar.gz

Please give this version a try.  I'd like to make it are the next round the
nex argus-clients-3.0.8 stable version.

Hope all is most excellent,

Carter

Rastream doesn't rotate properly when daemonied?

Matt Brown — 2013-05-20T18:42:28

Hello All:





I am having a problem with rastream that's manifested itself when using the
-f "shell script executor" argument to rotate files at 'time
1h<x-apple-data-detectors://0>
'.





If I run rastream as a daemon, then the script seems to run before the
"hour" is over (and the "hour" is over at the incorrect time):

# rastream -d -S 127.0.0.1:561 -B 15s -M time 1h<x-apple-data-detectors://1> -w
/var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh



A few hours' files look like:



# ls --full-time /var/opt/argus/2013-05-18

total 3728

-rw-r--r--. 1 root  18752 2013-05-18 01:00:59.556839459 -0400
argus_00:00:00<x-apple-data-detectors://3>

-rw-r--r--. 1 root 160607 2013-05-18 01:00:17.793286000 -0400
argus_00:00:00.gz

-rw-r--r--. 1 root  12068 2013-05-18 02:00:59.619364943 -0400
argus_01:00:00<x-apple-data-detectors://6>

-rw-r--r--. 1 root 163409 2013-05-18 02:00:17.943700000 -0400
argus_01:00:00.gz

-rw-r--r--. 1 root   9032 2013-05-1803:01:00.579907536 -0400
argus_02:00:00<x-apple-data-detectors://9>

-rw-r--r--. 1 root 122920 2013-05-18 03:00:17.834317000 -0400
argus_02:00:00.gz

-rw-r--r--. 1 root  22092 2013-05-18 04:01:00.698357771 -0400
argus_03:00:00<x-apple-data-detectors://12>

-rw-r--r--. 1 root 122002 2013-05-18 04:00:17.835675000 -0400
argus_03:00:00.gz

-rw-r--r--. 1 root  17704 2013-05-18 05:01:00.450618851 -0400
argus_04:00:00<x-apple-data-detectors://15>

-rw-r--r--. 1 root 133212 2013-05-18 05:00:17.742040000 -0400
argus_04:00:00.gz

-rw-r--r--. 1 root  14592 2013-05-18 06:00:54.886285774 -0400
argus_05:00:00<x-apple-data-detectors://18>

-rw-r--r--. 1 root 160523 2013-05-18 06:00:17.562776000 -0400
argus_05:00:00.gz



It looks like the gzipped file is last modified before the hour file, which
leads me to believe that rastream isn't finished writing to the argus file
before -f[] is executed.





If I run rastream as follows, I have no problem:

# nohup rastream -S 127.0.0.1:561 -B 15s -M time
1h<x-apple-data-detectors://20> -w
/var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh &



A few hours' files look like:



#  ls --full-time /var/opt/argus/2013-05-20

total 5372

-rw-r--r--. 1 root 217245 2013-05-20 10:00:17.573908000 -0400
argus_09:00:00.gz

-rw-r--r--. 1 root   6377 2013-05-2011:00:17.762140000 -0400
argus_10:00:00.gz

-rw-r--r--. 1 root   9269 2013-05-2011:38:08.879810000 -0400
argus_11:00:00.gz

-rw-r--r--. 1 root    313 2013-05-2013:00:17.170958000 -0400
argus_12:00:00.gz

-rw-r--r--. 1 root   8965 2013-05-2014:00:17.540889000 -0400
argus_13:00:00.gz



(early day over there)







I have verified that the system time is correct and ntpd is running
properly.



Clients are 3.0.7.9.





Carter, do you have any ideas?





Thanks,



Matt

Re: Ra - filter syntax error

Carter Bullard — 2013-05-20T14:01:49

Hey Elof,
Great, and thanks for the info.  While the clients will be blocked waiting for the filter to be compiled, because this is structured as a deadman timer, if the compiler returns quickly, there won't be any delay.

For remote accesses, we don't connect until we've compiled the filter.  The logic is if we can't compile the filter, the remote won't be able to either...so a long time wait for the local compiler won't over run us with data.

I'll make it 1sec in the code base until I hear otherwise.
Carter


On May 20, 2013, at 7:41 AM, elof2< at >sentor.se wrote:

Ra - filter syntax error

2013-05-20T11:41:56

Carter and I have discussed a very unusual error message; "filter syntax 
error", which may show up if the machine is HEAVILY burdened, like 
swapping a lot and/or receiving tons of interrupts, while feeding a long 
and complex filter expression to a ra* process.


I suggest that Carter add a specific error message for this 
particular scenario, logging the message "filter compilation timeout" 
instead of the generic "filter syntax error".



During the weekend I've had cron start ra with a long and complex filter 
string every 5 minutes.
With a timeout of 500ms, I had 9 "filter syntax error" in 34 hours.
(on an old Intel Xeon 3050 < at > 2.13GHz machine from 2008)
(with 200ms I suspect I would have had approx 300 warnings)


So to prevent this message to appear "too often" on choked machines, you 
could increase the wait.tv_usec to 750000  ...or even higher if a higher 
value doesn't introduce any overall negative impact on ra*.



I now upped the timeout to 900000 just to see if that is enough to quell 
even those 9 warnings.

/Elof

Re: raservices ((doesn't crash)) when processing

Matt Brown — 2013-05-17T18:25:58

With the 3.0.7.10 release, will you also change the ARGUSMAXSIGFILE in
../clients/include/argus_client.h ?


On May 17, 2013, at 12:32 PM, Carter Bullard <carter< at >qosient.com> wrote:

Hey Dave,
Its not ArgusMergeLabels() that has a problem.  raservices() is munging the
string that  ArgusMergeLabels() returns.  Copy this version of raservices.c,
to ./examples/raservices, and re-make.  Should fix things.

Carter

<raservices.c>



On May 17, 2013, at 11:42 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Carter,

I have it working but I think that there is a problem with ArgusMergeLabels()
when it is set for ArgusUnion. If you look at the attached file, it seems
that the buffer is not being cleared correctly. I am running raservices
againstunclustered flow records that have been labeled by radium as they
arrive from the argus collector. I can provide the equivalent ra output if
you want, that’s why I included the offset.

--Dave


*From:* Carter Bullard [mailto:carter< at >qosient.com]
*Sent:* Thursday, May 16, 2013 11:14 AM
*To:* Dave Edelman
*Cc:* 'Matt Brown'; argus-info< at >lists.andrew.cmu.edu
*Subject:* Re: [ARGUS] raservices crashes when processing

Hey Dave,
Of course, everything in the clients has a constant defined somewhere.
Change the value of ARGUSMAXSIGFILE in ./include/argus_client.h to
something like this:

==== //depot/argus/clients/include/argus_client.h#64 -
/Volumes/Users/carter/argus/clients/include/argus_client.h ====
142c142
< #define ARGUSMAXSIGFILE               2048
---


Carter

On May 16, 2013, at 8:51 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:


The std.sig is fine but it is 435 lines long.
If I use rauserdata to create a filter file which is longer than 2048 lines
(including empty lines) raservices segfaults. If I take the first middle or
last 2048 lines of my filter file, raservices is fine. If I remove all of
the blank lines from my filter file I can still use any 2048 lines with no
problem but raservices segfaults on 2049 lines in the filter file.

--Dave

*From:* Carter Bullard [mailto:carter< at >qosient.com]
*Sent:* Thursday, May 16, 2013 8:37 AM
*To:* Dave Edelman
*Cc:* Matt Brown; <argus-info< at >lists.andrew.cmu.edu>
*Subject:* Re: [ARGUS] raservices crashes when processing

Hey Dave,
Not sure that I follow your situation.  So you're having problems with the
provided sig.std or one you created?

Carter


On May 15, 2013, at 8:59 PM, "Dave Edelman" <dedelman< at >iname.com> wrote:

I had the same results so I looked at an example in the argus-client
distribution. /support/Config/std.sig has this header:

#  Services fingerprint file, generated by:
#      rauserdata -d16 -e encode32
#
#  with modifications.
#

The –e option is for regular expression pattern matching so I replaced it
with  -M printer=’encode32’ and I didn’t use a –d parameter and the output
looked much closer to the sample. I can now get raservices to core dump
reliably with a segfault.

When I use the sample signature file and I tell raservices to output the
label by using the –s +label:50 I do get a bunch of labels with the value
srv=xxxxxx

My data is already the output of a day’s worth of flows run through
racluster.

raservices -r argusTestData_2013_05_09  -f std.sig -s +label:50

2013-05-09-01:28:18.230  *U          udp          10.1.1.50 61266
->          10.1.1.10 disca*        1        0         148
0              INT
            srv=ndmp
2013-05-09-16:10:32.206  *U          udp          10.1.1.50 61389
  ->          10.1.1.10 disca*        1        0         148
0              INT
            srv=ndmp

So I took the first 500 lines of my filter file and attempted to use that
rather than the full file
head -500 userdata.out > smallUesrData
raservices -r argusTestData_2013_05_09  -f smallUesrData  -s +label:50  |
head -30
              StartTime      Flgs  Proto            SrcAddr  Sport
Dir            DstAddr  Dport  SrcPkts  DstPkts
SrcBytes    DstBytes            State
               Label
2013-05-09-23:00:03.294              man                  0
0                        0      0        0        0            0
0              STA
2013-05-09-00:00:01.993  * d         tcp          10.1.1.45 50899
<?>          10.1.1.10 micro*  9075967 13492977   1560166894
15748525452              CON
    srv=microsoft-ds
2013-05-09-00:00:28.890  * &         tcp          10.1.1.50 iad3
<?>          10.1.1.10 micro*  2034770 2870198    349463675
3595651910              CON
    srv=microsoft-ds

Now for the  binary search J  my filter file has 4316 lines.  If I use the
first 2048 I am fine, 2049 ends us with a segfault. I delete the first 100
lines of the original file and the first 2048 still works and 2049 still
dies. This could be a clue.

--Dave






*From:* argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu [
mailto:argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu<argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu>
] *On Behalf Of *Matt Brown
*Sent:* Wednesday, May 15, 2013 5:56 PM
*To:* argus-info< at >lists.andrew.cmu.edu
*Subject:* [ARGUS] raservices crashes when processing

Hello all,

I took a day's worth of argus data and, as suggested on
http://thread.gmane.org/gmane.network.argus/6228/focus=6234, I analyzed it
with rauserdata as follows:

#racluster -r * -w day.cache
#rauserdata -r day.cache > /tmp/raservices.conf


I then inspected /tmp/raservices.conf and it's messy (lots of single lines
with arbirary ports, likely sport maybe rpc?), but I figured why not give
raservices a shot:

#racluster -r * -w - | raservices -f raservices.conf

I receive the following error:
raservices[21315]: 16:51:00.727719 RaCreateSrvEntry: format error Service:
http


I straced the process, and I see no occurances of "http" in the output
(other than the writev()); the data appears to be read correctly until a
blank line is read [read(3, "", 4096)                       = 0]:

read(3, "\"  \n\nService: 48956             "..., 4096) = 4096
read(3, "...xxxxxx"  dst ="..., 4096) = 4096
read(3, "xxxx"..., 4096) = 689
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb766e000, 4096)                = 0
gettimeofday({1368651683, 272271}, NULL) = 0
time(NULL)                              = 1368651683
writev(2, [{"raservices[21523]: 17:01:23.2722"..., 79}, {"\n", 1}],
2raservices[21523]: 17:01:23.272271 RaCreateSrvEntry: format error Service:
http
) = 80


Any idea on why this would be?  Is my data processing flow incorrect?


Both clients are 3.0.7.8.


Thanks,

Matt

argus data labels and DNS names

Carter Bullard — 2013-05-17T17:51:22

Hey Dave,
I see that you're putting name resolutions in your flow data labels.  Good idea…
There are a lot of buttons and dials for name lookups in argus and the clients.
Now that someone is doing this on the list, we should turn this stuff on for labels.

In the new clients that I'll put up tonight/tomorrow, there are a few new
variables in the ./support/Config/ralabel.conf file to turn on/off various DNS
functions.

We have a non-blocking DNS resolver in the library, and clients like ratop() and
rasqlinsert() currently use it so that they are not blocking, waiting for the DNS query to
return. There is a new variable to turn that on or off.  If you MUST have a
DNS name at the time of labeling, then you would set this to "no".  If you
can handle lazy lookups, which keeps radium() going fast, then I would set
this to "yes".

There are a few new variables to specify what you want in the name,
host name only (truncate the domain name) or just the domain name
(snip off the leading chars upto the first ' . ').  These can be helpful.

Currently, radium(), when it does name lookups, caches the name …..
forever.  A name cache timeout can be useful, especially since programs
like radium() can run for a long time.  0 means turn the cache off, which
can be expensive.  -1 will yield an infinite cache.

Give these a try, when they come out in argus-clients-3.0.7.10, later today/tomorrow.

Carter


On May 17, 2013, at 12:32 PM, Carter Bullard <carter< at >qosient.com> wrote:

Re: raservices crashes when processing

Carter Bullard — 2013-05-17T16:32:33

Hey Dave,
Its not ArgusMergeLabels() that has a problem.  raservices() is munging the 
string that  ArgusMergeLabels() returns.  Copy this version of raservices.c,
to ./examples/raservices, and re-make.  Should fix things.

Carter



On May 17, 2013, at 11:42 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Re: raservices crashes when processing

Dave Edelman — 2013-05-17T15:42:16

Carter,
 
I have it working but I think that there is a problem with
ArgusMergeLabels() when it is set for ArgusUnion. If you look at the
attached file, it seems that the buffer is not being cleared correctly. I am
running raservices against unclustered flow records that have been labeled
by radium as they arrive from the argus collector. I can provide the
equivalent ra output if you want, that's why I included the offset.
 
--Dave
 
 
From: Carter Bullard [mailto:carter< at >qosient.com] 
Sent: Thursday, May 16, 2013 11:14 AM
To: Dave Edelman
Cc: 'Matt Brown'; argus-info< at >lists.andrew.cmu.edu
Subject: Re: [ARGUS] raservices crashes when processing
 
Hey Dave,
Of course, everything in the clients has a constant defined somewhere.
Change the value of ARGUSMAXSIGFILE in ./include/argus_client.h to
something like this:
 
==== //depot/argus/clients/include/argus_client.h#64 -
/Volumes/Users/carter/argus/clients/include/argus_client.h ====
142c142
< #define ARGUSMAXSIGFILE               2048
---
 
 
Carter
 
On May 16, 2013, at 8:51 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:



The std.sig is fine but it is 435 lines long.
If I use rauserdata to create a filter file which is longer than 2048 lines
(including empty lines) raservices segfaults. If I take the first middle or
last 2048 lines of my filter file, raservices is fine. If I remove all of
the blank lines from my filter file I can still use any 2048 lines with no
problem but raservices segfaults on 2049 lines in the filter file.
 
--Dave
 
From: Carter Bullard [mailto:carter< at >qosient.com] 
Sent: Thursday, May 16, 2013 8:37 AM
To: Dave Edelman
Cc: Matt Brown; <argus-info< at >lists.andrew.cmu.edu>
Subject: Re: [ARGUS] raservices crashes when processing
 
Hey Dave,
Not sure that I follow your situation.  So you're having problems with the
provided sig.std or one you created?
 
Carter

On May 15, 2013, at 8:59 PM, "Dave Edelman" < <mailto:dedelman< at >iname.com>
dedelman< at >iname.com> wrote:
I had the same results so I looked at an example in the argus-client
distribution. /support/Config/std.sig has this header:
 
#  Services fingerprint file, generated by:
#      rauserdata -d16 -e encode32
#
#  with modifications.
#
 
The -e option is for regular expression pattern matching so I replaced it
with  -M printer='encode32' and I didn't use a -d parameter and the output
looked much closer to the sample. I can now get raservices to core dump
reliably with a segfault.
 
When I use the sample signature file and I tell raservices to output the
label by using the -s +label:50 I do get a bunch of labels with the value
srv=xxxxxx
 
My data is already the output of a day's worth of flows run through
racluster.
 
raservices -r argusTestData_2013_05_09  -f std.sig -s +label:50
 
2013-05-09-01:28:18.230  *U          udp          10.1.1.50 61266     ->
10.1.1.10 disca*        1        0         148            0              INT
            srv=ndmp
2013-05-09-16:10:32.206  *U          udp          10.1.1.50 61389     ->
10.1.1.10 disca*        1        0         148            0              INT
            srv=ndmp
 
So I took the first 500 lines of my filter file and attempted to use that
rather than the full file
head -500 userdata.out > smallUesrData
raservices -r argusTestData_2013_05_09  -f smallUesrData  -s +label:50  |
head -30
              StartTime      Flgs  Proto            SrcAddr  Sport   Dir
DstAddr  Dport  SrcPkts  DstPkts     SrcBytes    DstBytes            State
               Label
2013-05-09-23:00:03.294              man                  0      0
0      0        0        0            0            0              STA
2013-05-09-00:00:01.993  * d         tcp          10.1.1.45 50899    <?>
10.1.1.10 micro*  9075967 13492977   1560166894  15748525452
CON
    srv=microsoft-ds
2013-05-09-00:00:28.890  * &         tcp          10.1.1.50 iad3     <?>
10.1.1.10 micro*  2034770 2870198    349463675   3595651910              CON
    srv=microsoft-ds
 
Now for the  binary search J  my filter file has 4316 lines.  If I use the
first 2048 I am fine, 2049 ends us with a segfault. I delete the first 100
lines of the original file and the first 2048 still works and 2049 still
dies. This could be a clue.
 
--Dave
 
 
 
 
 
 
From:  <mailto:argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu>
argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu [
<mailto:argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu>
mailto:argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu] On Behalf
Of Matt Brown
Sent: Wednesday, May 15, 2013 5:56 PM
To:  <mailto:argus-info< at >lists.andrew.cmu.edu>
argus-info< at >lists.andrew.cmu.edu
Subject: [ARGUS] raservices crashes when processing
 
Hello all,
 
I took a day's worth of argus data and, as suggested on
<http://thread.gmane.org/gmane.network.argus/6228/focus=6234>
http://thread.gmane.org/gmane.network.argus/6228/focus=6234, I analyzed it
with rauserdata as follows:
 
#racluster -r * -w day.cache
#rauserdata -r day.cache > /tmp/raservices.conf
 
 
I then inspected /tmp/raservices.conf and it's messy (lots of single lines
with arbirary ports, likely sport maybe rpc?), but I figured why not give
raservices a shot:
 
#racluster -r * -w - | raservices -f raservices.conf
 
I receive the following error:
raservices[21315]: 16:51:00.727719 RaCreateSrvEntry: format error Service:
http
 
 
I straced the process, and I see no occurances of "http" in the output
(other than the writev()); the data appears to be read correctly until a
blank line is read [read(3, "", 4096)                       = 0]:
 
read(3, "\"  \n\nService: 48956             "..., 4096) = 4096
read(3, "...xxxxxx"  dst ="..., 4096) = 4096
read(3, "xxxx"..., 4096) = 689
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb766e000, 4096)                = 0
gettimeofday({ <tel:1368651683> 1368651683, 272271}, NULL) = 0
time(NULL)                              =  <tel:1368651683> 1368651683
writev(2, [{"raservices[21523]: 17:01:23.2722"..., 79}, {"\n", 1}],
2raservices[21523]: 17:01:23.272271 RaCreateSrvEntry: format error Service:
http
) = 80
 
 
Any idea on why this would be?  Is my data processing flow incorrect?
 
 
Both clients are 3.0.7.8.
 
 
Thanks,
 
Matt

Re: raservices crashes when processing

Carter Bullard — 2013-05-16T16:53:59

Hey Matt,
Well 2K of signatures is too small, obviously, so, thanks for starting that fix.
But, if you don't mind, using the word crash is not good, so lets use the word
" fails ", unless, of course, it really does crash, then crash is the best term ;O)

So rauserdata() is designed to generate upto 16 signatures per application.
While it does want to try to leverage port numbers as application identifiers,
and since there are 64K ports, we probably should be ready for .5M of flows,
I suppose.  Just didn't want to allocate a chunk of memory, and not use it.

You don't need to aggregate the flows to build signatures, or to label
traffic.  I don't really recommend it, but it is a good starting point so, no
harm, no foul. 

Flows can change their character during the life of the flow, but if
you aggregate, you will only match on the " first X bytes " in the
flow.  The feature is really designed to allow you to continuously
monitor flows for application conformance, allow you to know if
the application is still what it started out to be.  Now, of course
there are some flows that start out as one thing, and end up
doing something else.  Starts out http, but downloads code, video,
audio, etc… would be nice to know that it does that.

One of the ways that I demonstrated this feature, was to ftp some
large directories that had lots of different file types, including argus
data, encrypted payloads, packet data, etc…   With argus generating
1-5 second status records, and graphing the services label that
raservices() generated for the status records, you could see when
the ftp changed file types, and the labels would reflect the content
types of the file….  Pretty cool.

Carter


On May 16, 2013, at 11:58 AM, Matt Brown <matthewbrown< at >gmail.com> wrote:

Re: raservices crashes when processing

Matt Brown — 2013-05-16T15:58:51

Good Morning Carter,





As far as collecting user data, looks good to me:



# radump -r * -s suser duser | wc -l

195492

# radump -r * -s suser duser | grep 's\[0\]=""' | wc -l

36307

# radump -r * -s suser duser | grep 's\[[1-9].*' | wc -l

159184



I used the data file produced with rastream:

rastream -d -S 127.0.0.1:561 -B 15s -M time 1h <x-apple-data-detectors://1> -w
/var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh



argus running as:

argus -d -i eth0 -P 561



argus.conf with ARGUS_CAPTURE_DATA_LEN set:

# cat /etc/argus.conf | egrep -v '^$|^[#]'

ARGUS_FLOW_TYPE="Bidirectional"

ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"

ARGUS_MONITOR_ID="..." #         // String

ARGUS_SET_PID=yes

ARGUS_PID_PATH="/var/run"

ARGUS_FLOW_STATUS_INTERVAL=60

ARGUS_MAR_STATUS_INTERVAL=300

ARGUS_CAPTURE_DATA_LEN=256







Working off the contents of ../support/Config/sig.std and Dave's great
advice, I performed the following:

# racluster -r * -w day.cache

# rauserdata -r day.cache -M printer="encode32" > /tmp/raservices.conf



Even without editing the file (clearly needs to be analyzed and thinned
down to be useful), I tried to run raservices to analyze some data:



# racluster -r * -s saddr daddr dport suser duser -w - | raservices -f
/tmp/raservices.conf

and it segfaults… (as with Dave)



# racluster -r * -N 50 -s saddr daddr dport suser duser -w - | raservices
-f ~/argus-clients-3.0.7.8/support/Config/std.sig -s saddr daddr dport
bytes label:20

.. produces though and is really very cool!





Thanks for drilling into the problem Dave!

Thanks Carter for the solution: adjusting '#define ARGUSMAXSIGFILE` in
../clients/include/argus_client.h then recompiling

I suppose the file should not need to be larger than 2048 anyway, right?





Does anyone have any interest sharing their own raservice conf file?





I also performed what Dave explained, encoding to all other data types, and
'hex' seems to be accepted by raservices, but segfaults (without changing
ARGUSMAXSIGFILE from 2048):

rauserdata -r day.cache -M printer="hex" | head -n 50 > /tmp/raservices.conf

racluster -r * -s saddr daddr dport suser duser -w - | raservices -f
/tmp/raservices.conf -s saddr daddr dport bytes label:20





So, the raservices conf file should be only as large as it needs to be to
define suser and duser contents as a protocol.  It can contain data encoded
in 32 bit chars, or maybe hex, and if it's over 2048 bytes, you must adjust
the constant and recompile the clients.  Sounds right?





Thanks very much guys!



Matt

On May 16, 2013, at 8:30 AM, Carter Bullard <carter< at >qosient.com> wrote:

Hey Matt,
This is not a crash, which is a programatic unrecoverable fault.  You just
didn't generate a good raservices() configuration file.

Try using the provided ./support/Config/sig.std, as a starting point for
raservices(), to see if you can get good labels?

Are you sucessfully generating user data yet?

Carter

On May 15, 2013, at 5:55 PM, Matt Brown <matthewbrown< at >gmail.com> wrote:

Hello all,



I took a day's worth of argus data and, as suggested on
http://thread.gmane.org/gmane.network.argus/6228/focus=6234, I analyzed it
with rauserdata as follows:



#racluster -r * -w day.cache

#rauserdata -r day.cache > /tmp/raservices.conf





I then inspected /tmp/raservices.conf and it's messy (lots of single lines
with arbirary ports, likely sport maybe rpc?), but I figured why not give
raservices a shot:



#racluster -r * -w - | raservices -f raservices.conf



I receive the following error:

raservices[21315]: 16:51:00.727719 RaCreateSrvEntry: format error Service:
http





I straced the process, and I see no occurances of "http" in the output
(other than the writev()); the data appears to be read correctly until a
blank line is read [read(3, "", 4096)                       = 0]:



read(3, "\"  \n\nService: 48956             "..., 4096) = 4096

read(3, "...xxxxxx"  dst ="..., 4096) = 4096

read(3, "xxxx"..., 4096) = 689

read(3, "", 4096)                       = 0

close(3)                                = 0

munmap(0xb766e000, 4096)                = 0

gettimeofday({1368651683, 272271}, NULL) = 0

time(NULL)                              = 1368651683

writev(2, [{"raservices[21523]: 17:01:23.2722"..., 79}, {"\n", 1}],
2raservices[21523]: 17:01:23.272271 RaCreateSrvEntry: format error Service:
http

) = 80





Any idea on why this would be?  Is my data processing flow incorrect?





Both clients are 3.0.7.8.





Thanks,



Matt

Re: raservices crashes when processing

Carter Bullard — 2013-05-16T15:13:35

Hey Dave,
Of course, everything in the clients has a constant defined somewhere.
Change the value of ARGUSMAXSIGFILE in ./include/argus_client.h to
something like this:

==== //depot/argus/clients/include/argus_client.h#64 - /Volumes/Users/carter/argus/clients/include/argus_client.h ====
142c142
< #define ARGUSMAXSIGFILE2048
---


Carter

On May 16, 2013, at 8:51 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Re: raservices crashes when processing

Dave Edelman — 2013-05-16T12:51:50

The std.sig is fine but it is 435 lines long. 
If I use rauserdata to create a filter file which is longer than 2048 lines (including empty lines) raservices segfaults. If I take the first middle or last 2048 lines of my filter file, raservices is fine. If I remove all of the blank lines from my filter file I can still use any 2048 lines with no problem but raservices segfaults on 2049 lines in the filter file.

--Dave

From: Carter Bullard [mailto:carter< at >qosient.com] 
Sent: Thursday, May 16, 2013 8:37 AM
To: Dave Edelman
Cc: Matt Brown; <argus-info< at >lists.andrew.cmu.edu>
Subject: Re: [ARGUS] raservices crashes when processing

Hey Dave,
Not sure that I follow your situation.  So you're having problems with the provided sig.std or one you created?

Carter

On May 15, 2013, at 8:59 PM, "Dave Edelman" <dedelman< at >iname.com> wrote:
I had the same results so I looked at an example in the argus-client distribution. /support/Config/std.sig has this header:

#  Services fingerprint file, generated by:
#      rauserdata -d16 -e encode32
#
#  with modifications.
#

The –e option is for regular expression pattern matching so I replaced it with  -M printer=’encode32’ and I didn’t use a –d parameter and the output looked much closer to the sample. I can now get raservices to core dump reliably with a segfault. 

When I use the sample signature file and I tell raservices to output the label by using the –s +label:50 I do get a bunch of labels with the value srv=xxxxxx

My data is already the output of a day’s worth of flows run through racluster.

raservices -r argusTestData_2013_05_09  -f std.sig -s +label:50

2013-05-09-01:28:18.230  *U          udp          10.1.1.50 61266     ->          10.1.1.10 disca*        1        0          148            0              INT
            srv=ndmp
2013-05-09-16:10:32.206  *U          udp          10.1.1.50 61389     ->          10.1.1.10 disca*        1        0          148            0              INT
            srv=ndmp

So I took the first 500 lines of my filter file and attempted to use that rather than the full file
head -500 userdata.out > smallUesrData
raservices -r argusTestData_2013_05_09  -f smallUesrData  -s +label:50  | head -30
              StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes            State
               Label
2013-05-09-23:00:03.294              man                  0      0                        0      0        0        0            0            0              STA
2013-05-09-00:00:01.993  * d         tcp          10.1.1.45 50899    <?>          10.1.1.10 micro*  9075967 13492977   1560166894  15748525452              CON
    srv=microsoft-ds
2013-05-09-00:00:28.890  * &         tcp          10.1.1.50 iad3     <?>          10.1.1.10 micro*  2034770  2870198    349463675   3595651910              CON
    srv=microsoft-ds

Now for the  binary search J  my filter file has 4316 lines.  If I use the first 2048 I am fine, 2049 ends us with a segfault. I delete the first 100 lines of the original file and the first 2048 still works and 2049 still dies. This could be a clue.

--Dave 

From: argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu] On Behalf Of Matt Brown
Sent: Wednesday, May 15, 2013 5:56 PM
To: argus-info< at >lists.andrew.cmu.edu
Subject: [ARGUS] raservices crashes when processing

Hello all,

I took a day's worth of argus data and, as suggested on http://thread.gmane.org/gmane.network.argus/6228/focus=6234, I analyzed it with rauserdata as follows:

#racluster -r * -w day.cache
#rauserdata -r day.cache > /tmp/raservices.conf

I then inspected /tmp/raservices.conf and it's messy (lots of single lines with arbirary ports, likely sport maybe rpc?), but I figured why not give raservices a shot:

#racluster -r * -w - | raservices -f raservices.conf

I receive the following error:
raservices[21315]: 16:51:00.727719 RaCreateSrvEntry: format error Service: http

I straced the process, and I see no occurances of "http" in the output (other than the writev()); the data appears to be read correctly until a blank line is read [read(3, "", 4096)                       = 0]:

read(3, "\"  \n\nService: 48956             "..., 4096) = 4096
read(3, "...xxxxxx"  dst ="..., 4096) = 4096
read(3, "xxxx"..., 4096) = 689
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb766e000, 4096)                = 0
gettimeofday({1368651683, 272271}, NULL) = 0
time(NULL)                              = 1368651683
writev(2, [{"raservices[21523]: 17:01:23.2722"..., 79}, {"\n", 1}], 2raservices[21523]: 17:01:23.272271 RaCreateSrvEntry: format error Service: http
) = 80

Any idea on why this would be?  Is my data processing flow incorrect?

Both clients are 3.0.7.8.

Thanks,

Matt

Re: raservices crashes when processing

Carter Bullard — 2013-05-16T12:37:23

Hey Dave,
Not sure that I follow your situation.  So you're having problems with the provided sig.std or one you created?

Carter

On May 15, 2013, at 8:59 PM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Re: raservices crashes when processing

Carter Bullard — 2013-05-16T12:30:19

Hey Matt,
This is not a crash, which is a programatic unrecoverable fault.  You just didn't generate a good raservices() configuration file.

Try using the provided ./support/Config/sig.std, as a starting point for raservices(), to see if you can get good labels?

Are you sucessfully generating user data yet?

Carter

On May 15, 2013, at 5:55 PM, Matt Brown <matthewbrown< at >gmail.com> wrote:

Anomaly detection

Craig Merchant — 2013-05-16T06:29:38

Carter,

Thank you so much for your analysis of the APT1 threats.  Those emails were extremely educational.

I wanted to pick your brain about a couple of things related to anomaly detection...

We backhaul all remote offices through a central network that Argus can monitor.  Since those remote offices use DHCP, it's hard for Argus to build a reliable model of "normal" behavior by IP address.   And it can't see the MAC addresses of flows from those remote offices.  What's the best approach for anomaly detection in that kind of scenario?  Do you look at the producer/consumer metrics of the whole DHCP subnet and then compare individual flows against that baseline?

What kind of anomaly detection strategy do you use for environments where you have farms of different functional roles - web, MTA, database, etc.?  Do you recommend building a behavioral model by individual host or would you compare individual hosts against a baseline for that class of system?

Thanks.

Craig

Re: raservices crashes when processing

Dave Edelman — 2013-05-16T00:59:23

I had the same results so I looked at an example in the argus-client
distribution. /support/Config/std.sig has this header:
 
#  Services fingerprint file, generated by:
#      rauserdata -d16 -e encode32
#
#  with modifications.
#
 
The -e option is for regular expression pattern matching so I replaced it
with  -M printer='encode32' and I didn't use a -d parameter and the output
looked much closer to the sample. I can now get raservices to core dump
reliably with a segfault. 
 
When I use the sample signature file and I tell raservices to output the
label by using the -s +label:50 I do get a bunch of labels with the value
srv=xxxxxx
 
My data is already the output of a day's worth of flows run through
racluster.
 
raservices -r argusTestData_2013_05_09  -f std.sig -s +label:50
  
2013-05-09-01:28:18.230  *U          udp          10.1.1.50 61266     ->
10.1.1.10 disca*        1        0          148            0
INT
            srv=ndmp
2013-05-09-16:10:32.206  *U          udp          10.1.1.50 61389     ->
10.1.1.10 disca*        1        0          148            0
INT
            srv=ndmp
 
So I took the first 500 lines of my filter file and attempted to use that
rather than the full file
head -500 userdata.out > smallUesrData
raservices -r argusTestData_2013_05_09  -f smallUesrData  -s +label:50  |
head -30
              StartTime      Flgs  Proto            SrcAddr  Sport   Dir
DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes            State
               Label
2013-05-09-23:00:03.294              man                  0      0
0      0        0        0            0            0              STA
2013-05-09-00:00:01.993  * d         tcp          10.1.1.45 50899    <?>
10.1.1.10 micro*  9075967 13492977   1560166894  15748525452
CON
    srv=microsoft-ds
2013-05-09-00:00:28.890  * &         tcp          10.1.1.50 iad3     <?>
10.1.1.10 micro*  2034770  2870198    349463675   3595651910
CON
    srv=microsoft-ds
 
Now for the  binary search J  my filter file has 4316 lines.  If I use the
first 2048 I am fine, 2049 ends us with a segfault. I delete the first 100
lines of the original file and the first 2048 still works and 2049 still
dies. This could be a clue.
 
--Dave 
 
 
 
 
 
 
From: argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com< at >lists.andrew.cmu.edu] On
Behalf Of Matt Brown
Sent: Wednesday, May 15, 2013 5:56 PM
To: argus-info< at >lists.andrew.cmu.edu
Subject: [ARGUS] raservices crashes when processing
 
Hello all,
 
I took a day's worth of argus data and, as suggested on
http://thread.gmane.org/gmane.network.argus/6228/focus=6234, I analyzed it
with rauserdata as follows:
 
#racluster -r * -w day.cache
#rauserdata -r day.cache > /tmp/raservices.conf
 
 
I then inspected /tmp/raservices.conf and it's messy (lots of single lines
with arbirary ports, likely sport maybe rpc?), but I figured why not give
raservices a shot:
 
#racluster -r * -w - | raservices -f raservices.conf
 
I receive the following error:
raservices[21315]: 16:51:00.727719 RaCreateSrvEntry: format error Service:
http
 
 
I straced the process, and I see no occurances of "http" in the output
(other than the writev()); the data appears to be read correctly until a
blank line is read [read(3, "", 4096)                       = 0]:
 
read(3, "\"  \n\nService: 48956             "..., 4096) = 4096
read(3, "...xxxxxx"  dst ="..., 4096) = 4096
read(3, "xxxx"..., 4096) = 689
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb766e000, 4096)                = 0
gettimeofday({1368651683, 272271}, NULL) = 0
time(NULL)                              = 1368651683
writev(2, [{"raservices[21523]: 17:01:23.2722"..., 79}, {"\n", 1}],
2raservices[21523]: 17:01:23.272271 RaCreateSrvEntry: format error Service:
http
) = 80
 
 
Any idea on why this would be?  Is my data processing flow incorrect?
 
 
Both clients are 3.0.7.8.
 
 
Thanks,
 
Matt

raservices crashes when processing

Matt Brown — 2013-05-15T21:55:32

Hello all,



I took a day's worth of argus data and, as suggested on
http://thread.gmane.org/gmane.network.argus/6228/focus=6234, I analyzed it
with rauserdata as follows:



#racluster -r * -w day.cache

#rauserdata -r day.cache > /tmp/raservices.conf





I then inspected /tmp/raservices.conf and it's messy (lots of single lines
with arbirary ports, likely sport maybe rpc?), but I figured why not give
raservices a shot:



#racluster -r * -w - | raservices -f raservices.conf



I receive the following error:

raservices[21315]: 16:51:00.727719 RaCreateSrvEntry: format error Service:
http





I straced the process, and I see no occurances of "http" in the output
(other than the writev()); the data appears to be read correctly until a
blank line is read [read(3, "", 4096)                       = 0]:



read(3, "\"  \n\nService: 48956             "..., 4096) = 4096

read(3, "...xxxxxx"  dst ="..., 4096) = 4096

read(3, "xxxx"..., 4096) = 689

read(3, "", 4096)                       = 0

close(3)                                = 0

munmap(0xb766e000, 4096)                = 0

gettimeofday({1368651683, 272271}, NULL) = 0

time(NULL)                              = 1368651683

writev(2, [{"raservices[21523]: 17:01:23.2722"..., 79}, {"\n", 1}],
2raservices[21523]: 17:01:23.272271 RaCreateSrvEntry: format error Service:
http

) = 80





Any idea on why this would be?  Is my data processing flow incorrect?





Both clients are 3.0.7.8.





Thanks,



Matt

Re: rastream 3.0.7.8, no suser duser

Carter Bullard — 2013-05-15T02:23:37

Hey Matt,
Try this included version of radump.c.  It should fix your bug.
Copy this into ./examples/radump, and recompile.

   % cp radump.c /path/to/your/clients/root/examples/radump
   % cd  /path/to/your/clients/root/examples/radump
   % make
   % ../../bin/radump -r argus.files -s suser

Carter 


Here is the patch, to see the changes.  Not many.....

osiris:radump carter$ p4 diff ...
==== //depot/argus/clients/examples/radump/radump.c#6 - /Users/carter/argus/clients/examples/radump/radump.c ====
298a299,301
308d310
<    if ((user = (struct ArgusDataStruct *)argus->dsrs[ind]) != NULL) {
314c316
<    }
---

Carter 



On May 14, 2013, at 12:09 PM, Carter Bullard <carter< at >qosient.com> wrote:

Re: rastream 3.0.7.8, no suser duser

Carter Bullard — 2013-05-14T16:09:49

Hey Matt,
If your radump() is having problems, send me a small file that has the records
that it dumps on, so I can fix it.  Please send the command line options you're
using, so I can replicate the bug.

radump() will try to decode the contents of the user data buffers, like tcpdump()
decodes packet data, so you can figure out what protocols are running on a
give flow.  We support a good number of protocol decodes, but not all of them,
so you maybe pushing an unknown protocol through radump() or you're not
capturing enough data to fully process a specific header type.

Not sure what radump() will do if there isn't user data to decode… It should be
fine……..

Most people will just printout the contents using ra(), which will simply print
the contents out in ascii.  Most are looking for URL's, DNS names, etc…
which are in ascii.

Carter

On May 14, 2013, at 12:00 PM, Matt Brown <matthewbrown< at >gmail.com> wrote:

Re: rastream 3.0.7.8, no suser duser

Carter Bullard — 2013-05-14T16:01:52

Hey Matt,
Dave is right on.  You have to turn on user data capture at record generation.
… so argus needs to be configured to do so.  You can do that with the -U nnnnn 
option, on the command line, or you can set it in your /etc/argus.conf file,
using the ARGUS_CAPTURE_DATA_LEN=nnn variable setting.

To test that this is the case, you can connect to every component in your
data flow system, and print out your field of interest, to see where they
are, and where they aren't.  If you get back to the component that is
suppose to generate the data element,  and your object is not there,
then, you'll know what needs to be fixed.

When you have an argus data flow system that has a bunch of argi,
being collected and processed by a set of radii, that are labeling,
filtering, stripping, and correlating data, you may need to " debug "
the data train, to figure out what is going on.  So connecting to any
and all at the same time is a helpful way to debug your system.

 Carter


On May 14, 2013, at 11:50 AM, "Dave Edelman" <dedelman< at >iname.com> wrote:

Re: rastream 3.0.7.8, no suser duser

Matt Brown — 2013-05-14T16:00:14

Thanks Dave.

I found a thread where carter suggested using radump to see suser and
duser.  I can see some ARP contents, but radump quickly segfaults. Why
is this?

I'm guessing rastream saves some amount of these fields by default?

I can not see these field contents with ra or racluster.  Does this make sense?


Thanks for the reply,

Matt


On May 14, 2013, at 11:51 AM, Dave Edelman <dedelman< at >iname.com> wrote: