I have been reading Real Digital Forensics and came across the recommended use of Argus ("Audit Record Generation and Utilization System"). Argus provides fast, wide and deep network analysis of pcap files. It took me some time to compile it and start to make sense of it, although there is a relevant and clever wiki page and a good collection of recent articles explaining research, university and real-world use. My discussion below concerns the Argus auditing functionality.
Argus dumps your pcap file into a compressed, argus-formatted file that carries every piece of session information an inquisitive NSM forensic analyst could possibly want from a network trace, including time-slices, TCP options, anonymization, geolocation, and graphing. Here are some basic examples I walked myself through. The first step is to write the pcap file to an argus file using 'argus'.
/usr/local/sbin/argus -d -r 08Mar1142PST2010.in.1268074842 -w 08Mar1142PST2010.in.1268074842.argus
Next I use 'ra' (read argus) to read the packet data. You can specify fields and bpf-style filters. Here I specify (append) a filter ('ip proto 6') for only TCP packets (e.g. grep TCP /etc/protocols):
ra -n -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | less
19:08:09.660222 e s tcp 207.44.254.106.56813 -> 192.168.0.12.3246 3 186 REQ
19:12:01.707471 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ
19:32:55.259094 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ
19:33:44.995964 e tcp 221.192.199.35.12200 -> 192.168.0.12.8000 1 60 REQ
19:34:36.506022 e tcp 221.192.199.35.12200 -> 192.168.0.12.80 1 60 REQ
19:53:52.914418 e tcp 204.236.155.168.12200 -> 192.168.0.12.3246 1 60 REQ
Here I specify source address, destination port and connection state fields with the '-s' option and sort the result by source address and destination port before using 'uniq -c' to rank those fields.
ra -n -s saddr dport state -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | sort -k1,2 -nr | uniq -c | sort -nr | less
149 221.195.73.86 8000 REQ
100 192.168.0.12 80 ACC
81 222.45.112.59 2479 REQ
80 222.45.112.59 8085 REQ
80 222.45.112.59 3246 REQ
76 204.236.155.168 3246 REQ
I am using 'rasort' to do something similar here, but appending grep to filter only those source addresses with a connected state.
rasort -n -s saddr dport state -r 08Mar1142PST2010.in.1268074842.argus - ip proto 6 | sort -k1 -nr | uniq -c | sort -nr | grep CON | less
14 74.125.19.19 19412 CON
14 74.125.19.17 20073 CON
13 85.13.200.108 19216 CON
13 85.13.200.108 19024 CON
13 74.125.19.83 19145 CON
13 74.125.19.83 18961 CON
I am not quite clear when to use 'rasort' versus 'ra' with sort and uniq appended. There is also 'ratop'. It may take some time to sort out the best scripts for top talkers. Like 'ra', I can tell 'rasort' to include specific fields (-s switch) and then specify the field(s) to sort by (-m switch). I am still using 'uniq -c | sort -r'.
rasort -s saddr dport proto bytes stat -m dport saddr -r 08Mar1142PST2010.in.1268074842.argus | grep -v -f file | uniq -c | sort -r | less
149 221.195.73.86 8000 tcp 60 REQ
81 222.45.112.59 2479 tcp 60 REQ
80 222.45.112.59 8085 tcp 60 REQ
80 222.45.112.59 3246 tcp 60 REQ
76 204.236.155.168 3246 tcp 60 REQ
76 222.45.112.59 9415 tcp 60 REQ
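The 'sort | uniq -c | sort -nr' ranking above, and the grep for CON versus REQ, are easy to reproduce in a small script once you have 'ra -s saddr dport state' output in hand. The following is an added example written for this post, not Argus code and not part of the original; it parses a constructed sample of that three-column output, ranks (saddr, dport, state) tuples the way the pipeline does, and summarizes per source how many flows ended as unanswered requests (REQ) versus completed connections (CON) and how many distinct destination ports were touched. The 'min_ports' threshold and the "REQ-only across several ports" triage rule are assumptions of this example, not an Argus feature.

```python
"""Rank Argus 'ra -s saddr dport state' output and separate unanswered
requests (REQ) from completed connections (CON) per source address."""
from collections import Counter, defaultdict

# Constructed sample of what `ra -n -s saddr dport state - ip proto 6` prints:
# one flow per line, whitespace-separated columns saddr, dport, state.
# The addresses and counts are invented for this example.
SAMPLE_RA_OUTPUT = """\
221.195.73.86 8000 REQ
221.195.73.86 8000 REQ
221.195.73.86 8000 REQ
222.45.112.59 2479 REQ
222.45.112.59 8085 REQ
222.45.112.59 3246 REQ
222.45.112.59 9415 REQ
74.125.19.19 19412 CON
74.125.19.19 19412 CON
192.168.0.12 80 ACC
"""


def parse_ra_lines(text):
    """Yield (saddr, dport, state) tuples from ra output.

    Blank lines are skipped, and so is a column-header line (such as
    'SrcAddr Dport State') since its dport column is not numeric.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        saddr, dport, state = parts
        if not dport.isdigit():
            continue
        yield saddr, int(dport), state


def rank_flows(text):
    """Equivalent of `sort | uniq -c | sort -nr` on (saddr, dport, state).

    Returns a list of ((saddr, dport, state), count), most frequent first;
    ties are broken by the tuple itself so the order is deterministic.
    """
    counts = Counter(parse_ra_lines(text))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def per_source_summary(text):
    """Per source address: flow count by state and number of distinct dports."""
    by_state = defaultdict(Counter)
    ports = defaultdict(set)
    for saddr, dport, state in parse_ra_lines(text):
        by_state[saddr][state] += 1
        ports[saddr].add(dport)
    return {
        saddr: {"states": dict(by_state[saddr]), "distinct_dports": len(ports[saddr])}
        for saddr in by_state
    }


def unanswered_request_sources(text, min_ports=3):
    """Triage heuristic (an assumption of this example): sources whose flows
    are all unanswered requests (REQ, never CON) spread over at least
    min_ports distinct destination ports are worth a closer look."""
    flagged = []
    for saddr, info in per_source_summary(text).items():
        req = info["states"].get("REQ", 0)
        con = info["states"].get("CON", 0)
        if req and not con and info["distinct_dports"] >= min_ports:
            flagged.append(saddr)
    return sorted(flagged)


if __name__ == "__main__":
    # Same layout as the `uniq -c` output in the post: count, saddr, dport, state.
    for (saddr, dport, state), n in rank_flows(SAMPLE_RA_OUTPUT):
        print(f"{n:4d} {saddr} {dport} {state}")
    print("REQ-only sources across several ports:",
          unanswered_request_sources(SAMPLE_RA_OUTPUT))
```

To run it against real data, pipe 'ra -n -s saddr dport state -r file.argus - ip proto 6' into a file and pass its contents to these functions instead of the constructed sample; the column layout is what the '-s' switch in the post produces.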
So here I apply a bpf filter for dst port 22 and the '-z' option to see TCP state changes (with '-nn' the protocol is also left as its number, 6, rather than resolved to tcp):
rasort -nn -s saddr dport proto bytes state -m dport saddr -z -r 08Mar1142PST2010.in.1268074842.argus - dst port 22 | uniq -c | sort -nr
3 125.141.195.190 22 6 62 s
3 114.202.247.235 22 6 62 s
3 58.217.255.103 22 6 62 s
3 97.163.189.33 22 6 62 s
2 94.158.184.183 22 6 62 s
2 61.151.246.140 22 6 62 s
Argus, baby!! Fast, wide and deep!!