After reading Tao of Network Security Monitoring, and other associated reading, I was all fired up to try getting some session data of my own. (Having a stepdaughter with her own internet-connected PC makes me leery too.)
So I tried argus from ports tree (2.0.6) and didn’t have much luck with it, although in retrospect I’m not sure that it just doesn’t like the tcpdump files I was passing it for some reason. I’ve been keeping all my documentation on this stuff in a private twiki, but I thought some of this information might be useful more generally, so I’m throwing it out onto the internets, Bejtlich-style.
I wasn’t having any luck with argus 2.0.6 – running it as a daemon it exited immediately, writing 256 bytes to the specified output file, and something like argus -r filename gave me no output.
So I recalled that Richard Bejtlich talked about the public beta being available. I grabbed them from ftp://ftp.qosient.com/dev/argus-3.0/ to /usr/local/src (it’s r25) along with the relevant md5 sums. Checked the checksums, good to go.
Then, start with the server. cd into its directory, and I see a configure script, so I’ll run it naively:
spacek# ./configure --prefix=/usr/local/argus-3.0
and it worked so I’ll just do a gmake install and see what happens – hoarked, because install doesn’t depend on build, apparently. gmake && gmake install. That worked, so repeat for argus-clients, and try it out. (Why did I use /usr/local/argus-3.0 for my install path? Call it a habit from my place of work.)
spacek# argus -d -i tun0 -w /nsm/argus/argus.out
spacek# argus: 14 Aug 06 20:32:42.405271 started
Except it didn’t actually daemonize, from dmesg:
tun0: promiscuous mode enabled
pid 33075 (argus), uid 0: exited on signal 11 (core dumped)
tun0: promiscuous mode disabled
So I did a bit of reading and experimented with setting ARGUSHOME (/nsm/argus) – no joy.
The README mentions libpcap 0.9.4 sources, but doesn’t specify if that version is required. So I installed it from ports. Ironically, I’d initially had the 0.9.4 port installed on this machine, but discovered that the argus 2.0.6 port won’t build properly if it’s installed, so I removed it. (Yes, I told the package maintainer.)
It found and used the port version by preference automagically:
checking for local pcap library… checking for pcap.h… yes /usr/local/include
So that’s good. Following the example in the documentation, I did:
spacek# argus -P 561 -U128 -mRS 30 -w $ARGUSHOME/argus.out -d
and that worked just fine. Except it bound to my dc0 interface, which isn’t what I want. I have a PPPoE connection, and dc0 is the interface through which the PPPoE connection goes – it has no IP of its own, and experimenting with ra, all I saw was LLC and PPPoE sessions – not at all what I wanted!
So I tried -i tun0 – and it dumped core again. Hm, maybe the problem all along was the tun0 interface? The tcpdump files I’d tried feeding argus earlier with -r had all been captured off that interface.
By process of elimination, I tried fxp0, and that looked more like it:
spacek# argus -P 561 -U128 -mRS 30 -w $ARGUSHOME/argus.out -d -i fxp0
spacek# ra -r ./argus.out
22:01:25.436695 tcp 192.168.10.1.ssh > 192.168.10.19.53661 1 1 162 66 CON
22:01:25.436897 tcp remoteserverip.imaps > 192.168.10.19.53765 265 146 381424 9991 CON
Only problem is, it’s showing the ssh connection from my laptop to the gateway – while I’m not opposed to monitoring internal traffic too, it’s not really what I want to start out doing. I’m sure I can block that with a bpf filter. I assume that this would see all internal traffic as well (laptop to my wife’s Windows PC, for instance), which I could probably eliminate with another bpf filter or else by removing promisc mode on the interface when argus starts up.
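As an added example (not code from the original post, and not part of argus itself), here is one way to do the "drop the internal-only flows" step as post-processing of the default ra text output shown above, plus the equivalent BPF expression to hand to ra instead. Everything it assumes is labelled: the home network is taken to be 192.168.10.0/24 from the addresses printed above, the remote IMAPS server address 203.0.113.10 and the extra udp line are constructed stand-ins, and the note that ra accepts a filter expression after a lone "-" is the syntax I understand the ra client to use.

```python
"""Classify flows in default-format `ra` output as internal-only or not.

Added example, not from the original post: post-process `ra -r argus.out`
text so that flows with both endpoints inside the home network are dropped,
leaving only traffic that actually crosses the gateway.
"""
import ipaddress

# Constructed sample of `ra` default output, matching the layout on the page:
#   time proto src dir dst spkts dpkts sbytes dbytes state
# 203.0.113.10 stands in for "remoteserverip"; the udp line is made up.
SAMPLE_RA_OUTPUT = """\
22:01:25.436695 tcp 192.168.10.1.ssh > 192.168.10.19.53661 1 1 162 66 CON
22:01:25.436897 tcp 203.0.113.10.imaps > 192.168.10.19.53765 265 146 381424 9991 CON
22:01:26.001000 udp 192.168.10.19.domain > 192.168.10.1.50213 1 1 70 150 CON
"""

# Assumption: the LAN behind the gateway is a single /24.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]


def split_addr(token):
    """Return (ip, port_or_None) for an `ra` host token such as 192.168.10.1.ssh.

    ra appends the port (number or service name) after a dot; port-less
    flows (icmp, for instance) print the bare address, so try that first.
    Raises ValueError when the host part is not an IP address (LLC, arp...).
    """
    try:
        return ipaddress.ip_address(token), None
    except ValueError:
        host, _, port = token.rpartition(".")
        return ipaddress.ip_address(host), port or None


def parse_ra_line(line):
    """Parse one default-format `ra` line into a dict, or None if it is not an IP flow line."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        src_ip, src_port = split_addr(f[2])
        dst_ip, dst_port = split_addr(f[4])
    except ValueError:
        return None
    return {
        "time": f[0], "proto": f[1],
        "src": src_ip, "sport": src_port, "dir": f[3],
        "dst": dst_ip, "dport": dst_port,
        "spkts": int(f[5]), "dpkts": int(f[6]),
        "sbytes": int(f[7]), "dbytes": int(f[8]), "state": f[9],
    }


def is_internal(ip, nets=INTERNAL_NETS):
    return any(ip in n for n in nets)


def external_flows(text, nets=INTERNAL_NETS):
    """Keep only flows with at least one endpoint outside the internal nets."""
    kept = []
    for line in text.splitlines():
        flow = parse_ra_line(line)
        if flow is None:
            continue
        if is_internal(flow["src"], nets) and is_internal(flow["dst"], nets):
            continue  # laptop <-> gateway ssh, laptop <-> Windows PC, etc.
        kept.append(flow)
    return kept


def bpf_exclude_internal(nets=INTERNAL_NETS):
    """BPF expression that drops flows whose both ends are in the internal nets.

    Multiple nets are handled as (any internal src) and (any internal dst), so
    LAN-A to LAN-B traffic is excluded too, not just same-net traffic.
    """
    srcs = " or ".join(f"src net {n}" for n in nets)
    dsts = " or ".join(f"dst net {n}" for n in nets)
    return f"not (({srcs}) and ({dsts}))"


if __name__ == "__main__":
    for fl in external_flows(SAMPLE_RA_OUTPUT):
        print(f"{fl['time']} {fl['proto']} {fl['src']}.{fl['sport']} "
              f"{fl['dir']} {fl['dst']}.{fl['dport']} {fl['state']}")
    # Assumption: ra takes the filter after a lone "-", e.g.
    #   ra -r argus.out - 'not ((src net 192.168.10.0/24) and (dst net 192.168.10.0/24))'
    print("ra -r argus.out -", repr(bpf_exclude_internal()))
```

Run it as-is and only the imaps flow survives; the same expression passed to argus at capture time would keep the internal traffic out of argus.out altogether, at the cost of never seeing it, so post-filtering in ra is the less destructive choice while deciding what to monitor.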
So I’ll play a bit more with it; time to start evangelizing at work too, now that I can actually build the thing and make it go.