Jed Haile
Nitro Data Systems jhaile@nitrodata.com
• What is an audit trail?
• What is Argus?
• Overview of IP audit trails
• Why are they useful?
• Using audit trails to monitor your network
• Detecting interesting network events using audit trails
• Enhancing IDS analysis using audit trails
• An IP audit trail is a collection of network flows across some point of a network.
• A network flow is an identifiable exchange of data between two endpoints on a network.
• Flows may be delineated by normal protocol (a SYN replied to by an RST) or by timeouts.
• Flows may become exaggerated, as not all network traffic is readily broken into correct sessions with available information
• Written by Carter Bullard as part of a DoD contract while he was at Carnegie-Mellon’s SEI
• Runs on unix
• The free version is available at http://www.qosient.com/argus
• A commercial version is under development by Qosient
• Argus uses a client server model:
– Data collection engine (Server): Monitors the network using libpcap, collects network data into audit trails. This engine can output the data to a file or to a socket.
– Argus client: Reads audit data from a file or from a socket. There are a number of clients available for various purposes.
• ra: reads Argus data and displays it on stdout
• ragator: aggregates flows in arbitrary fashions
• ramon: produces rmon style reports and tables
• racount: counts bytes and packets
• rasort: sorts Argus records
• raxml: displays all fields in xml format
Others: ratop, ragrep, rahistogram, rasrvstats
Lacking: Database client!!
timestamp protocol src IP direction dst IP status
17 Apr 02 09:59:16 icmp 192.172.1.26 <-> 192.172.1.253 ECO
17 Apr 02 09:59:16 tcp 192.172.191.46.458 -> 207.68.162.24.80 FIN
17 Apr 02 09:59:16 icmp 192.172.1.25 <-> 192.172.1.253 ECO
17 Apr 02 09:59:16 tcp 192.18.221.25.119 -> 192.172.191.61.25 FIN
17 Apr 02 09:59:16 tcp 192.172.1.6.3562 -> 209.10.33.195.80 FIN
17 Apr 02 09:59:16 tcp 192.172.1.23.5936 -> 61.200.81.153.80 EST
17 Apr 02 09:59:16 tcp 192.172.191.46.4585 -> 64.4.30.24.80 FIN
17 Apr 02 09:59:17 tcp 192.172.191.46.4990 -> 12.12.162.203.80 RST
17 Apr 02 10:00:04 tcp 192.172.191.46.240 -> 216.33.240.24.80 RST
17 Apr 02 09:59:17 tcp 142.177.221.77.177 -> 192.172.18.27.634 RST
17 Apr 02 10:00:02 icmp 192.172.1.25 -> 192.172.1.253 ECO
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:02 udp 205.158.62.41.967 -> 192.172.191.6.53 TIM
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
There is still a lot of other useful data we can capture!!
• Source IP address
• Destination IP address
• Source Port
• Destination Port
• Protocol
• Time of first packet
• Time of last packet
• Packets sent
• Bytes sent
• Packets received
• Bytes received
This set of data is surprisingly rich!
• This set of data can be analyzed to find network sessions, or sets of sessions, that appear to be suspicious.
• In the case of a compromise, the audit trails can be examined to find out what else might have happened.
• Excellent tool for network policy monitoring. Makes unauthorized servers, services, or backdoors much easier to detect.
• Much smaller than full packet captures, so more can be stored for longer.
• Well suited to statistical analysis
• A major problem with collecting network flows is the extreme rate and large quantity of records
• Fortunately network flows are readily aggregated
• All flows with the same source and destination addresses and ports can be collapsed to a single row, with a counter
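The ra output reproduced above is plain whitespace-separated text, which makes the aggregation step easy to show. The following is an added example, not code from the slides or from the Argus distribution: it parses the slide's own ra lines (embedded here as constructed sample input) into records and then collapses flows that share a protocol and 4-tuple into a single row with a counter, the way ragator would. The column layout it assumes is exactly the nine-field format shown on the slide.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the ra output shown on the slide, one flow record per line.
RA_SAMPLE = """\
17 Apr 02 09:59:16 icmp 192.172.1.26 <-> 192.172.1.253 ECO
17 Apr 02 09:59:16 tcp 192.172.191.46.458 -> 207.68.162.24.80 FIN
17 Apr 02 09:59:16 icmp 192.172.1.25 <-> 192.172.1.253 ECO
17 Apr 02 09:59:16 tcp 192.18.221.25.119 -> 192.172.191.61.25 FIN
17 Apr 02 09:59:16 tcp 192.172.1.6.3562 -> 209.10.33.195.80 FIN
17 Apr 02 09:59:16 tcp 192.172.1.23.5936 -> 61.200.81.153.80 EST
17 Apr 02 09:59:16 tcp 192.172.191.46.4585 -> 64.4.30.24.80 FIN
17 Apr 02 09:59:17 tcp 192.172.191.46.4990 -> 12.12.162.203.80 RST
17 Apr 02 10:00:04 tcp 192.172.191.46.240 -> 216.33.240.24.80 RST
17 Apr 02 09:59:17 tcp 142.177.221.77.177 -> 192.172.18.27.634 RST
17 Apr 02 10:00:02 icmp 192.172.1.25 -> 192.172.1.253 ECO
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
17 Apr 02 10:00:02 udp 205.158.62.41.967 -> 192.172.191.6.53 TIM
17 Apr 02 10:00:02 icmp 129.82.45.220 -> 192.172.1.3 ECO
"""


@dataclass(frozen=True)
class Flow:
    timestamp: str
    proto: str
    src: str
    sport: Optional[int]
    direction: str
    dst: str
    dport: Optional[int]
    status: str


def split_endpoint(proto: str, endpoint: str):
    """ra prints tcp/udp endpoints as addr.port; icmp endpoints carry no port."""
    if proto in ("tcp", "udp"):
        addr, _, port = endpoint.rpartition(".")
        return addr, int(port)
    return endpoint, None


def parse_ra(text: str):
    """Parse the nine whitespace-separated columns of the slide's ra output."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9:
            continue  # skip headers, blank lines and anything not in this format
        day, mon, year, hms, proto, src, direction, dst, status = parts
        saddr, sport = split_endpoint(proto, src)
        daddr, dport = split_endpoint(proto, dst)
        flows.append(Flow(f"{day} {mon} {year} {hms}", proto, saddr, sport,
                          direction, daddr, dport, status))
    return flows


def aggregate(flows):
    """Collapse flows sharing protocol and 4-tuple into one row with a count."""
    return Counter((f.proto, f.src, f.sport, f.dst, f.dport) for f in flows)


def aggregate_by_hosts(flows):
    """Coarser roll-up that ignores ports: flows per (proto, src host, dst host)."""
    return Counter((f.proto, f.src, f.dst) for f in flows)


if __name__ == "__main__":
    parsed = parse_ra(RA_SAMPLE)
    for (proto, src, sport, dst, dport), n in aggregate(parsed).most_common():
        left = src if sport is None else f"{src}.{sport}"
        right = dst if dport is None else f"{dst}.{dport}"
        print(f"{n:3d}  {proto:4s} {left} -> {right}")
```

The host-level roll-up is what shrinks the record volume in practice: the ephemeral source port is different on every connection, so keying on it keeps almost every row distinct, while dropping it collapses the three ICMP echoes from 129.82.45.220 into one row with a count of three.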
• IP audit trails are an excellent tool for detecting network enumeration attempts.
• Snort’s spp_portscan2 uses network flows to detect portscans
• To detect portscanning simply count connections from external hosts to distinct hosts and ports on your network
• A well defined concept of home network versus external network is critical
• A portscan attempt which also correlates to an IDS alert, or to a session that is long or that moves some data might point to a successful compromise
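The counting rule above (connections from external hosts to distinct hosts and ports on the home network) is short enough to write out in full. This is an added example, not the slides' or Snort's spp_portscan2 code: it assumes 192.172.0.0/16 (the addresses seen on the slides) is the home network, and the flows are constructed, with two documentation-range addresses playing the scanners. It also separates the two shapes a scan can take, one host on many ports versus many hosts on one port, which is useful when deciding what to correlate against.

```python
import ipaddress
from collections import defaultdict

# Assumption: 192.172.0.0/16 (the addresses on the slides) is the home network.
HOME_NETS = [ipaddress.ip_network("192.172.0.0/16")]


def is_home(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NETS)


# Constructed flows: (src, dst, dport). 198.51.100.7 probes one host on many ports,
# 203.0.113.9 probes many hosts on one port; the rest is ordinary client traffic.
FLOWS = (
    [("198.51.100.7", "192.172.18.27", p)
     for p in (21, 22, 23, 25, 80, 110, 111, 135, 139, 443, 445, 634)]
    + [("203.0.113.9", f"192.172.1.{h}", 445) for h in range(1, 13)]
    + [("129.82.45.220", "192.172.1.3", 80)] * 4
    + [("192.172.191.46", "207.68.162.24", 80), ("192.172.1.6", "209.10.33.195", 80)]
)


def enumeration_counts(flows):
    """Per external source: distinct (home host, port) pairs, distinct hosts, distinct ports."""
    pairs = defaultdict(set)
    for src, dst, dport in flows:
        if is_home(src) or not is_home(dst):
            continue  # only external -> home flows can be an enumeration of our network
        pairs[src].add((dst, dport))
    return {
        src: {
            "pairs": len(p),
            "hosts": len({h for h, _ in p}),
            "ports": len({pt for _, pt in p}),
        }
        for src, p in pairs.items()
    }


def detect_portscans(flows, threshold=10):
    """Sources touching at least `threshold` distinct host/port pairs, with the scan shape."""
    hits = []
    for src, c in enumeration_counts(flows).items():
        if c["pairs"] < threshold:
            continue
        if c["hosts"] == 1:
            shape = "vertical"    # one host, many ports
        elif c["ports"] == 1:
            shape = "horizontal"  # many hosts, one port
        else:
            shape = "mixed"
        hits.append((src, c["pairs"], shape))
    return sorted(hits)


if __name__ == "__main__":
    for src, n, shape in detect_portscans(FLOWS):
        print(f"{src}: {n} distinct host/port pairs ({shape} scan)")
```

The repeat visitor to the web server never gets past one distinct pair no matter how many times it connects, which is why the metric is distinct pairs rather than raw connection count; the threshold is a tuning knob, not a fact about networks, and should be set from what the home network normally sees.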
• Long sessions are common on networks
• Due to the more stateless nature of udp and icmp, distinct network flows might be collapsed into a single network flow
• Long sessions to interesting ports, or inbound to unexpected locations, or with IDS alerts are the things we want to focus on
• Extensive correlation is critical to making the important long sessions stand out
• Inbound traffic to a host that is known to not exist
• A good way of detecting network enumeration attempts
• Sessions being initiated to high ports on your home network should always be viewed with suspicion
• There are exceptions (ftp traffic)
• By keeping “state” on your network’s flows you can eliminate many of the valid inbound high port connections
• High port traffic + IDS alert…
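The two checks above (inbound to a host that does not exist, and inbound to a high port with no state to explain it) can be made concrete with the "keeping state" idea from the previous bullet. This is an added example, not code from the slides or from Argus: it assumes 192.172.0.0/16 is the home network, uses a constructed asset inventory of addresses that really exist there, and treats an inbound high-port flow as expected only when the home host recently opened an outbound flow to the same external peer (the active-mode FTP case). The flow records and the 300-second state lifetime are constructed values.

```python
import ipaddress
from collections import namedtuple

# Assumptions: 192.172.0.0/16 is the home network; KNOWN_HOSTS is a constructed asset
# inventory of the addresses that actually exist on it.
HOME_NET = ipaddress.ip_network("192.172.0.0/16")
KNOWN_HOSTS = {"192.172.1.3", "192.172.191.6", "192.172.191.46"}
STATE_TTL = 300  # seconds an outbound flow keeps "expecting" inbound traffic from its peer

Flow = namedtuple("Flow", "start proto src sport dst dport")

# Constructed flows, already sorted by start time (seconds).
FLOWS = [
    Flow(100, "tcp", "192.172.191.46", 3401, "198.51.100.20", 21),   # FTP control, outbound
    Flow(101, "tcp", "198.51.100.20", 20, "192.172.191.46", 3402),   # active-mode data back to a high port
    Flow(105, "tcp", "203.0.113.9", 40123, "192.172.191.46", 6667),  # unsolicited inbound high port
    Flow(106, "tcp", "203.0.113.9", 40124, "192.172.7.7", 80),       # inbound to an address nobody uses
    Flow(107, "tcp", "129.82.45.220", 5000, "192.172.1.3", 80),      # ordinary inbound web request
    Flow(900, "tcp", "198.51.100.20", 20, "192.172.191.46", 3403),   # same FTP peer, but state has expired
]


def is_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET


def audit_inbound(flows, ttl=STATE_TTL):
    """Walk flows in time order, tracking which external peers each home host has talked to."""
    expected = {}  # (home host, external peer) -> start time of the last outbound flow
    findings = []
    for f in flows:
        if is_home(f.src) and not is_home(f.dst):
            expected[(f.src, f.dst)] = f.start   # outbound: remember the peer
            continue
        if not (is_home(f.dst) and not is_home(f.src)):
            continue  # purely internal or purely external; out of scope here
        if f.dst not in KNOWN_HOSTS:
            findings.append((f, "inbound to a host that does not exist"))
        elif f.dport >= 1024:
            last = expected.get((f.dst, f.src))
            if last is None or f.start - last > ttl:
                findings.append((f, "unsolicited inbound connection to a high port"))
    return findings


if __name__ == "__main__":
    for flow, reason in audit_inbound(FLOWS):
        print(f"t={flow.start}: {flow.src}.{flow.sport} -> {flow.dst}.{flow.dport}: {reason}")
```

The inventory check is the cheapest high-signal test on the list: there is no legitimate reason for traffic to an address that is not assigned, so every hit is either a misconfiguration or enumeration. The state table is what keeps the high-port rule from drowning in FTP data connections, and the TTL is there so that stale state does not excuse a connection that arrives long after the session it could have belonged to.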
• High connection rates could point to DOS attempts, port scanning, auto rooter, P2P activity, worm activity, and more
• There are valid network activities which can generate high connection rates
• Correlation of high connection rates to other anomalous activities is what we need to look for
• Another example of activity that could be either benign or malicious
• High packet rates might indicate worm activity, portscanning, or other nastiness
• A sudden appearance of high packet rates linked to a previous session which had IDS alerts associated could indicate a host that has been successfully compromised
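Connection rate and packet rate are both per-source sliding-window counts over the flow records, so one routine serves the two preceding slides. This is an added example, not code from the slides or from Argus; the flows, the 10-second window and both thresholds are constructed values chosen to make the three behaviours visible: a source opening connections far faster than a client would, a home host that suddenly pushes a large packet count, and a steady client that crosses neither line.

```python
from collections import defaultdict, deque

# Constructed flows: (start_seconds, src, packets_sent). 203.0.113.9 opens three
# connections a second for 20 s; 192.172.1.23 opens a few flows carrying many packets;
# 129.82.45.220 is a steady one-connection-per-second client.
FLOWS = (
    [(t, "203.0.113.9", 3) for t in range(20) for _ in range(3)]
    + [(t, "192.172.1.23", 600) for t in (100, 102, 104, 106, 108)]
    + [(t, "129.82.45.220", 10) for t in range(200, 220)]
)


def rate_alerts(flows, window=10, conn_threshold=30, pkt_threshold=2000):
    """Sliding-window connection and packet rates per source.

    Returns {src: (time, reason)} for the first moment each source crosses a threshold.
    """
    recent = defaultdict(deque)   # src -> (start, packets) for flows inside the window
    pkts = defaultdict(int)       # src -> packets currently inside the window
    alerts = {}
    for start, src, packets in sorted(flows):
        q = recent[src]
        q.append((start, packets))
        pkts[src] += packets
        while q and q[0][0] < start - window:   # expire flows that left the window
            _, old_pkts = q.popleft()
            pkts[src] -= old_pkts
        reason = None
        if len(q) >= conn_threshold:
            reason = f"{len(q)} connections in {window}s"
        elif pkts[src] >= pkt_threshold:
            reason = f"{pkts[src]} packets in {window}s"
        if reason and src not in alerts:
            alerts[src] = (start, reason)
    return alerts


if __name__ == "__main__":
    for src, (when, reason) in sorted(rate_alerts(FLOWS).items()):
        print(f"t={when}: {src}: {reason}")
```

The value of the routine is not the alert itself, which on its own is the "could be bad, could be good" case the slides describe, but the timestamp it returns: that is the key for joining against IDS alerts and against the portscan or long-session findings for the same source.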
• A stepping stone is a computer that is used as an intermediate point between two other computers
• Stepping stones are frequently used by attackers to obscure their location/identity
• Stepping stones can be detected by correlation of on/off times between two network flows. This is prone to false positives.
• A better approach is to correlate on and off times of packet activity inside the flow, but requires finer granularity in the data than can be provided by argus.
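The flow-level correlation from the slide pairs an inbound flow into a home host with an outbound flow from that same host whose start and end times line up. This is an added example, not code from the slides or from Argus: it assumes 192.172.0.0/16 is the home network and uses constructed flows with a 2-second tolerance. It works only at the granularity Argus provides (one on/off time per flow), which is exactly why the slide calls it prone to false positives: any two long-lived sessions through the same host that happen to start and stop together will match.

```python
import ipaddress
from collections import namedtuple

# Assumption: 192.172.0.0/16 (the addresses on the slides) is the home network.
HOME_NET = ipaddress.ip_network("192.172.0.0/16")

Flow = namedtuple("Flow", "start end src dst")  # times in seconds

# Constructed flows: an external host holds a session into 192.172.18.27 while that host
# holds an almost identical session outbound; the other pairs line up at one end only.
FLOWS = [
    Flow(1000, 1900, "203.0.113.9", "192.172.18.27"),
    Flow(1001, 1899, "192.172.18.27", "198.51.100.44"),
    Flow(1000, 1010, "129.82.45.220", "192.172.1.3"),
    Flow(1003, 1600, "192.172.1.3", "198.51.100.99"),
    Flow(1500, 1700, "198.51.100.5", "192.172.191.46"),
    Flow(1200, 1701, "192.172.191.46", "203.0.113.77"),
]


def is_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET


def find_stepping_stones(flows, tolerance=2):
    """Pair inbound and outbound flows through one home host whose on/off times match.

    Returns (home host, upstream source, downstream destination, start skew, end skew).
    """
    inbound = [f for f in flows if is_home(f.dst) and not is_home(f.src)]
    outbound = [f for f in flows if is_home(f.src) and not is_home(f.dst)]
    candidates = []
    for i in inbound:
        for o in outbound:
            if o.src != i.dst:
                continue  # not the same intermediate host
            start_skew = o.start - i.start   # the relayed session should begin just after the inbound one
            end_skew = o.end - i.end
            if 0 <= start_skew <= tolerance and abs(end_skew) <= tolerance:
                candidates.append((i.dst, i.src, o.dst, start_skew, end_skew))
    return candidates


if __name__ == "__main__":
    for host, upstream, downstream, s, e in find_stepping_stones(FLOWS):
        print(f"{upstream} -> {host} -> {downstream} (start skew {s}s, end skew {e}s)")
```

Requiring the outbound leg to start no earlier than the inbound one removes the most obvious coincidences, but the remaining matches still need the correlation the earlier slides describe (IDS alerts, unexpected ports, data volume) before they mean anything; the per-packet timing approach the slide prefers needs data Argus does not keep.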
• Using IP audit trails is a powerful enhancement to IDS
• IP audit trails also give new ways of looking for anomalous traffic or new services on your network, and of getting a better perspective on your network’s operation
• There is lots to be done!