Monday, December 04, 2006

Ragrep

I wonder why I put ragrep as the title, but I think this may help someone who is googling for the uses of ragrep; I hardly found any when I tried googling. So what is ragrep for? You should have an idea just by looking at the name. You may have heard of flowgrep or ngrep: ngrep is packet based, while flowgrep is flow based, which gives more accuracy. Argus offers you tools that do about the same thing.

While I have done lots of flow analysis using the argus clients, I don't do much on the payload side. However, you can actually do so with the argus tool ragrep. In order to use ragrep, you will have to capture user data bytes. This can generate expensive argus data if you are running on a high speed network, but it is not a bad idea to use ragrep if you have stored full content data, or at least it can tell you whether certain commands (http/ftp commands/codes) have been executed successfully in your network by storing just the first 10-15 data bytes of each connection. To capture user data bytes, you will have to configure argus with the following variable in argus.conf -

ARGUS_CAPTURE_DATA_LEN=15

Or you can run argus with the -U option, which is good when you want to perform offline analysis of generic pcap files. I usually do this -

shell>argus -U 15 -r test.pcap -w test.argus

Once you have data in argus format, you can check for an ftp data connection closing with transfer complete by running this -

shell>ragrep -i -e '226 Transfer' -r test.argus -nn

To increase the accuracy, you can examine the tcp state changes with the -z option and check the source/destination bytes as well as the duration of the flow. Racluster can be used to aggregate records with the same pair of src/dst ip/port, to avoid confusion caused by the flow status interval timer splitting one connection across several records. Remember that smtp and ftp can be tricky to read in flow records when there is a large bulk data transfer, so it is good to aggregate this kind of flow record.
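The three steps above (payload match as ragrep does it, the tcp state check, and racluster-style aggregation by src/dst ip/port) as an added example that is not part of the original post: the flow records are constructed, and the field names are illustrative rather than argus's real output format.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    # Constructed record; fields are illustrative, loosely following ra output.
    saddr: str
    sport: int
    daddr: str
    dport: int
    dur: float
    sbytes: int
    dbytes: int
    state: str   # TCP state as reported, e.g. "CON", "FIN", "RST"
    duser: str   # captured user-data bytes sent by the destination

# Constructed sample: one long FTP control connection split into three
# status-interval records, one session torn down by RST, one HTTP flow.
FLOWS = [
    Flow("10.0.0.5", 51000, "10.0.0.9", 21, 1.0, 40, 60, "CON", "220 FTP ready"),
    Flow("10.0.0.5", 51000, "10.0.0.9", 21, 4.0, 120, 3000, "CON", ""),
    Flow("10.0.0.5", 51000, "10.0.0.9", 21, 0.5, 10, 30, "FIN", "226 Transfer co"),
    Flow("10.0.0.7", 51002, "10.0.0.9", 21, 0.2, 10, 30, "RST", "226 Transfer co"),
    Flow("10.0.0.8", 51003, "10.0.0.9", 80, 0.1, 200, 800, "FIN", "HTTP/1.1 200 OK"),
]

def payload_matches(flow, pattern):
    """Case-insensitive match on captured user data, like ragrep -i -e."""
    return pattern.lower() in flow.duser.lower()

def ragrep_like(flows, pattern):
    """Payload match alone: every record whose data contains the pattern."""
    return [f for f in flows if payload_matches(f, pattern)]

def cluster(flows):
    """Merge records that share src/dst ip/port, as racluster does by default."""
    merged = {}
    for f in flows:
        key = (f.saddr, f.sport, f.daddr, f.dport)
        m = merged.setdefault(key, Flow(*key, 0.0, 0, 0, f.state, ""))
        m.dur += f.dur
        m.sbytes += f.sbytes
        m.dbytes += f.dbytes
        m.state = f.state                                       # latest state wins
        m.duser = " ".join(x for x in (m.duser, f.duser) if x)  # keep all data
    return list(merged.values())

def completed_transfers(flows, pattern="226 Transfer"):
    """Payload match plus TCP state and byte checks on aggregated records."""
    return [f for f in cluster(flows)
            if payload_matches(f, pattern) and f.state == "FIN" and f.dbytes > 0]
```

The payload match alone flags both the completed session and the one torn down by RST; after aggregation and the state check only the completed connection remains, with its total bytes and duration summed across the split records.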

Enjoy (;])

2 comments:

james said...

Hi there. I'm not really a geeky guy like you, but do you have tutorials or articles about programming languages? Or CMS, like Joomla?

James said...

I didn't know you can do this with argus tool - but thanks for the info, will try it.