Sunday, March 16, 2008

Argus 3: Audit Trail with HGWL

I have discussed the Harimau Global Watchlist here; one of the reasons Spoonfork developed HGWL was to put all the malicious IP addresses in one place so that they can be used with argus. In fact it can be used with any network flow technology, but I'm going to show how you can use HGWL and argus 3 to perform audit trailing.

Obtaining the Harimau Global Watchlist -

shell>wget http://watchlist.security.org.my/all.txt

Generate an IP address list from the argus data file (shit.arg3) -

shell>racluster -M rmon -m saddr -r shit.arg3 -s saddr - ip > IP.list

I use -M rmon to convert argus biflow data to uniflow; source and destination don't matter at this point, so I just need to tell it to show the source address with -s saddr and I will obtain all the IP addresses. The -m saddr option clusters on the source address field only, so the same IP is shown once.

Filtering out suspected IP addresses -

shell>for host in `cat IP.list`; \
do egrep $host all.txt >> Suspect.list; done

61.187.72.70, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
61.193.128.171, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
65.160.238.180, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
66.45.254.244, www.emergingthreats.net/rules/bleeding-rbn.rules, ET RBN Known Russian Business Network Monitored Domains (15), rbn, 2008/03/16 00:03:31
195.161.8.1,http://www.senderbase.org/home/detail_spam_source,senderbase-spam-source,2008/03/16 00:28:34
202.58.85.15, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
217.175.134.217, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
218.30.19.40, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
221.6.4.67, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
221.237.161.186, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08

Most of the time we start an audit trail when the IDS gives us a pointer. Now we can query the argus data for each IP address in Suspect.list that matched and trace its network activities. For example -

shell>ra -nr data.arg3 - host 195.161.8.1
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
13:00:58.918872 e tcp 195.161.8.1.10424 -> 192.168.42.109.25 16 1559 RST
13:00:59.275570 e tcp 192.168.42.109.28457 -> 195.161.8.1.113 1 60 REQ
13:02:03.314641 e d tcp 195.161.8.1.24113 -> 192.168.42.109.25 8 698 RST
13:02:03.815631 e tcp 192.168.42.109.28493 -> 195.161.8.1.113 1 60 REQ
Output truncated ....
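The filtering step above greps each address as a plain pattern, which also matches any longer address that merely contains it (1.8.1.5 would hit 161.8.1.5). The script below is an added example, not part of the original post, that does the same HGWL lookup by comparing the whole first CSV field of the watchlist against the IP list, then turns the matches into the host filter expression ra expects. The sample all.txt and IP.list it writes are constructed for the demo (the 161.8.1.5 and 1.8.1.5 entries are made up to show the near-miss case); the field layout follows the HGWL lines shown above.

```shell
#!/bin/sh
# Added example (not from the original post): exact-match HGWL lookup.
# Assumes IP.list holds one IPv4 address per line (as racluster -s saddr
# produces) and all.txt is the HGWL CSV whose first field is the address.

# Constructed sample inputs, written to a temp dir so this runs offline.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/all.txt" <<'EOF'
61.187.72.70, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2008/03/16 00:00:08
195.161.8.1,http://www.senderbase.org/home/detail_spam_source,senderbase-spam-source,2008/03/16 00:28:34
161.8.1.5, http://example.invalid/feed, Constructed near-miss entry, demo-feed, 2008/03/16 00:00:00
EOF
cat > "$DEMO_DIR/IP.list" <<'EOF'
195.161.8.1
61.187.72.70
192.168.42.109
1.8.1.5
EOF

# match_watchlist IP.list all.txt
# Prints every watchlist line whose first comma-separated field is exactly
# one of the addresses in IP.list. Comparing whole fields instead of
# grepping for a substring means 1.8.1.5 does not match 161.8.1.5 and
# 195.161.8.1 would not match 195.161.8.10.
match_watchlist() {
    awk -F, '
        NR == FNR {                                # first file: collect the IPs
            ip = $1
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", ip)    # tolerate stray whitespace
            if (ip != "") want[ip] = 1
            next
        }
        {                                          # second file: the watchlist
            ip = $1
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", ip)
            if (ip in want) print
        }
    ' "$1" "$2"
}

# ra_filter Suspect.list
# Turns the matched lines into a single argus filter expression, e.g.
#   host 61.187.72.70 or host 195.161.8.1
# so one query pulls the flows for every suspect:
#   ra -nr data.arg3 - "$(ra_filter Suspect.list)"
ra_filter() {
    awk -F, '
        {
            ip = $1
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", ip)
            if (!(ip in seen)) { seen[ip] = 1; ips[n++] = ip }   # dedupe, keep order
        }
        END {
            for (i = 0; i < n; i++)
                printf "%s%s", (i ? " or host " : "host "), ips[i]
        }
    ' "$1"
}

match_watchlist "$DEMO_DIR/IP.list" "$DEMO_DIR/all.txt" > "$DEMO_DIR/Suspect.list"
cat "$DEMO_DIR/Suspect.list"
echo "ra filter: $(ra_filter "$DEMO_DIR/Suspect.list")"
```

With the sample data only the two genuine watchlist hits are written to Suspect.list; the constructed 161.8.1.5 line is left out even though it contains 1.8.1.5 as a substring. The whitespace trimming is there because some HGWL feeds pad the fields after the comma and others do not, as the senderbase line above shows.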

End for this.

The new client tool rastream was recently included in argus 3 as an argus data stream block processor. I'm thinking of using it to perform the HGWL matching automatically as soon as the argus data is generated, so that we can catch suspected hosts in near real time and watch for possible ongoing malicious actions. Maybe I will discuss rastream in a future blog post.

Updates: My friend scholar01 has shown me a useful trick: instead of using for host in `cat IP.list`; do egrep $host all.txt >> Suspect.list; done, it is better to use fgrep -f IP.list all.txt, as fgrep has an advanced engine for matching static strings all at once. Thanks.

Enjoy (;])

2 comments:

Anonymous said...

In my testing fgrep does not seem to be very accurate. It seems to only match the first octet.

владимир слуцкер said...

This blog seems very perfect and accurate enough to go through with proper information. I am really impressed with the owner of this blog for sharing such matter.