Wednesday, January 11, 2012

Argus 3: Some hardly used scripts

There are couple of perl scripts come with argus 3 to process argus data, in case you haven't used them, do try them out, I will just show the result generated by those scripts -

shell>perl ./raips -r ~/pcap-repo/anubis.arg3
187.45.196.28
187.45.241.156
192.168.0.1
192.168.0.2

Raips will generate all unique IP addresses that are seen in the argus data.

shell>perl ./rahosts -r ~/pcap-repo/anubis.arg3
192.168.0.2: (3) 187.45.196.28, 187.45.241.156, 192.168.0.1

Rahosts will generate host report, and telling you the hosts that initiate network connection(transmitter) and also destination hosts that are probed(receiver), you may get an array of IP addresses in the same network if it is network scanning or worm outbreak activity.

shell>perl ./raports -r ~/pcap-repo/anubis.arg3
187.45.241.156 tcp: (1) 80
192.168.0.1 udp: (1) 53
187.45.196.28 tcp: (1) 1433

Raports will generate the port report, however only on server side, which means those ports that are probed by any host.

If you are not satisfied with the result generated by those scripts, you are free to modify them to fit your needs, basically Carter is just demonstrating what you can do with argus data using some scripting capabilities.

Cheers (;])

3 comments:

Raphael CS said...

Hi,
I've been looking for a answer for how Argus recognizes the forward and the reverse direction of flows based in RFC 5103 ("Direction Assignment").
http://tools.ietf.org/html/rfc5103#page-8
Which one of three methods Argus use?
* I'm sorry for the english

Matt said...

Hello CS,

Just discovered argus last week (I'm a bit late the party, huh?).

I really would like to process the data to be presented via the web using jscript based visualization renderers. Have you ever attempted this?


Thanks for your posts,

Matt

C.S.Lee said...

hi Raphael,

Argus is developed based on IPPM/RTFM Framework, so you can google IETF RTFM to get the info regarding the flow directional assignment.

hi Matt,

I never attempt this, but I have visualize argus data using both afterglow and picviz. I supposed you can do that with a lot of visualization tools around including jscript based.