Using Argus Audit Trails to Enhance IDS Analysis - PowerPoint PPT Presentation

Presentation Transcript

Using Argus Audit Trails to Enhance IDS Analysis

Jed Haile

Nitro Data Systems

[email protected]

Overview
  • What is an audit trail?

  • What is Argus?

  • Overview of IP audit trails

  • Why are they useful?

  • Using audit trails to monitor your network

  • Detecting interesting network events using audit trails

  • Enhancing IDS analysis using audit trails

What is an IP Audit Trail?

  • An IP audit trail is a collection of network flows across some point of a network.

  • A network flow is an identifiable exchange of data between two endpoints on a network.

  • Flows may be delineated by normal protocol behaviour (e.g. a SYN answered by an RST) or by timeouts.

  • Flows may be exaggerated (longer or larger than the real sessions), since not all network traffic can be split into correct sessions from the information available.

What is Argus?

  • Written by Carter Bullard as part of a DoD contract while he was at Carnegie-Mellon’s SEI

  • Runs on Unix

  • The free version is available at

  • A commercial version is under development by Qosient

More about Argus

  • Argus uses a client server model:

    • Data collection engine (Server): Monitors the network using libpcap, collects network data into audit trails. This engine can output the data to a file or to a socket.

    • Argus client: Reads audit data from a file or from a socket. There are a number of clients available for various purposes.

Argus Clients

  • ra: reads Argus data and displays it on stdout

  • ragator: aggregates flows in arbitrary fashions

  • ramon: produces RMON-style reports and tables

  • racount: counts bytes and packets

  • rasort: sorts Argus records

  • raxml: displays all fields in XML format

  • Others: ratop, ragrep, rahistogram, rasrvstats

  • Lacking: Database client!!

Default RA output

timestamp protocol src IP direction dst IP status
17 Apr 02 09:59:16 icmp <-> ECO
17 Apr 02 09:59:16 tcp -> FIN
17 Apr 02 09:59:16 icmp <-> ECO
17 Apr 02 09:59:16 tcp -> FIN
17 Apr 02 09:59:16 tcp -> FIN
17 Apr 02 09:59:16 tcp -> EST
17 Apr 02 09:59:16 tcp -> FIN
17 Apr 02 09:59:17 tcp -> RST
17 Apr 02 10:00:04 tcp -> RST
17 Apr 02 09:59:17 tcp -> RST
17 Apr 02 10:00:02 icmp -> ECO
17 Apr 02 10:00:02 icmp -> ECO
17 Apr 02 10:00:02 icmp -> ECO
17 Apr 02 10:00:02 udp -> TIM
17 Apr 02 10:00:02 icmp -> ECO

There is still a lot of other useful data we can capture!!

Data Model

  • Source IP address

  • Destination IP address

  • Source Port

  • Destination Port

  • Protocol

  • Time of first packet

  • Time of last packet

  • Packets sent

  • Bytes sent

  • Packets received

  • Bytes received

  • This set of data is surprisingly rich!

Why are these useful?

  • This set of data can be analyzed to find network sessions, or sets of sessions, that appear to be suspicious.

  • In the case of a compromise, the audit trails can be examined to find out what else might have happened.

  • Excellent tool for network policy monitoring. Makes unauthorized servers, services, or backdoors much easier to detect.

  • Much smaller than full packet captures, so more can be stored for longer.

  • Well suited to statistical analysis

Reducing Record Counts

  • A major problem with collecting network flows is the extreme rate and large quantity of records

  • Fortunately network flows are readily aggregated

  • All flows with the same source and destination addresses and ports can be collapsed to a single row, with a counter
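The data model above and the aggregation rule on this slide, as an added Python example (not part of the talk and not Argus's own code): a record carries the eleven fields the talk lists, five constructed flows are built inline, and every flow sharing a key collapses to one row with a counter, earliest start, latest end and summed volumes. The default key drops the client's ephemeral source port, which is an assumed reading of "same addresses and ports" (the repeated web fetches only collapse that way); the full 5-tuple is available as an alternative key.

```python
from collections import OrderedDict, namedtuple

# One flow record with the fields from the talk's data model; times are epoch seconds.
Flow = namedtuple("Flow", "src dst sport dport proto start end spkts sbytes dpkts dbytes")

# Constructed sample: three web fetches from one client to one server (each on a
# different ephemeral source port), one DNS lookup and one long SSH session.
SAMPLE = [
    Flow("10.0.0.5", "192.0.2.10", 40001, 80, "tcp", 1000.0, 1001.2, 6, 900, 5, 4200),
    Flow("10.0.0.5", "192.0.2.10", 40002, 80, "tcp", 1002.0, 1002.8, 5, 700, 4, 3100),
    Flow("10.0.0.5", "192.0.2.10", 40003, 80, "tcp", 1005.0, 1006.1, 7, 1100, 6, 5300),
    Flow("10.0.0.5", "10.0.0.1", 53001, 53, "udp", 1000.1, 1000.1, 1, 60, 1, 120),
    Flow("10.0.0.7", "192.0.2.22", 50020, 22, "tcp", 900.0, 1800.0, 300, 24000, 280, 31000),
]


def service_key(f):
    """Aggregation key that drops the client's ephemeral source port, so repeated
    connections to the same service collapse (an assumed choice, not Argus's own)."""
    return (f.src, f.dst, f.proto, f.dport)


def aggregate(flows, key=service_key):
    """Collapse all flows sharing `key` into one row carrying a flow counter,
    the earliest start, the latest end and summed packet/byte counts."""
    rows = OrderedDict()
    for f in flows:
        k = key(f)
        if k not in rows:
            rows[k] = {"count": 0, "start": f.start, "end": f.end,
                       "spkts": 0, "sbytes": 0, "dpkts": 0, "dbytes": 0}
        r = rows[k]
        r["count"] += 1
        r["start"] = min(r["start"], f.start)
        r["end"] = max(r["end"], f.end)
        for field in ("spkts", "sbytes", "dpkts", "dbytes"):
            r[field] += getattr(f, field)
    return rows


def reduction(flows, key=service_key):
    """Return (input records, output rows) so the saving can be reported."""
    return len(flows), len(aggregate(flows, key))


if __name__ == "__main__":
    for k, r in aggregate(SAMPLE).items():
        print(k, r)
    print("records -> rows:", reduction(SAMPLE))
```

Keeping the earliest start and latest end per row is what lets the aggregated trail still answer "when was this service first and last used", which is the question most incident timelines start with.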

Portscan Detection

  • IP audit trails are an excellent tool for detecting network enumeration attempts.

  • Snort’s spp_portscan2 uses network flows to detect portscans

  • To detect portscanning, simply count connections from external hosts to distinct hosts and ports on your network

  • A well defined concept of home network versus external network is critical

  • A portscan attempt which also correlates to an IDS alert, or to a session that is long or that moves some data might point to a successful compromise
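The counting rule on this slide, as an added Python example (not the talk's code and not Snort's spp_portscan2): each external source is credited with the distinct home hosts and ports it touched, sources over a host or port threshold are reported, and a second pass looks for the correlation the last bullet describes (IDS alerts plus long or data-carrying sessions from the same source). The home network, the thresholds, the flow records and the alert list are all constructed values.

```python
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto start end spkts sbytes dpkts dbytes")

# The home-network definition the slide calls critical (constructed value).
HOME_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def is_home(addr):
    return any(ipaddress.ip_address(addr) in net for net in HOME_NETS)


# Constructed sample: 198.51.100.9 probes port 22 on twelve home hosts and then holds a
# long, data-carrying session with one of them; 203.0.113.5 only browses a web server.
SAMPLE = [
    Flow("198.51.100.9", "10.0.0.%d" % i, 40000 + i, 22, "tcp", 1000.0 + i, 1000.0 + i, 1, 60, 1, 40)
    for i in range(1, 13)
] + [
    Flow("198.51.100.9", "10.0.0.4", 40100, 22, "tcp", 1100.0, 1700.0, 400, 32000, 380, 48000),
    Flow("203.0.113.5", "10.0.0.80", 51000, 80, "tcp", 1200.0, 1200.4, 6, 800, 5, 3000),
    Flow("203.0.113.5", "10.0.0.80", 51001, 80, "tcp", 1201.0, 1201.3, 6, 800, 5, 2800),
]

# Constructed IDS alerts, keyed by the alerting source address.
ALERTS = [{"src": "198.51.100.9", "dst": "10.0.0.4", "sig": "constructed SSH alert"}]


def scan_candidates(flows, host_threshold=5, port_threshold=10):
    """Count distinct home hosts and ports touched by each external source and report
    those over either threshold (a horizontal or a vertical scan)."""
    targets = defaultdict(set)
    for f in flows:
        if is_home(f.src) or not is_home(f.dst):
            continue                                   # only external -> home flows count
        targets[f.src].add((f.dst, f.dport))
    report = {}
    for src, t in targets.items():
        hosts = {h for h, _ in t}
        ports = {p for _, p in t}
        if len(hosts) >= host_threshold or len(ports) >= port_threshold:
            report[src] = {"hosts": len(hosts), "ports": len(ports), "targets": len(t)}
    return report


def prioritize(flows, report, alerts, min_seconds=60.0, min_bytes=10000):
    """For each reported scanner, count IDS alerts and long or data-carrying sessions
    from the same source: the combination the slide says may mean a compromise."""
    out = {}
    for src in report:
        sessions = [f for f in flows if f.src == src and
                    ((f.end - f.start) >= min_seconds or (f.sbytes + f.dbytes) >= min_bytes)]
        out[src] = {"ids_alerts": sum(1 for a in alerts if a["src"] == src),
                    "long_or_bulky_sessions": len(sessions)}
    return out


if __name__ == "__main__":
    found = scan_candidates(SAMPLE)
    print(found)
    print(prioritize(SAMPLE, found, ALERTS))
```

The thresholds are deliberately low for the toy data; on a real trail they are tuned against a day of known-good traffic, and the `prioritize` output is what turns a noisy scanner list into a short queue of hosts to check for compromise.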

Long Sessions

  • Long sessions are common on networks

  • Due to the more stateless nature of UDP and ICMP, distinct network flows might be collapsed into a single network flow

  • Long sessions to interesting ports, or inbound to unexpected locations, or with IDS alerts are the things we want to focus on

  • Extensive correlation is critical to making the important long sessions stand out

Traffic to Nonexistent Hosts

  • Inbound traffic to a host that is known to not exist

  • A good way of detecting network enumeration attempts

Traffic to High Ports

  • Sessions being initiated to high ports on your home network should always be viewed with suspicion

  • There are exceptions (ftp traffic)

  • By keeping “state” on your network’s flows you can eliminate many of the valid inbound high port connections

  • High port traffic + IDS alert…

High Connection Rate

  • High connection rates could point to DoS attempts, port scanning, autorooters, P2P activity, worm activity, and more

  • There are valid network activities which can generate high connection rates

  • Correlation of high connection rates to other anomalous activities is what we need to look for

High Packet Rate

  • Another example of activity that could be bad or could be benign

  • High packet rates might indicate worm activity, portscanning, or other nastiness

  • A sudden appearance of high packet rates linked to a previous session which had IDS alerts associated could indicate a host that has been successfully compromised
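The four indicators from the "Traffic to Nonexistent Hosts", "Traffic to High Ports", "High Connection Rate" and "High Packet Rate" slides, as one added Python example (not the talk's code and not an Argus client): each is a small rule over the same constructed flow records, the high-port rule keeps the "state" the slide mentions by excusing a data connection when an FTP control channel between the same two hosts was open at the time, and a final pass counts how many rules each source triggered, which is the correlation both slides say is what actually needs looking at. The home network, the live-host inventory, all addresses and every threshold are constructed or assumed values.

```python
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto start end spkts sbytes dpkts dbytes")

HOME_NET = ipaddress.ip_network("10.0.0.0/24")                     # constructed
LIVE_HOSTS = {"10.0.0.1", "10.0.0.4", "10.0.0.21", "10.0.0.80"}   # constructed inventory


def in_home(addr):
    return ipaddress.ip_address(addr) in HOME_NET


# Constructed sample records (times are epoch seconds).
SAMPLE = [
    # probe of an address that is not in the inventory
    Flow("198.51.100.9", "10.0.0.13", 40001, 22, "tcp", 1000.0, 1000.0, 1, 60, 0, 0),
    # passive FTP: control channel on 21, then a data connection to a high port
    Flow("203.0.113.5", "10.0.0.21", 50100, 21, "tcp", 2000.0, 2300.0, 40, 2000, 38, 3000),
    Flow("203.0.113.5", "10.0.0.21", 50101, 41234, "tcp", 2100.0, 2110.0, 20, 800, 900, 1300000),
    # inbound session to a high port with no control channel explaining it
    Flow("198.51.100.9", "10.0.0.4", 40100, 31337, "tcp", 3000.0, 3600.0, 400, 32000, 380, 48000),
    # sixty short HTTP connections from one source inside half a minute
    *[Flow("192.0.2.77", "10.0.0.80", 51000 + i, 80, "tcp", 4020.0 + i * 0.5, 4020.2 + i * 0.5, 3, 300, 2, 500)
      for i in range(60)],
    # a home host sending 3000 DNS packets in two seconds
    Flow("10.0.0.4", "192.0.2.99", 53001, 53, "udp", 5000.0, 5002.0, 3000, 180000, 0, 0),
]


def dead_host_traffic(flows):
    """Inbound flows to home addresses that are not in the live-host inventory."""
    return [f for f in flows if in_home(f.dst) and f.dst not in LIVE_HOSTS and not in_home(f.src)]


def inbound_high_port(flows, high=1024):
    """Inbound TCP flows to high ports, minus those explained by an FTP control channel
    between the same two hosts that was open when the data connection started."""
    ftp_ctl = [c for c in flows if c.proto == "tcp" and c.dport == 21]
    hits = []
    for f in flows:
        if f.proto != "tcp" or in_home(f.src) or not in_home(f.dst) or f.dport < high:
            continue
        explained = any({c.src, c.dst} == {f.src, f.dst} and c.start <= f.start <= c.end
                        for c in ftp_ctl)
        if not explained:
            hits.append(f)
    return hits


def connection_rate(flows, window=60.0, threshold=50):
    """Sources that open more than `threshold` flows inside one `window`-second bucket;
    returns the busiest bucket count for each offending source."""
    buckets = Counter((f.src, int(f.start // window)) for f in flows)
    worst = {}
    for (src, _), n in buckets.items():
        if n > threshold:
            worst[src] = max(worst.get(src, 0), n)
    return worst


def packet_rate(flows, threshold=200.0):
    """Flows whose combined packets per second exceed `threshold`."""
    hits = []
    for f in flows:
        seconds = max(f.end - f.start, 1.0)   # floor at 1 s so one-packet flows don't divide by zero
        rate = (f.spkts + f.dpkts) / seconds
        if rate > threshold:
            hits.append((f, rate))
    return hits


def correlate(flows):
    """Number of distinct rules each source address triggers; an address that trips
    more than one rule is the one to look at first."""
    hits = Counter()
    hits.update({f.src for f in dead_host_traffic(flows)})
    hits.update({f.src for f in inbound_high_port(flows)})
    hits.update(set(connection_rate(flows)))
    hits.update({f.src for f, _ in packet_rate(flows)})
    return hits


if __name__ == "__main__":
    print(correlate(SAMPLE).most_common())
```

The FTP exception is the one the slide names; the same overlap test extends to any protocol that negotiates a second connection, provided the control channel is itself visible in the trail.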

Stepping Stone Detection

  • A stepping stone is a computer that is used as an intermediate point between two other computers

  • Stepping stones are frequently used by attackers to obscure their location/identity

  • Stepping stones can be detected by correlation of on/off times between two network flows. This is prone to false positives.

  • A better approach is to correlate on and off times of packet activity inside the flow, but this requires finer granularity in the data than Argus can provide.
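The flow-level on/off correlation from the third bullet, as an added Python example (not the talk's code): an inbound flow into a host is paired with an outbound flow from that host whose start and end both fall within a tolerance of the inbound one. The constructed sample includes a real chain and a web server whose database query lines up just as neatly, to show the false positive the slide warns about; the finer-grained in-flow method is not attempted because the data model has no per-packet times. Addresses, durations and the tolerance are constructed values.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto start end spkts sbytes dpkts dbytes")

# Constructed sample: an SSH session into 10.0.0.4 and an SSH session out of it that
# start and stop at almost the same moments (a chain); a web hit on 10.0.0.80 with a
# database query behind it that lines up just as well (a false positive); and an
# unrelated short outbound session from 10.0.0.4 that does not line up.
SAMPLE = [
    Flow("198.51.100.9", "10.0.0.4", 40100, 22, "tcp", 1000.0, 1600.0, 400, 32000, 380, 48000),
    Flow("10.0.0.4", "192.0.2.50", 41000, 22, "tcp", 1001.5, 1599.2, 390, 31000, 370, 47000),
    Flow("10.0.0.4", "192.0.2.60", 41001, 443, "tcp", 1200.0, 1210.0, 12, 900, 10, 4000),
    Flow("203.0.113.5", "10.0.0.80", 51000, 80, "tcp", 2000.0, 2060.0, 30, 2000, 28, 60000),
    Flow("10.0.0.80", "10.0.0.1", 36000, 3306, "tcp", 2000.3, 2059.8, 25, 1500, 25, 50000),
]


def stepping_stone_pairs(flows, tolerance=2.0, min_seconds=30.0):
    """Pair each inbound flow X->H with an outbound flow H->Y whose start and end
    times both fall within `tolerance` seconds of it. Only TCP flows at least
    `min_seconds` long are considered, which trims the shortest coincidences."""
    long_tcp = [f for f in flows if f.proto == "tcp" and f.end - f.start >= min_seconds]
    pairs = []
    for a in long_tcp:
        for b in long_tcp:
            if a is b or a.dst != b.src or a.src == b.dst:
                continue                 # want X -> H and then H -> Y with Y != X
            d_start, d_end = b.start - a.start, b.end - a.end
            if abs(d_start) <= tolerance and abs(d_end) <= tolerance:
                pairs.append({"in": a, "out": b, "start_skew": round(d_start, 2),
                              "end_skew": round(d_end, 2)})
    return pairs


def chains(pairs):
    """Summarise pairs as (origin, stepping stone, next hop) triples."""
    return [(p["in"].src, p["in"].dst, p["out"].dst) for p in pairs]


if __name__ == "__main__":
    for triple in chains(stepping_stone_pairs(SAMPLE)):
        print(" -> ".join(triple))
```

Tightening the tolerance prunes the SSH chain before it prunes the web-to-database pair, which is the point the slide makes: timing alignment at flow granularity cannot tell an interactive relay from a server that simply reacts quickly to its clients.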


  • Using IP audit trails is a powerful enhancement to IDS

  • IP audit trails also give new ways of looking for anomalous traffic, new services on your network, or for getting a better perspective on your network's operation

  • There is lots to be done!