Qosient Argus – Capturing DNS Queries

This post will show how Qosient Argus can be used to capture DNS queries passing in clear text over TCP or UDP port 53.

Another usage scenario of this functionality is to capture certificates when an encrypted channel is being established (e.g. HTTPS).

Argus

Qosient Argus is “the most widely used open source network flow system.” It has similarities with Netflow, JFlow, Sflow, IPDR, and YAF/SiLK, but unlike a pure flow exporter Argus can also capture a limited amount of payload data from the stream.

For more information about Argus see: https://www.qosient.com/argus/

Overview

The target system is a gateway running OpenBSD 6.4 GENERIC.MP#364 amd64. DNS (Unbound) is running on the system and made available via an alias on the internal interface. Two argus daemons will be set up:

  • argus0 – capture all flows traversing the gateway.
  • argus1 – capture only DNS queries.

Installation

# pkg_add -i argus

quirks-3.16 signed on 2018-10-12T15:26:25Z
quirks-3.16: ok
argus-3.0.8.2p1: ok
The following new rcscripts were installed: /etc/rc.d/argus
See rcctl(8) for details.

Configuration

When capturing user data it’s best to run a separate daemon. This minimizes data collection, since the ARGUS_FILTER variable of that daemon can be used to restrict capture to only the traffic whose payload is wanted.

Backup the original configuration since it contains much documentation.

mv /etc/argus.conf /etc/argus.conf.orig

Create configuration for argus0. It will be the default flow collector on the internal interface fxp1 which serves as the gateway.

vi /etc/argus0.conf

Copy/paste the following into /etc/argus0.conf

ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+LAYER_2"
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID="GTWY"
ARGUS_INTERFACE=ind:fxp1/"GTWY"
ARGUS_BIND_IP="10.1.1.1"
ARGUS_GO_PROMISCUOUS=no
ARGUS_SETUSER_ID=_argus
ARGUS_SETGROUP_ID=_argus
ARGUS_OUTPUT_FILE=/var/argus/argus0.out
ARGUS_FLOW_STATUS_INTERVAL=5
ARGUS_MAR_STATUS_INTERVAL=60
ARGUS_GENERATE_PACKET_SIZE=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_GENERATE_APPBYTE_METRIC=yes
ARGUS_TUNNEL_DISCOVERY="yes"
ARGUS_PACKET_CAPTURE_FILE="/var/argus/argus0.cap"
ARGUS_PACKET_CAPTURE_ON_ERROR="yes"

Create configuration for argus1. It will be the daemon for collecting DNS flows and queries. The last two lines are the important ones: ARGUS_CAPTURE_DATA_LEN sets how many bytes of payload to capture from each flow, and ARGUS_FILTER uses tcpdump (BPF) syntax to select which traffic is captured.

vi /etc/argus1.conf

Copy/paste the following into /etc/argus1.conf

ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID="DNS"
ARGUS_INTERFACE=ind:fxp1/"DNS"
ARGUS_BIND_IP="10.1.1.5"
ARGUS_GO_PROMISCUOUS=no
ARGUS_SETUSER_ID=_argus
ARGUS_SETGROUP_ID=_argus
ARGUS_OUTPUT_FILE=/var/argus/argus1.out
ARGUS_FLOW_STATUS_INTERVAL=5
ARGUS_MAR_STATUS_INTERVAL=60
ARGUS_GENERATE_PACKET_SIZE=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_GENERATE_APPBYTE_METRIC=yes
ARGUS_TUNNEL_DISCOVERY="yes"
ARGUS_PACKET_CAPTURE_FILE="/var/argus/argus1.cap"
ARGUS_PACKET_CAPTURE_ON_ERROR="yes"
ARGUS_CAPTURE_DATA_LEN=1024
ARGUS_FILTER="host 10.1.1.5 and (tcp port 53 or udp port 53)"
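With the configuration above Argus keeps up to ARGUS_CAPTURE_DATA_LEN bytes of each flow's payload as user data; turning those bytes into readable query names means parsing the DNS question section, including the two-byte length prefix used on TCP port 53. The following is an added Python example, not part of the original post or of Argus itself, that decodes the header and question from such a payload and rejects a capture that was cut short; the sample packets are constructed inline rather than taken from real traffic.

```python
import struct

# Printable names for common query types (a constructed subset for this example).
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

def parse_qname(buf, offset):
    """Return (name, next_offset) for an uncompressed QNAME starting at offset."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; not expected in a question section
            raise ValueError("compression pointer in question")
        if offset + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) or ".", offset

def parse_dns_query(payload, over_tcp=False):
    """Decode the header and question section of captured DNS payload bytes."""
    if over_tcp:  # RFC 1035 section 4.2.2: two-byte message length precedes the message
        if len(payload) < 2:
            raise ValueError("missing TCP length prefix")
        payload = payload[2:2 + struct.unpack("!H", payload[:2])[0]]
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = parse_qname(payload, off)
        if off + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    return {"id": txid, "is_query": not flags & 0x8000, "questions": questions}

def build_query(name, qtype=1, txid=0x1234):
    """Construct a sample standard query (demo input, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

SAMPLE_UDP = build_query("www.openbsd.org", qtype=28)
SAMPLE_TCP = struct.pack("!H", len(SAMPLE_UDP)) + SAMPLE_UDP
```

Feeding a payload that was cut off before the end of the question raises ValueError instead of returning a partial name, which is what you want when ARGUS_CAPTURE_DATA_LEN is smaller than the message.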

Create an rc script for each argus configuration and back up the original file.

# cp /etc/rc.d/argus /etc/rc.d/argus0
# cp /etc/rc.d/argus /etc/rc.d/argus1
# mv /etc/rc.d/argus /etc/rc.d/argus.orig

Enable the argus daemons.

# rcctl enable argus0
# rcctl enable argus1

Set flags for the argus daemons to use the appropriate configuration file.

# rcctl set argus0 flags -F /etc/argus0.conf
# rcctl set argus1 flags -F /etc/argus1.conf

Start argus daemons.

# rcctl start argus0
# rcctl start argus1

Log Rotation

The easiest method of log rotation is to move the file to an archive.

Create archive directory.

mkdir /var/argus/archive

Create the following crontab entries, which run every hour.

0 * * * * /bin/mv /var/argus/argus0.out /var/argus/archive/argus0.`date "+\%Y.\%m.\%d.\%H"`.out
0 * * * * /bin/mv /var/argus/argus1.out /var/argus/archive/argus1.`date "+\%Y.\%m.\%d.\%H"`.out
