The prior post, Qosient Argus – Capturing DNS Queries, showed how to install and configure Qosient Argus on OpenBSD 6.4 to capture DNS queries. This post will build on that to show how to analyze that data for troubleshooting or incident response.
As previously mentioned, these techniques could be used to capture certificates when an encrypted channel (e.g. SSL/TLS) is being established.
Get more information about Argus here: https://www.qosient.com/argus/
Overview
This post builds off the prior post: Qosient Argus – Capturing DNS Queries where log files are stored:
Active Log = /var/argus/argus?.out
Archive Logs = /var/argus/archive/argus?.yyyy.MM.dd.HH.out
To review argus data, the argus-clients package needs to be installed. To decode the captured user data, tshark must be installed as well.
Installation
# pkg_add -i argus-clients
quirks-3.16 signed on 2018-10-12T15:26:25Z
argus-clients-3.0.8.2p1:bzip2-1.0.6p9: ok
argus-clients-3.0.8.2p1:sqlite3-3.24.0p0: ok
argus-clients-3.0.8.2p1:libiconv-1.14p3: ok
argus-clients-3.0.8.2p1:gettext-0.19.8.1p1: ok
argus-clients-3.0.8.2p1:libffi-3.2.1p4: ok
argus-clients-3.0.8.2p1:python-2.7.15p0: ok
argus-clients-3.0.8.2p1:flow-tools-0.68.5.1p5: ok
argus-clients-3.0.8.2p1: ok
--- +python-2.7.15p0 -------------------
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
ln -sf /usr/local/bin/python2.7 /usr/local/bin/python
ln -sf /usr/local/bin/python2.7-2to3 /usr/local/bin/2to3
ln -sf /usr/local/bin/python2.7-config /usr/local/bin/python-config
ln -sf /usr/local/bin/pydoc2.7 /usr/local/bin/pydoc
# pkg_add -i tshark
quirks-3.16 signed on 2018-10-12T15:26:25Z
tshark-2.6.3:lz4-1.8.3: ok
tshark-2.6.3:libgpg-error-1.32: ok
tshark-2.6.3:libgcrypt-1.8.3: ok
tshark-2.6.3:libssh-0.7.5: ok
tshark-2.6.3:bcg729-1.0.2: ok
tshark-2.6.3:jpeg-2.0.0v0: ok
tshark-2.6.3:tiff-4.0.9: ok
tshark-2.6.3:spandsp-0.0.6: ok
tshark-2.6.3:xz-5.2.4: ok
tshark-2.6.3:libxml-2.9.8p0: ok
tshark-2.6.3:nghttp2-1.33.0: ok
tshark-2.6.3:snappy-1.1.7: ok
tshark-2.6.3:libelf-0.8.13p4: ok
tshark-2.6.3:pcre-8.41: ok
tshark-2.6.3:glib2-2.56.3p0: ok
tshark-2.6.3:geolite2-country-20181003: ok
tshark-2.6.3:libmaxminddb-1.3.2p0: ok
tshark-2.6.3:libsmi-0.4.8p1: ok
tshark-2.6.3:libtasn1-4.13p0: ok
tshark-2.6.3:p11-kit-0.23.2p1: ok
tshark-2.6.3:libunistring-0.9.7: ok
tshark-2.6.3:gmp-6.1.2p1: ok
tshark-2.6.3:libnettle-3.4: ok
tshark-2.6.3:libidn2-2.0.0p0: ok
tshark-2.6.3:gnutls-3.5.19: ok
tshark-2.6.3:lua-5.2.4p1: ok
tshark-2.6.3:libcares-1.13.0: ok
tshark-2.6.3: ok
Running tags: ok
New and changed readme(s):
/usr/local/share/doc/pkg-readmes/glib2
Useful Switches
Time Range
The -t switch offers serious kung-fu one can use to really dial in on a specific time or cast a large net to find that needle in a haystack. Check out the following examples from the ra manual page.
Examples are:
-t 14                  specify the time range 2pm-3pm for today
-t 15-23               specify the time range 3pm-11pm for today
-t 2011                all records in the year 2011
-t 2011/08             all records in Aug of the year 2011
-t 2011/08-2011/10     all records in Aug, Sept, and Oct of the year 2011
-t **.14               specify 2pm-3pm, every day this month
-t 1270616652+2s       all records that span 10/04/07.01:04:12 EDT.
-t 1999y1m23d10h       matches 10-11am on Jan 23, 1999
-t 10d*h*m15s          matches records that intersect the 15 sec, any minute, any hour, on the 10th of this month
-t ****/11/23          all records on Nov 23rd, any year
-t 23.11:10-14         11:10:00 - 2pm on the 23rd of this month
-t -10m                matches 10 minutes before, to the present
-t -1M+1d              matches the first day of this month.
-t -2h5m+5m            matches records that start before and end after the range starting 2 hours 5 minutes prior to the present, and lasting 5 minutes.
Output File/stdout
When chaining commands, specify stdout by setting the -w switch to a hyphen: -w -
The following is a great example where racluster passes the resulting argus records to rasort.
racluster -m sco -r /tmp/ralabel.out -w - | rasort -m pkts -w /tmp/country.stats.out
Specify Fields
The -s switch accepts lots of data fields. While the following examples hit the high points, be sure to check the manual page and review the entire list.
To add or remove fields from the default display, use the format: +/-FieldName:Width
Add the fields sappbytes and dappbytes to the default output with a column width of 5.
ra -r /var/argus/argus0.out -s +sappbytes:5 +dappbytes:5
Remove the flgs field from the default output.
ra -r /var/argus/argus0.out -s -flgs
Only show the fields: saddr sport daddr dport pkts spkts dpkts
ra -r /var/argus/argus0.out -s saddr sport daddr dport pkts spkts dpkts
Useful Fields
Application Bytes
These two fields greatly help when looking at flows: sappbytes and dappbytes. As the names suggest, these fields represent the payload, with the bytes used to support the lower protocols (e.g. TCP/UDP, IP, etc.) removed.
sappbytes = src -> dst application bytes.
dappbytes = dst -> src application bytes.
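As an added example (not from the original post or the Argus project), the script below consumes delimiter-separated ra output and sums request and response payload per client for port-53 flows, then flags clients whose DNS answers are far larger than their queries. It assumes the records were produced with ra's -c option and the field order saddr sport daddr dport sappbytes dappbytes; the sample lines are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for the output of an assumed invocation:
#   ra -r /var/argus/argus0.out -c , -s saddr sport daddr dport sappbytes dappbytes
# The header line mirrors ra's column labels; all addresses and byte counts are made up.
SAMPLE_RA_CSV = """\
SrcAddr,Sport,DstAddr,Dport,SAppBytes,DAppBytes
192.0.2.10,51234,192.0.2.53,53,40,120
192.0.2.10,51235,192.0.2.53,53,38,96
192.0.2.77,40001,192.0.2.53,53,62,140
192.0.2.77,40002,192.0.2.53,53,61,138
192.0.2.77,40003,192.0.2.53,53,60,990
192.0.2.10,49200,198.51.100.5,443,1200,15000
"""


def parse_ra_csv(text):
    """Parse comma-separated ra records into dicts, skipping a header or blank lines."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) < 6 or not fields[1].isdigit():
            continue  # header line (Sport is not numeric) or malformed line
        saddr, sport, daddr, dport, sapp, dapp = fields[:6]
        rows.append({"saddr": saddr, "sport": int(sport), "daddr": daddr,
                     "dport": int(dport), "sappbytes": int(sapp), "dappbytes": int(dapp)})
    return rows


def dns_app_bytes_per_client(rows):
    """Sum query payload (sappbytes) and answer payload (dappbytes) per client, port-53 flows only."""
    totals = defaultdict(lambda: {"flows": 0, "sappbytes": 0, "dappbytes": 0})
    for r in rows:
        if r["dport"] != 53:
            continue
        t = totals[r["saddr"]]
        t["flows"] += 1
        t["sappbytes"] += r["sappbytes"]
        t["dappbytes"] += r["dappbytes"]
    return dict(totals)


def flag_heavy_responders(totals, ratio=5.0, min_flows=2):
    """Clients whose total DNS answer bytes exceed `ratio` times their query bytes."""
    flagged = []
    for saddr, t in totals.items():
        if t["flows"] < min_flows or t["sappbytes"] == 0:
            continue  # too few flows to judge, or nothing sent (avoid division by zero)
        if t["dappbytes"] / t["sappbytes"] >= ratio:
            flagged.append(saddr)
    return sorted(flagged)
```

The ratio threshold is a starting point for triage, not a verdict; large TXT or DNSSEC answers will raise it legitimately, so compare against the baseline of the same resolver.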
Country Code
Geolocation data isn't natively available in argus records. Instead, ralabel or radium must be used in conjunction with geolocation data (e.g. ICANN, InterNIC, MaxMind GeoIP) to update fields in the argus record, whether it's in a file or a stream.
More information is available here: https://qosient.com/argus/geolocation.shtml
User Data
User data is stored in the following two fields. Argus will not log this data by default so it must be enabled in the configuration file. See the prior post for more information: Qosient Argus – Capturing DNS Queries.
suser = source user data buffer.
duser = destination user data buffer.
Use with caution. Capturing data will cause files to grow quite large.
Shared Switches
Argus client utilities share command line switches with ra, which may be a useful alternative to chaining commands. Either way, spend time reviewing the ra manual page.