Qosient Argus – Analyzing DNS Queries Part 1

The prior post, Qosient Argus – Capturing DNS Queries, showed how to install and configure Qosient Argus on OpenBSD 6.4 to capture DNS queries. This post will build on that to show how to analyze that data for troubleshooting or incident response.

As previously mentioned, these techniques could be used to capture certificates when an encrypted channel (e.g. SSL/TLS) is being established.

Get more information about Argus here: https://www.qosient.com/argus/

Overview

This post builds on the prior post, Qosient Argus – Capturing DNS Queries, which stores the log files in the following locations:

Active Log = /var/argus/argus?.out
Archive Logs = /var/argus/archive/argus?.yyyy.MM.dd.HH.out

To review argus data, the argus-clients package needs to be installed.

To decode the captured user data, tshark must be installed as well.

Installation

# pkg_add -i argus-clients


quirks-3.16 signed on 2018-10-12T15:26:25Z
argus-clients-3.0.8.2p1:bzip2-1.0.6p9: ok
argus-clients-3.0.8.2p1:sqlite3-3.24.0p0: ok
argus-clients-3.0.8.2p1:libiconv-1.14p3: ok
argus-clients-3.0.8.2p1:gettext-0.19.8.1p1: ok
argus-clients-3.0.8.2p1:libffi-3.2.1p4: ok
argus-clients-3.0.8.2p1:python-2.7.15p0: ok
argus-clients-3.0.8.2p1:flow-tools-0.68.5.1p5: ok
argus-clients-3.0.8.2p1: ok
--- +python-2.7.15p0 -------------------
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
ln -sf /usr/local/bin/python2.7 /usr/local/bin/python
ln -sf /usr/local/bin/python2.7-2to3 /usr/local/bin/2to3
ln -sf /usr/local/bin/python2.7-config /usr/local/bin/python-config
ln -sf /usr/local/bin/pydoc2.7 /usr/local/bin/pydoc

# pkg_add -i tshark


quirks-3.16 signed on 2018-10-12T15:26:25Z
tshark-2.6.3:lz4-1.8.3: ok
tshark-2.6.3:libgpg-error-1.32: ok
tshark-2.6.3:libgcrypt-1.8.3: ok
tshark-2.6.3:libssh-0.7.5: ok
tshark-2.6.3:bcg729-1.0.2: ok
tshark-2.6.3:jpeg-2.0.0v0: ok
tshark-2.6.3:tiff-4.0.9: ok
tshark-2.6.3:spandsp-0.0.6: ok
tshark-2.6.3:xz-5.2.4: ok
tshark-2.6.3:libxml-2.9.8p0: ok
tshark-2.6.3:nghttp2-1.33.0: ok
tshark-2.6.3:snappy-1.1.7: ok
tshark-2.6.3:libelf-0.8.13p4: ok
tshark-2.6.3:pcre-8.41: ok
tshark-2.6.3:glib2-2.56.3p0: ok
tshark-2.6.3:geolite2-country-20181003: ok
tshark-2.6.3:libmaxminddb-1.3.2p0: ok
tshark-2.6.3:libsmi-0.4.8p1: ok
tshark-2.6.3:libtasn1-4.13p0: ok
tshark-2.6.3:p11-kit-0.23.2p1: ok
tshark-2.6.3:libunistring-0.9.7: ok
tshark-2.6.3:gmp-6.1.2p1: ok
tshark-2.6.3:libnettle-3.4: ok
tshark-2.6.3:libidn2-2.0.0p0: ok
tshark-2.6.3:gnutls-3.5.19: ok
tshark-2.6.3:lua-5.2.4p1: ok
tshark-2.6.3:libcares-1.13.0: ok
tshark-2.6.3: ok
Running tags: ok
New and changed readme(s):
/usr/local/share/doc/pkg-readmes/glib2

Useful Switches

Time Range

The -t switch offers serious kung-fu one can use to really dial in on a specific time or cast a large net to find that needle in a haystack. Check out the following examples from the ra manual page.

Examples are:
              -t 14              specify the time range 2pm-3pm for today
              -t 15-23           specify the time range 3pm-11pm for today
              -t 2011            all records in the year 2011
              -t 2011/08         all records in Aug of the year 2011
              -t 2011/08-2011/10 all records in Aug, Sept, and Oct of the year 2011

              -t **.14           specify 2pm-3pm, every day this month
              -t 1270616652+2s   all records that span 10/04/07.01:04:12 EDT.
              -t 1999y1m23d10h   matches 10-11am on Jan, 23, 1999
              -t 10d*h*m15s      matches records that intersect the 15 sec,
                                 any minute, any hour, on the 10th of this month
              -t ****/11/23      all records in Nov 23rd, any year
              -t 23.11:10-14     11:10:00 - 2pm on the 23rd of this month
              -t -10m            matches 10 minutes before, to the present
              -t -1M+1d          matches the first day of this month.
              -t -2h5m+5m        matches records that start before and end
                                 after the range starting 2 hours 5 minutes
                                 prior to the present, and lasting 5 minutes.
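To make the -t forms concrete, here is an added example (not part of the original post, and not ra's own parser) that maps a subset of the syntax shown above to a half-open [start, end) interval and filters a constructed list of DNS flow start times with it. The reference time "now" is passed in explicitly so the results are reproducible.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records: (stime, saddr, daddr, dport) for DNS flows.
SAMPLE_FLOWS = [
    (datetime(2018, 10, 12, 14, 5, 0), "192.0.2.10", "192.0.2.1", 53),
    (datetime(2018, 10, 12, 16, 25, 0), "192.0.2.11", "192.0.2.1", 53),
    (datetime(2011, 9, 3, 8, 0, 0), "192.0.2.12", "192.0.2.1", 53),
]

def ra_time_range(spec, now):
    """Map a subset of ra's -t syntax to a half-open [start, end) interval.
    Supported forms (from the manual excerpt): HH, HH-HH, YYYY, YYYY/MM,
    YYYY/MM-YYYY/MM and relative -N{s,m,h,d}. Illustrative re-implementation
    only, not ra's own parser; any other form raises ValueError."""
    m = re.fullmatch(r"-(\d+)([smhd])", spec)
    if m:  # "-10m": from N units before now, up to the present
        n, unit = int(m.group(1)), m.group(2)
        units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
        return now - timedelta(**{units[unit]: n}), now
    m = re.fullmatch(r"(\d{4})(?:/(\d{1,2}))?(?:-(\d{4})(?:/(\d{1,2}))?)?", spec)
    if m:  # "2011", "2011/08", "2011/08-2011/10": end year/month is inclusive
        y1, mo1, y2, mo2 = m.groups()
        start = datetime(int(y1), int(mo1) if mo1 else 1, 1)
        ey, em = int(y2 or y1), (mo2 if y2 else mo1)
        if em is None:
            end = datetime(ey + 1, 1, 1)
        else:
            em = int(em)
            end = datetime(ey + 1, 1, 1) if em == 12 else datetime(ey, em + 1, 1)
        return start, end
    m = re.fullmatch(r"(\d{1,2})(?:-(\d{1,2}))?", spec)
    if m:  # "14" is 2pm-3pm today; "15-23" is 3pm-11pm today, per the manual text
        today = now.replace(hour=0, minute=0, second=0, microsecond=0)
        h1 = int(m.group(1))
        h2 = int(m.group(2)) if m.group(2) else h1 + 1
        return today + timedelta(hours=h1), today + timedelta(hours=h2)
    raise ValueError("unsupported -t form: %r" % spec)

def flows_in_range(flows, spec, now):
    """Return the flows whose start time falls inside the -t interval."""
    start, end = ra_time_range(spec, now)
    return [f for f in flows if start <= f[0] < end]
```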

Output File/stdout

When chaining commands, specify stdout by setting the -w switch to a hyphen: -w -

The following is a great example where racluster passes the resulting argus records to rasort.

racluster -m sco -r /tmp/ralabel.out -w - | rasort -m pkts -w /tmp/country.stats.out

Specify Fields

The -s switch selects which data fields are printed, and there are many to choose from. While the following examples hit the high points, be sure to check the manual page and review the entire list.

To add or remove fields relative to the default display, use the format +FieldName:Width or -FieldName:Width.

Add fields sappbytes and dappbytes to the default output with a column width of 5.
ra -r /var/argus/argus0.out -s +sappbytes:5 +dappbytes:5

Remove the flgs field from the default output.
ra -r /var/argus/argus0.out -s -flgs

Only show the fields: saddr sport daddr dport pkts spkts dpkts
ra -r /var/argus/argus0.out -s saddr sport daddr dport pkts spkts dpkts

Useful Fields

Application Bytes

Two fields, sappbytes and dappbytes, are especially helpful when looking at flows. As the names suggest, they count only application payload bytes; the bytes used by the lower-layer protocol headers (TCP/UDP, IP, etc.) are excluded.

sappbytes = src -> dst application bytes.
dappbytes = dst -> src application bytes.

Country Code

Geolocation data isn't natively available in argus records. Instead, ralabel or radium must be used in conjunction with geolocation data (e.g. ICANN, InterNIC, MaxMind GeoIP) to update fields in the argus record, whether it's in a file or a stream.

More information is available here: https://qosient.com/argus/geolocation.shtml

User Data

User data is stored in the following two fields. Argus will not log this data by default so it must be enabled in the configuration file. See the prior post for more information: Qosient Argus – Capturing DNS Queries.

suser = source user data buffer.
duser = destination user data buffer.

Use with caution: capturing user data will cause files to grow quite large.

Shared Switches

Argus client utilities share command line switches with ra, which may be a useful alternative to chaining commands. Either way, spend time reviewing the ra manual page.
