[Support] 'src_port' column question
Hello!
- Reading snippet from README.md:
proto dst_port dst_ip src_ip first_seen last_seen count
TCP 1080 192.165.63.181 222.186.56.107 1446188056 1446188056 1
TCP 1080 192.165.63.181 64.125.239.78 1446191096 1446191096 1
TCP 1081 192.165.63.181 111.248.100.185 1446175412 1446175412 1
TCP 1081 192.165.63.181 111.248.102.150 1446183374 1446183374 1
TCP 1081 192.165.63.181 36.225.254.129 1446170512 1446170512 1
...
...
where proto (e.g. in the first entry this is TCP) represents the protocol that has been
used by the initiator coming from src_ip (e.g. in the first entry this is 222.186.56.107)
toward our <dst_ip:dst_port> (e.g. in the first entry this is 192.165.63.181:1080) service,
first_seen represents the time of (that day's first) connection attempt represented
in Unix timestamp format (e.g. in the first entry this is 1446188056,
which stands for Fri, 30 Oct 2015 06:54:16 GMT), last_seen represents (that day's last)
connection attempt (e.g. in the first entry it's the same as the first_seen value),
while count holds the total number of connection attempts.
I have a question: why isn't the src_port parameter in use?
For example: I initiate an FTP connection to some FTP server in a terminal and then run the ls command.
tsusen displays some incoming connection on TCP, which seems not to be related to the current FTP session.

Q: How can I have src_port info displayed in tsusen, like it is displayed in the Maltrail app?
- Here is an informative screenshot in
README.md with multiple connections to different ports, e.g. TCP 22 (ssh).
http://i.imgur.com/EOAAWb2.png
Q: Does this list relate to the port list:
# Reference: https://sixohthree.com/media/2003/06/26/lock_your_doors/portscan.txt
MISC_PORTS = { 17: "qotd", 53: "dns", 135: "dcom-rpc", 502: "modbus", 623: "ipmi", 1433: "mssql", 1723: "pptp", 1900: "upnp", 3128: "squid", 3389: "rdesktop", 5351: "nat-pmp", 5357: "wsdapi", 5631: "pc-anywhere", 5800: "vnc", 5900: "vnc", 5901: "vnc-1", 5902: "vnc-2", 5903: "vnc-3", 6379: "redis", 7547: "cwmp", 8118: "privoxy", 8338: "maltrail", 8339: "tsusen", 8443: "https-alt", 9200: "wap-wsp", 11211: "memcached", 17185: "vxworks", 27017: "mongo", 53413: "netis" }
from the /tsusen/core/settings.py file?
And how can it be managed (e.g. to display ssh connection attempts from the Internet only, or from local network sources only)?
Thanks!
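An added example for the filtering asked about above (not tsusen's own code): it parses output in the README's column layout, labels dst_port using entries taken from MISC_PORTS (the labels for 21/22/80 are the usual IANA names and are an assumption), and splits rows by local-network versus Internet source. The sample rows are constructed from the README entries plus two ssh rows.

```python
"""Added example for this thread (not tsusen code): filter tsusen's README-format
output by dst_port and by local-network vs Internet source, and label the port."""
import ipaddress
from datetime import datetime, timezone

# Labels: thread's 21/22/80 (IANA names, assumed) + entries from tsusen's MISC_PORTS.
PORT_NAMES = {21: "ftp", 22: "ssh", 80: "http", 53: "dns", 3389: "rdesktop",
              5900: "vnc", 6379: "redis", 8339: "tsusen", 27017: "mongo"}
# Constructed sample: two README rows plus two ssh rows, one from a LAN address.
SAMPLE = """proto dst_port dst_ip src_ip first_seen last_seen count
TCP 1080 192.165.63.181 222.186.56.107 1446188056 1446188056 1
TCP 1081 192.165.63.181 36.225.254.129 1446170512 1446170512 1
TCP 22 192.165.63.181 192.168.1.50 1446170600 1446171200 4
TCP 22 192.165.63.181 64.125.239.78 1446172000 1446179999 17
"""

def parse_rows(text):
    """Whitespace-separated table -> list of dicts; malformed lines are skipped."""
    lines = text.strip().splitlines()
    header, rows = lines[0].split(), []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # truncated/garbled line: skip rather than crash
        row = dict(zip(header, fields))
        for key in ("dst_port", "first_seen", "last_seen", "count"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def is_local(ip):
    # RFC 1918, loopback and link-local addresses count as "local network"
    return ipaddress.ip_address(ip).is_private

def select(rows, dst_port=None, source=None):
    """dst_port: int or None (any); source: 'local', 'internet' or None (both)."""
    keep = []
    for row in rows:
        if dst_port is not None and row["dst_port"] != dst_port:
            continue
        if source in ("local", "internet") and is_local(row["src_ip"]) != (source == "local"):
            continue
        keep.append(row)
    return keep

def describe(row):
    """One line: proto, port with service label, source, first_seen in GMT, count."""
    name = PORT_NAMES.get(row["dst_port"], "unknown")
    seen = datetime.fromtimestamp(row["first_seen"], timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return f"{row['proto']} {row['dst_port']}/{name} <- {row['src_ip']} first_seen {seen} count {row['count']}"
```

For example, `select(parse_rows(SAMPLE), dst_port=22, source="internet")` keeps only the ssh row from 64.125.239.78, and `describe()` on the first README row reproduces the README's own GMT timestamp.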
tsusen should be used as a standalone silent box on the network/Internet. You put it, for example, on some VPS box and just let it collect the data about the incoming (intruding) connection attempts that nobody should initiate toward that box in the first place.
src_port is irrelevant from the architecture point of view, as tsusen was designed to collect ONLY data about what the pesky intruders want to connect to. We (or I, when I designed it) should not care about the src_port, as it brings unnecessary noise into the whole output.
Not sure about your example, but if set up correctly, tsusen should give you results for all those intruding connection attempts toward some service port on your side (e.g. 21 - FTP, 80 - HTTP, etc.).
> tsusen should be used as a standalone silent box on the network/Internet. You put it, for example, on some VPS box and just let it collect the data about the incoming (intruding) connection attempts that nobody should initiate toward that box in the first place.
Totally agree with it.
> src_port is irrelevant from the architecture point of view, as tsusen was designed to collect ONLY data about what the pesky intruders want to connect to. We (or I, when I designed it) should not care about the src_port, as it brings unnecessary noise into the whole output.
The desire to have noiseless data is OK, but personally, especially when using Maltrail, where src_ip/src_port and dst_ip/dst_port pairs are in use, the src_port field is also intuitively expected. If we collect data about what the pesky intruders want to connect to on our side, let us have info about them as full as possible. It is just an intuitive desire of mine as an admin. This could also be OFF by default, but manageable via the tsusen.conf file, like #SRC_PORT_TRACK=yes.
> Not sure about your example, but if set up correctly, tsusen should give you results for all those intruding connection attempts toward some service port on your side (e.g. 21 - FTP, 80 - HTTP, etc.).
Everything is in the default conf files, as it was cloned via git clone; no changes were made. Possibly the reason is that my PC is behind a router. I can make a brief video with a steps-to-reproduce algo, if needed.
P.S. I have also noted that tsusen is -3 hours off my local timezone (Kiev), unlike Maltrail, which uses the correct time. Do I need to file a separate report?