Argus 2.0 features
Russell Fulton
r.fulton at auckland.ac.nz
Tue Jul 4 23:19:53 EDT 2000
Hi All,
My main interest in argus is twofold: firstly as a tool for
detecting threatening or anomalous traffic and secondly as an audit
tool for forensic investigations.
The current version of argus is very good for the latter purpose
but has significant weaknesses in the former role. In particular it
does not do a very good job of logging single packets that do not
conform to the normal tcp state transitions. Carter has done a great
deal over the last couple of years to improve argus in this respect
(Thanks!) but he has now run up against the storage limitations of the
current audit record.
So what I would like to initiate here is a discussion amongst those of
us involved in Misuse detection (for want of a better term).
The question is what new features do we want from Argus?
Here are some ideas off the top of my head:
1/ the ability to log tcp packets that are anomalous, e.g.
packets with illegal combinations of flags.
2/ the logging of more complete information for such packets (perhaps
the best way to do this would be to have a new record class for such
packets).
3/ When such packets are detected they should be written out immediately.
There are some cases where it is not straightforward to decide if a
packet is anomalous or not, e.g. a packet with ACK or FIN set where
there is no established tcp stream. It may be a tcp-ping or FIN scan
or they might just be packets of a tcp stream that got delayed and the
stream has timed out. I think that I would like such packets flagged
in some way to aid easy extraction by ra and friends.
What do others think?
On the subject of language support (damn, I seem to have lost Carter's
original post on the subject): nearly all my access to argus records is
via perl scripts which run ra with various filters. This works fine
most of the time but there are occasions when I would have liked to have
lower-level access to the argus files from within perl (or more
sophisticated filtering) from ra. It would seem that the biggest cpu
overhead in ra is formatting the record for output; in a few cases I
have had to use ra to extract large numbers of (or all) records and this
is relatively slow. This is particularly so if you are doing
statistical investigations.
Lastly an aside -- I am about to buy a new machine which will be used
to store and analyse argus records. Anybody have any experience on
what factors limit the performance of ra and friends running on disk
based logs? Oh, BTW, money is tight ;-)
I thought of a fast and wide scsi disk, 128MB of memory and a 500MHz
processor. Not taking the standard IDE disks increases the price
considerably; does anyone have a feeling for what difference this will
make to performance?
It will run either Linux or FreeBSD, again any opinions?
Is there any way I can trade memory for disk reading performance on
these OSes?
Cheers and thanks,
Russell.