Argus 2.0 User Payload Data

Carter Bullard carter at qosient.com
Fri Jul 14 08:52:55 EDT 2000


Gentle people,
   In Argus-2.0, I want to add an option to include
upper layer data into the flow output stream.  The
purpose is two fold:

   1. To facilitate service discovery.
   2. To support covert channel discovery.

I have thought about two strategies for this.  The
first is where we embed the support for user data
reporting directly into the Argus record itself,
by providing a section where we can put the first
32 bytes of user data in both directions.
This should give us protocol header and possibly
some actual request and response data.
The issue will be whether 32 bytes is enough or too much.

The second is to have a supplemental record that can be
generated for flows of interest.  Because we have
an internal Argus flow ID in the Argus-2.0 record,
we can now generate management records that refer
to this ID that contain supplemental information for
the normal flow data that is provided by Argus.
This type of feature could support a number of things
such as whole packet capture or processed user payload
reporting.

Is there an opinion?  I'm leaning toward strategy
two, as I see it handling privacy concerns better
than strategy one.  The basic Argus record is
designed to minimize privacy intrusion, and the
supplemental records that could possibly intrude
could be filtered out, encrypted, tossed etc...

Suggestions, comments, opinions are definitely welcome!


Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426
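The following is an added illustration of the two strategies discussed in the post above; it is example code written for this page, not Argus code and not Carter's. It tracks flows by 5-tuple, keeps only the first 32 bytes of user data in each direction (strategy one, embedded in the flow record), and alternatively emits a privacy-minimal base record plus a separate supplemental record keyed by the flow ID only for flows of interest (strategy two). The service signatures, the "well-known port carrying something else" criterion used to pick flows of interest, and the packets fed in are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAYLOAD_PREFIX = 32                         # the 32 bytes per direction proposed in the post
FlowKey = Tuple[str, str, int, int, str]    # src, dst, sport, dport, proto


@dataclass
class FlowRecord:
    flow_id: int
    key: FlowKey            # direction of the first packet seen is "forward"
    pkts: int = 0
    nbytes: int = 0
    fwd_data: bytes = b""   # strategy 1: first PAYLOAD_PREFIX bytes, forward direction
    rev_data: bytes = b""   # strategy 1: first PAYLOAD_PREFIX bytes, reverse direction


@dataclass
class SupplementalRecord:
    flow_id: int            # strategy 2: refers back to the FlowRecord it augments
    kind: str
    fwd_data: bytes
    rev_data: bytes


class FlowTracker:
    def __init__(self, prefix_len: int = PAYLOAD_PREFIX):
        self.prefix_len = prefix_len
        self.flows: Dict[FlowKey, FlowRecord] = {}
        self.next_id = 1

    def add_packet(self, src, dst, sport, dport, proto, payload: bytes) -> FlowRecord:
        fwd = (src, dst, sport, dport, proto)
        rev = (dst, src, dport, sport, proto)
        if fwd in self.flows:
            rec, forward = self.flows[fwd], True
        elif rev in self.flows:
            rec, forward = self.flows[rev], False
        else:
            rec = FlowRecord(self.next_id, fwd)
            self.next_id += 1
            self.flows[fwd] = rec
            forward = True
        rec.pkts += 1
        rec.nbytes += len(payload)
        # Later packets only fill whatever room is left in the prefix; the
        # stored user data never grows past prefix_len bytes per direction.
        if forward:
            rec.fwd_data += payload[: self.prefix_len - len(rec.fwd_data)]
        else:
            rec.rev_data += payload[: self.prefix_len - len(rec.rev_data)]
        return rec


def guess_service(fwd: bytes, rev: bytes) -> str:
    """Service discovery from the payload prefixes alone (constructed heuristics)."""
    if any(fwd.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    if fwd.startswith(b"SSH-") or rev.startswith(b"SSH-"):
        return "ssh"
    if len(fwd) >= 3 and fwd[0] == 0x16 and fwd[1] == 0x03:   # TLS handshake record header
        return "tls"
    if rev.startswith(b"220 "):                                # SMTP/FTP greeting banner
        return "smtp-or-ftp"
    return "unknown"


EXPECTED_BY_PORT = {22: "ssh", 25: "smtp-or-ftp", 80: "http", 443: "tls"}


def port_mismatch(rec: FlowRecord) -> bool:
    """Covert-channel hint (assumed criterion): a well-known port carrying another protocol."""
    expected = EXPECTED_BY_PORT.get(rec.key[3])
    guessed = guess_service(rec.fwd_data, rec.rev_data)
    return rec.nbytes > 0 and expected is not None and guessed != expected


def export(tracker: FlowTracker, strategy: int):
    """Strategy 1 embeds the payload prefixes in every flow record.
    Strategy 2 keeps the base record free of user data and emits a
    supplemental record, keyed by flow_id, only for flows of interest."""
    base, supp = [], []
    for rec in tracker.flows.values():
        row = {"flow_id": rec.flow_id, "key": rec.key, "pkts": rec.pkts, "bytes": rec.nbytes}
        if strategy == 1:
            row["fwd_data"], row["rev_data"] = rec.fwd_data, rec.rev_data
        elif port_mismatch(rec):
            supp.append(SupplementalRecord(rec.flow_id, "payload", rec.fwd_data, rec.rev_data))
        base.append(row)
    return base, supp


def demo() -> FlowTracker:
    """Constructed packets: an HTTP flow, an SSH flow, and a binary blob sent to port 80."""
    t = FlowTracker()
    t.add_packet("10.0.0.5", "10.0.0.80", 40001, 80, "tcp",
                 b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n")
    t.add_packet("10.0.0.80", "10.0.0.5", 80, 40001, "tcp",
                 b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello")
    t.add_packet("10.0.0.5", "10.0.0.22", 40002, 22, "tcp", b"")          # SYN, no user data
    t.add_packet("10.0.0.22", "10.0.0.5", 22, 40002, "tcp", b"SSH-2.0-OpenSSH_2.1.1\r\n")
    t.add_packet("10.0.0.5", "10.0.0.99", 40003, 80, "tcp", bytes(range(64)))  # not HTTP
    return t


if __name__ == "__main__":
    base, supp = export(demo(), strategy=2)
    for row in base:
        print(row)
    for s in supp:
        print("supplemental for flow", s.flow_id, s.fwd_data[:8])
```

Under strategy two the base records carry no user data at all, so a consumer that never sees the supplemental stream gets exactly the privacy-minimal record the post describes, and the supplemental records can be filtered, encrypted or dropped on their own because each one stands alone with its flow ID.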
