Argus 2.0 wishes

Carter Bullard cbullard at nortelnetworks.com
Mon Mar 6 18:44:08 EST 2000


Hey Russell,
  Thanks for the reply!!  I'm of the opinion that network-
based deep packet strategies are theoretically flawed,
and so I'm not one to try to extend Argus to provide
packet oriented functions.  At least while Argus is an
academic/research oriented project ;o)

On the security front:

  Argus-like data has a lot of uses, but security policy
validation is a major one that I think many sites find
very useful.  We have the Cisco filter support in ra()
now, but I'm sure that many sites don't exploit it to
the fullest.  One of the primary uses that I had envisioned
was that when sites want to change their security policies,
or their security enforcement strategies, like modifying
their router filters, they could run their archived
Argus data through the new filters to test them.  I used
to do this when I did that sort of thing, and it worked
really well.  Any ideas on whether enhancing this capability
would be useful?

  I put the fragment support in Argus to support covert
channel detection, since fragment channels are pretty
straightforward to set up and extremely difficult for
some to detect and block.  Not much action in this area
yet, but I expect that this will increase with time.
Any opinions as to whether covert channel detection is
something Argus should expand on?  Simple stuff, like
Src/Dst packet ratio variations, can be used to detect
covert channels on well known application ports, like
SMTP.  So..., would application profiling support
be something to add?

  Regarding better reporting of anomalous TCP traffic,
Argus already provides detection support for a number of
TCP attack strategies, some that have yet to appear on
the scene.  Argus detail mode supports detecting
hosts that are susceptible to TCP sequence number
prediction, and I'm not aware of many other tools that
do this.  Example programs would probably be useful here.

  Flexible data aggregation is another area that should
be discussed, to support better archival and data
management.  Any opinions on this front?


Carter
> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> Sent: Monday, March 06, 2000 6:01 PM
> To: argus at lists.andrew.cmu.edu
> Subject: Argus 2.0 wishes
> 
> 
> 
> On Mon, 6 Mar 2000 10:03:18 -0800 Carter Bullard 
> <cbullard at nortelnetworks.com> wrote:
> 
> >    There aren't too many illegal TCP bit combinations,
> > and this logic would be very useful, however, the Argus
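The Src/Dst packet-ratio profiling Carter mentions above, as an added example that is not part of the original post or of Argus itself: it builds a per-port baseline from archived flow records (constructed here) and lists new flows on a well-known port whose ratio departs sharply from that baseline. The record layout, the log-ratio, the median/MAD scoring and the 0.1 floor are assumptions of this example.

```python
"""Src/Dst packet-ratio profiling over Argus-style flow records (hypothetical
example, not Argus code): build a per-port profile from archived flows, then
flag new flows on a well-known port whose ratio is far outside that profile."""
import math
from statistics import median

# Constructed records, not real traffic: (saddr, daddr, dport, spkts, dpkts)
BASELINE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 25, 40, 38),
    ("10.0.0.6", "192.0.2.10", 25, 55, 50),
    ("10.0.0.7", "192.0.2.10", 25, 30, 31),
    ("10.0.0.8", "192.0.2.10", 25, 48, 45),
    ("10.0.0.5", "192.0.2.20", 80, 12, 40),
    ("10.0.0.6", "192.0.2.20", 80, 10, 35),
]
NEW_FLOWS = [
    ("10.0.0.9", "192.0.2.10", 25, 900, 12),  # nearly one-way "SMTP": suspect
    ("10.0.0.5", "192.0.2.10", 25, 44, 41),   # same shape as the baseline
    ("10.0.0.6", "192.0.2.20", 80, 8, 30),    # normal HTTP shape
    ("10.0.0.7", "192.0.2.30", 443, 20, 25),  # no profile for this port
]
MAD_FLOOR = 0.1  # a tiny spread in a small baseline must not flag everything

def log_ratio(spkts, dpkts):
    """log(src/dst packets): +1 keeps one-sided flows finite, the log makes
    'too many src' and 'too many dst' deviate symmetrically."""
    return math.log((spkts + 1) / (dpkts + 1))

def build_profile(flows):
    """Per destination port: (median log-ratio, median absolute deviation)."""
    by_port = {}
    for _, _, dport, spkts, dpkts in flows:
        by_port.setdefault(dport, []).append(log_ratio(spkts, dpkts))
    profile = {}
    for port, ratios in by_port.items():
        med = median(ratios)
        profile[port] = (med, max(median(abs(r - med) for r in ratios), MAD_FLOOR))
    return profile

def find_anomalies(flows, profile, threshold=5.0):
    """(saddr, daddr, dport, score) for flows deviating more than `threshold`
    MADs from their port's baseline; ports without a profile are skipped."""
    hits = []
    for saddr, daddr, dport, spkts, dpkts in flows:
        if dport in profile:
            med, mad = profile[dport]
            score = abs(log_ratio(spkts, dpkts) - med) / mad
            if score > threshold:
                hits.append((saddr, daddr, dport, round(score, 1)))
    return hits
```

Run `find_anomalies(NEW_FLOWS, build_profile(BASELINE_FLOWS))` to get the one nearly one-way port-25 flow back; the port-443 flow is skipped because the archive holds no baseline for it.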