Argus 2.0 wishes

Neil Long neil.long at computing-services.oxford.ac.uk
Wed Mar 8 10:16:24 EST 2000


Sorry - I trimmed out the original original

Neil

> -----Original Message----- 
> From: Neil Long [mailto:neil.long at computing-services.oxford.ac.uk] 
> Sent: Tuesday, March 07, 2000 1:09 PM 
> To: Bullard, Carter [NYPAR:DS33:EXCH] 
> Subject: Re: Argus 2.0 wishes 
> 
> 
> Morning! Interesting discussions. 
> 
> Pretty much agree with all that was said up to now. Couple of other
> things I use Argus for which may be relevant (or I may be just breaking
> my back and should use something else) to the IDS role.
> 
> Network flood events. 
> 
> Well there is no way any logger could cope if there was a full-blown
> pipe-filling attack but I have had a lot of success when tracing a
> local host which is contributing to a flood attack. Briefly:-
> 
> A quick glance at the size of the argus data files (I roll once an
> hour, killing+restarting the existing argus process as I found that
> just mv'ing the file ended up with argus bloating out all swap) will
> easily show that there is or was an attack going on - e.g. typical file
> size 20MB but pops to 100MB during floods.
> 
> The problem is that I know then that there was an attack (either to or 
> from our network) but not when. This is the hard part - scrolling 
> through ra until one IP (dst) dominates and then noting the time. 
> I then typically start filtering out IP srcs or dsts until the data 
> file gets down to a reasonable size. Then a rasort and then start 
> looking for likely connects to a host at the time the flood started. 
> Usually I get lucky and find the machine and go from there. 
> 
> Ra already has a time range option (man page needs updating) 
> 
> So - argus would benefit from some way of tickertaping the flow volume 
> to a file that can be viewed some other way (MRTG for example) - to 
> indicate the hot spot time(s). 
> 
> The other headache is tracking high traffic usage - Peter's script 
> works fine except when the stream is almost 99% fragments then it is 
> more of a plod IP by IP using racount - but I get them in the end ;-) 
> 
> Argus has already got a lot of things I have never used yet so my wish
> list is for divine enlightenment!
> 
> Cheers 
> Neil 
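The procedure described in the quoted message (bin flow volume by time, find the interval where one destination dominates, and tickertape the per-interval volume for an external grapher) as an added example; this is not code from the original post or from the Argus project, and the flow record tuple format and sample values are constructed, not real ra output.

```python
# Added example (not the original post's or the Argus project's code).
# Record format is a constructed simplification, NOT real ra(1) output:
# (epoch_seconds, src_ip, dst_ip, bytes)
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: three quiet minutes, then a flood toward 10.0.0.9.
SAMPLE_FLOWS = [
    (0, "10.0.0.1", "192.0.2.10", 1500),
    (20, "10.0.0.2", "192.0.2.11", 900),
    (70, "10.0.0.3", "192.0.2.12", 1200),
    (100, "10.0.0.1", "192.0.2.13", 800),
    (130, "10.0.0.4", "192.0.2.10", 1100),
    (190, "10.0.0.7", "10.0.0.9", 60000),
    (195, "10.0.0.7", "10.0.0.9", 65000),
    (200, "10.0.0.2", "192.0.2.11", 700),
    (230, "10.0.0.7", "10.0.0.9", 70000),
]

def bucket_flows(flows, bucket_seconds=60):
    """Bytes per time bucket, plus bytes per destination within each bucket."""
    totals = defaultdict(int)
    per_dst = defaultdict(Counter)
    for ts, _src, dst, nbytes in flows:
        start = ts - ts % bucket_seconds
        totals[start] += nbytes
        per_dst[start][dst] += nbytes
    return totals, per_dst

def find_hot_spots(flows, bucket_seconds=60, volume_factor=5.0, dominance=0.8):
    """Buckets whose volume is >= volume_factor x the median bucket volume and
    in which one destination takes >= `dominance` of the bytes.
    Returns [(bucket_start, total_bytes, top_dst, share)]."""
    totals, per_dst = bucket_flows(flows, bucket_seconds)
    if not totals:
        return []
    baseline = median(totals.values())
    hits = []
    for start in sorted(totals):
        top_dst, top_bytes = per_dst[start].most_common(1)[0]
        share = top_bytes / totals[start]
        if totals[start] >= volume_factor * baseline and share >= dominance:
            hits.append((start, totals[start], top_dst, round(share, 3)))
    return hits

def tickertape(flows, bucket_seconds=60):
    """One 'bucket_start bytes' line per interval, ready for an external grapher."""
    totals, _ = bucket_flows(flows, bucket_seconds)
    return [f"{start} {totals[start]}" for start in sorted(totals)]
```

With a one-hour bucket instead of one minute, the same volume series is the per-file size comparison the message describes, but with the hot spot time attached.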