argus-2.0.0e and status

[Carter Bullard]

Gentle people,
Another day another letter ;o) I've just now placed the
latest Argus-2.0.0e on the server. Please pick this
version up if you are doing any testing.

This version fixes some hanging problems between argus and
clients, and fixes a major problem with status management
records.  It also fixes quite a number of client record
printing issues, with both TCP and ICMP.

This version also finalizes issues with regard to time
reporting, as the client time formats and reporting, as
well as the aggregation code seems to be working well.
Test drive the "-t" option on your favorite argus
client ;o).

There is still the issue with regard to flex/bison, and
it seems that there are no major headaches with requiring
flex.  If there are no new objections, I'll put in 
the flex enforcement into ./configure today.

Ok, were starting to look a lot better.  Currently there
are 5 things that we need in order to get Argus-2.0
completely up to snuff with regard to Argus-1.x.

1. Client backward compatibility.
2. ICMP Unreachable/Redirect and Fragment support.
3. Application byte counts.
4. '-I' option to print the indicators.
5. MAC address reporting.

With regard to testing, the client filter compiler had
to be modified, and so there is a need to test it, which
opens it up to opinion/comment and improvement, so if
there is anything in particular that needs attention, I
would say that this is it.

And there are a number of things that need work in the
new stuff.

1. Arp is working well, but we need DHCP/BOOTP support.
2. The packet burst data is working well, but we need to
   print it out, so a new option for ra().
3. User data capture and reporting.
4. New clients.

Not bad.  I'm hoping that we can have Argus-2.0 out
by the end of October, just in time to hit the shelves
for Xmas ;o)

Thanks for all the attention and effort!!!!!!

Carter





-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Carter Bullard
Sent: Tuesday, September 12, 2000 8:05 AM
To: chas at freeworks.com; 'Russell Fulton'; 'argus'
Subject: RE: argus and snort ?


Hey Chas,
   Two downsizes, one big one small.

1. Probe performance is basically dependant
on packet snap length and the more user data
you want the bigger every captured packet needs
to be.  This is big downsize.

2. Bigger user data capture, bigger argus records.
This is small downsize.
 
   I was thinking of two mods of operation.
The first would capture a fixed length of
user data regardless, in order to do various
protocol validations.  This would be the minimum
data size needed and would be recommended.

   The second would be to capture longer chunks
for applications of interest.  This is where
the URL capture comes in, but we still don't
want to do full packet capture, so, what, 
256 may be the right number here?  This would
optional.

Carter

-----Original Message-----
From: Chas DiFatta [mailto:chas at freeworks.com]
Sent: Tuesday, September 12, 2000 12:21 AM
To: carter at qosient.com; 'Russell Fulton'; 'argus'
Subject: RE: argus and snort ?


What is the down side of capturing over 64 bytes?  64
is a bare minimum for long posts?  I vote for 128.

	...cd

> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Monday, September 11, 2000 6:59 PM
> To: chas at freeworks.com; 'Russell Fulton'; 'argus'
> Subject: RE: argus and snort ?
> 
> 
> Hey Guys,
>    I see Argus as having two HUGE benefits.  Auditing
> all transactions, and generating a manageable persistent
> store.
> 
>    The persistent store makes historical analysis/discovery
> possible where no other tool allows for this.  Since
> you can't go back and run another tool with a better
> signature,  if Argus is well done, then we can go
> back and find out if anyone used that newly discovered
> attack on us last year.
> 
>    Argus will not be able to replace any dedicated near
> real time signature peeler, but if there is anything that
> we can do to make historical discovery a part of our tool,
> then we've got something.
> 
>    So how much data do we need to capture?  For your
> sgi telnet attack, can we detect it in less than 64 bytes
> of source user data?  Do we need response data?  User
> logins ids are easily captured in the first 32 bytes.
> Most hostnames are less than 64 bytes.
> 
>    What do you think?
> 
> Carter
> 
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Chas DiFatta
> Sent: Monday, September 11, 2000 9:04 PM
> To: carter at qosient.com; 'Russell Fulton'; 'argus'
> Subject: RE: argus and snort ?
> 
> 
> We really haven't played with the "trigger-on-this-bad-thing"
> from a network security perspective, but we find it very useful
> for network application debugging.
> 
> 	I.e. capture the beginning of an http GET to a specific
> 	server so we can read the whole request.  We can then
> 	correlate the time of a problem with argus and snort
> 	and then diagnose.
> 
> If argus captured (via a trigger) all or some of the data portion
> of the tcp session, it would be EXTREMELY useful.  Or (wishing cap
> on now) the first x packets from a connectionless session (udp).
> 
> I want to make it clear that in application debugging, seeing what's
> going over the wire is very important and most of the time, you
> don't need to see that much.  Example, why is this mail server
> always giving an error?
> 
> 	reject=550 <someone at x.org>... Relaying denied
> 
> >From an network management perspective, it adds another dimension
> to the information that Argus provides.
> 
> Thoughts?
> 
> 	...cd
>  
> > -----Original Message-----
> > From: owner-argus at lists.andrew.cmu.edu
> > [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Carter Bullard
> > Sent: Monday, September 11, 2000 4:41 PM
> > To: 'Russell Fulton'; 'argus'
> > Subject: RE: argus and snort ?
> > 
> > 
> > 
> > So what is snort doing for you guys that is helping?
> > Is there some nugget of goodness that we can add to
> > argus that will give the same info?
> > 
> > Carter
> > 
> > -----Original Message-----
> > From: owner-argus at lists.andrew.cmu.edu
> > [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
> > Sent: Monday, September 11, 2000 5:45 PM
> > To: argus
> > Subject: Re: argus and snort ?
> > 
> > 
> > Perhaps I should have said that I am monitoring an 10Mbps ethernet 
> > running at around 3Mbps in one 'direction' (inbound) and 1 Mbps in the 
> > other. (yes I do know that ethernet does not have any sense of 
> > direction ;-)  The box is an IBM Ativa with a 500Mhz processor and 
> > 128MB ram.
> > 
> > Top shows Snort using about 8% of CPU and the two copies of argus are 
> > down below 1%.
> > 
> > We will soon go to 100Mbps on the DMZ and our data rates are likely to 
> > go up steeply when the Southern Cross fiber finally gets commissioned 
> > later this year.  We have been promised that prices will fall sharply 
> > -- I'm not holding my breath though...
> > 
> > Cheers.
> > 
> > 
>