argus option review
David Brumley
dbrumley at rtfm.stanford.edu
Thu Jan 25 18:10:05 EST 2001
> The biggest one is "-p". Should we be in promiscuous mode by default?
> My bet is no. Do we have any other votes/opinions?
My vote is to go into promisc mode by default.
>
> The next is the "-P" option. This specifies the port that we will
> listen on for remote access. You set this to 0 (zero) to turn this
> feature off. Should we turn this on or off by default? Should you
> have to explicitly turn on remote access by configuring the port
> number? I'm leaning toward not turning it on unless you
> specify it, but then getting a common number, like 561, will not
> be easy. (this may eliminate some surprises?)
I would leave it off by default.
> Please send your opinions/attitude/reactions/flames/whatever. It is
> important!
The above behaviors can be set in /etc/argus.conf, right? So I think
of more importance is how you set them in the default /etc/argus.conf,
since most people are lazy (including me :)

Also, I've been thinking that perhaps the argus daemon should be
renamed to "argusd", as that seems to be common Unix nomenclature.

Last, I have a question. How many people have custom argus scripts
for detecting intrusions? I know I do, and so does Russell. Are there
others out there we could benefit from?
cheers,
-david
--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445 WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121 PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Fact: you can burn 150 calories per hour banging your head against a wall