argus option review

Carter Bullard carter at qosient.com
Thu Jan 25 22:15:09 EST 2001


Hey William,
   50-75M every 15 minutes?  Seems like a good volume.  You'll
want to pay some attention to ragator() to merge some of those
records together.  This is something that I'm interested in
working on now that argus is stable.  Blowing away the source
ports of tcp flows can sometimes provide a HUGE reduction
in argus records, and still maintain all the info you wanted.

    Seems like the vote so far is promiscuous on, port off.
Response data off, jitter data off, user data off.

  So what kind of situation are you monitoring?  DMZ?  Gig
ethernet?  Dual interfaces?  Lots of traffic, lots of flows?
What kind of hardware are you using?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426
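A small illustration of the ragator()-style merge described above, collapsing TCP flow records that differ only in source port while keeping a count of how many connections were folded together. This is added example code, not part of the argus distribution; the flow records are constructed, loosely modelled on ra(1) output fields.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One argus-style flow record (constructed field set, not the real format)."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    bytes: int


# Constructed sample: one client opening several connections to the same
# web server (only the ephemeral source port differs), plus unrelated flows.
SAMPLE = [
    Flow("tcp", "10.0.0.5", 40001, "192.0.2.10", 80, 12, 2400),
    Flow("tcp", "10.0.0.5", 40002, "192.0.2.10", 80, 9, 1800),
    Flow("tcp", "10.0.0.5", 40003, "192.0.2.10", 80, 15, 3100),
    Flow("tcp", "10.0.0.7", 51000, "192.0.2.10", 80, 4, 700),
    Flow("udp", "10.0.0.5", 5353, "224.0.0.251", 5353, 2, 300),
    Flow("tcp", "10.0.0.5", 40004, "192.0.2.11", 443, 20, 9000),
]


def aggregate(flows, drop_sport=True):
    """Merge records sharing proto/saddr/daddr/dport (and sport unless dropped).

    Packet and byte counters are summed; 'flows' records how many original
    records were merged, so connection volume per service is not lost.
    """
    merged = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    for f in flows:
        key = (f.proto, f.saddr, None if drop_sport else f.sport, f.daddr, f.dport)
        m = merged[key]
        m["flows"] += 1
        m["pkts"] += f.pkts
        m["bytes"] += f.bytes
    return dict(merged)


def reduction(flows, drop_sport=True):
    """Fraction of records eliminated by the merge (0.0 means nothing merged)."""
    return 1 - len(aggregate(flows, drop_sport)) / len(flows)
```

On the sample above the merge removes a third of the records; on real traffic where many short connections share one destination service the ratio is far larger, which is the reduction the message refers to.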
-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of William Setzer
Sent: Thursday, January 25, 2001 9:04 PM
To: argus at lists.andrew.cmu.edu
Subject: Re: argus option review


: 
: The biggest one is "-p".  Should we be in promiscuous mode by default?
: My bet is no.  Do we have any other votes/opinions?

Actually, I can't imagine using argus in anything other than
promiscuous mode.

: The next is the "-P" option.  This specifies the port that we will
: listen on for remote access.  You set this to 0 (zero) to turn this
: feature off.  Should we turn this on or off by default?

Hmm.  I seem to be zero for two. :)  I think the port number should
be off by default, for security reasons.  (If a port's not on, it
can't be exploited.)

: The "-J" data is not a problem but it will make the output records
: 16-32 bytes larger.  My guess on this one is off by default?

I agree, but this is purely a personal preference.  My logs already
grow to 50-75M every 15 minutes, and a large increase would force
me to buy bigger disks.  Not a really good reason to justify
something. :)


William