FWD: argus-clients informal survey
Chris Newton
newton at unb.ca
Wed Jun 20 22:53:45 EDT 2001
Hi Carter, here are my coments.
First, I think you are doing great work!
Second: I was quite happy to see the ratop addition, but I believe, with
that, you have provided quite an array of methods for retrieving information
from the argus log files. With a well defined interface to the argus
structures, possibly a perl module, and 1 client that could print out anything
in the log file, I'd say that is very complete. It gives everyone the tools
they need to do what ever analysis they need/want to do.
I know your interest is in security, and others in performance of the
monitoring capability. Having said that, _my_ vote (which is obviously
strongly affected by my needs/interests) would be in seeing more information
added to argus that it can track, and scaling changes to move argus up so that
it is the hardware limits we run into, not software.
Here are some ideas along those lines, off the top of my head:
a) the 'step down' ideas we all talked about a couple months back, where
when argus is seeing a DoS attack (or something), it starts 'doing less'. Ie:
says, forget the interpacket jitter information, forget the super accurate
duration information...lets just get this stuff accounted for.
b) when a DDoS type attack is seen, understand it, and not try to generate a
flow record for each remote IP seen, when attacking a certain host on a
network... tell argus to generate an aggregated record *at the argus*.
c) when a standard DoS attack is seen, which you can know by the unique
signature (flags/status) and sheer number of packets, do aggregation at the
argus... dont tryand generate a flow (and, all the flow info that goes along
with it).
d) allow for *at the argus* filtering. IE: you connect a sensor to link.
you then connect two remote clients to the argus server. It would be nice if
the clients could tell argus what their filters are... and, argus only
delivers across the network, the flows that they asked for. this way, a
LARGE, powerful sensor handling a heavy link, could divide out the analysis of
the flows to a number of boxes.
e) allow for options to argus, to tell it what information to try to record.
For instance, maybe you want info x, y, and z. bit, not a, b and c. To give
argus the most breathing room on larger/abused (thts me :)) links, we could
tell it up front what work it shouldnt even try to do.
Hmm, thats all for now... If I think of anything else ... :)
Chris
>===== Original Message From "Carter Bullard" <carter at qosient.com> =====
Gentle people,
Just wanted to get some feedback on the
argus-clients package. If you've had any chance
to look at it, could you send your first impression,
comments? If its, "got no time" that's fine. If its
"I can't understand what's going on because there
are no man pages", that's fine. If its, "I wish
you would work on something else" then send that
ASAP. Any comments would be well received. I'm
trying to figure out where to apply limited
resources.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
"The best way to have a good idea is to have a lot of ideas."
Linus Pauling (1901 - 1994) US chemist
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)
"The best way to have a good idea is to have a lot of ideas."
Linus Pauling (1901 - 1994) US chemist
More information about the argus
mailing list