argus-clients informal survey

Yotam Rubin yotam at makif.omer.k12.il
Thu Jun 21 16:34:42 EDT 2001


Greetings,

	I can tell you what I do with argus on my network. Argus has replaced
several slightly defunct tools I have used in the past.

 * I use argus to create daily reports about suspicious traffic. How does one
   classify suspicious traffic? Suspicious traffic is usually traffic to
   destination ports that no one from beyond my network should reach; this
   includes all ports besides maybe 80, 25, 113, my ssh port and other ports I
   failed to mention. The results I receive are approximately 95% accurate. The
   margin of error is usually caused by some legitimate sources which port scan
   my servers. Yes, there are other 'connection loggers' out there, but from
   what I've seen they all use raw sockets, which do not receive everything,
   and they're not as versatile as argus.

 * Argus is also used to measure the activity of my dialup users. I use argus
   to generate a report about the number of bytes originating to and from my
   dialup systems. There was once a question about bandwidth monitoring on the
   Israeli Linux mailing list; I recommended that he use argus. I have not
   received further input from that person.

  Argus is an extremely versatile tool; it can replace many existing tools which
perform different tasks (bandwidth monitoring, connection logging, etc.).
As a result of its complexity, one nearly always has to write a script
which parses and cleans the original ra* output; I'm sure it would ease the
lives of many if ra* allowed manipulation of the output format, something like:
ra -r argus.log -o '%t: Connection attempt from %s to %d' - syn and dst port 12345
Here %t would be replaced with the time field, %s would be expanded to the
source address and %d would represent the destination address. This would
greatly enhance the flexibility and readability of ra output.

	Regards, Yotam Rubin


On Thu, Jun 21, 2001 at 01:22:12PM -0400, Desmond Irvine wrote:
> Carter Bullard wrote:
>  
> <snip> 
> 
> > I'm pretty much of the opinion that the awareness of Argus
> > and its ability to solve real problems for people is where
> > the work needs to be done.  Although we've got QoSient,
> > Debian, and FreeBSD distributing Argus now, we don't have a
> > HUGE following, like I think we could have.  It's hard to
> > remember that Argus-2.0 has really only been out for 3 months
> > now, but Argus should be getting more attention than it has.
> 
> <snip> 
> 
> > I believe that I need to be doing what is needed to draw
> > more people into Argus, to use it to solve their problems.
> > I think that means more applications, rather than to
> > continue to tweak the data generation itself.
> > 
> > Any opinions?
> 
> As a somewhat newbie Argus user and lurker on the list I'd like to throw
> in my two cents.  I'm using Argus right now, but only to the bare
> minimum in that when I have something to investigate I go through my
> argus logs and look for specific things using ra.  I'd like to go beyond
> this and do a lot more pro-active monitoring, but I'm not sure where to
> start.  Most of the documents I've seen on the net about using Argus
> refer to older versions of Argus with different client programs
> (raservices).  For Argus to become more attractive I personally think
> there need to be more "cookbook" examples of how to make use of it. 
> Argus gives us an overwhelming amount of data to play with, but there
> don't seem to be a lot of real world examples available of what can be
> done with it.
> 
> Desmond.
> 
> -- 
> Desmond Irvine                Security Analyst, Information Technology
> Sheridan College              Phone: 905-845-9430 x2035
> 1430 Trafalgar Road           Fax: 905-815-4011
> Oakville, ON  L6H 2L1         EMail: desmond.irvine at sheridanc.on.ca
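The two reports Yotam describes (inbound connection attempts to ports no outsider should reach, and per-host byte totals for the dialup pool) are the kind of post-processing he says one always ends up scripting around ra output. The script below is an added example, not code from the post or from the argus project. It does not read real ra output: the flow record layout (date, time, protocol, src.port, dst.port, TCP state letters, source bytes, destination bytes) is constructed for the example, as are the 192.0.2.0/24 local network, the 192.0.2.128/25 dialup pool and ssh on port 22. It also implements the %t/%s/%d template expansion he proposes for a hypothetical `ra -o` option, purely to show the idea.

```python
"""Daily suspicious-traffic and dialup-byte reports over argus-style flow records.

Added example. The record layout below is CONSTRUCTED for this script and is
not a documented ra output format; adapt parse_flow() to whatever your ra
version actually prints.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumptions, not from the post: local prefix, dialup pool, ssh on 22.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
DIALUP_POOL = ipaddress.ip_network("192.0.2.128/25")
# Ports outsiders may legitimately reach (the post's list, with ssh assumed on 22).
ALLOWED_INBOUND_TCP = {80, 25, 113, 22}


@dataclass
class Flow:
    time: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    state: str      # TCP state letters; "s" = SYN seen from the source
    sbytes: int
    dbytes: int


def parse_flow(line):
    """Parse one constructed record: date time proto src.port dst.port state sbytes dbytes."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"unexpected record layout: {line!r}")
    date, clock, proto, src, dst, state, sbytes, dbytes = fields
    saddr, sport = src.rsplit(".", 1)   # last dotted component is the port
    daddr, dport = dst.rsplit(".", 1)
    return Flow(f"{date} {clock}", proto, ipaddress.ip_address(saddr), int(sport),
                ipaddress.ip_address(daddr), int(dport), state, int(sbytes), int(dbytes))


def is_suspicious(flow):
    """Inbound TCP connection attempt (SYN seen) to a port no outsider should reach."""
    return (flow.proto == "tcp"
            and flow.src not in LOCAL_NET
            and flow.dst in LOCAL_NET
            and "s" in flow.state
            and flow.dport not in ALLOWED_INBOUND_TCP)


def format_record(template, flow):
    """Expand %t, %s and %d as the post proposes for a hypothetical ra -o option."""
    return (template.replace("%t", flow.time)
                    .replace("%s", str(flow.src))
                    .replace("%d", str(flow.dst)))


def suspicious_report(lines, template="%t: Connection attempt from %s to %d"):
    """One formatted line per suspicious inbound flow, in input order."""
    return [format_record(template, f) for f in map(parse_flow, lines) if is_suspicious(f)]


def dialup_bytes(lines):
    """Total bytes (both directions) per dialup host, keyed by address string."""
    totals = defaultdict(int)
    for f in map(parse_flow, lines):
        if f.src in DIALUP_POOL:
            totals[str(f.src)] += f.sbytes + f.dbytes
        if f.dst in DIALUP_POOL:
            totals[str(f.dst)] += f.sbytes + f.dbytes
    return dict(totals)


# Constructed sample records (documentation address ranges only).
SAMPLE = """\
2001-06-21 10:15:02 tcp 203.0.113.5.4321 192.0.2.10.12345 s 120 0
2001-06-21 10:15:09 tcp 203.0.113.5.4322 192.0.2.10.80 sSEfF 4100 28000
2001-06-21 10:16:44 tcp 192.0.2.130.1025 198.51.100.7.80 sSEfF 900 61000
2001-06-21 10:17:01 tcp 198.51.100.9.53000 192.0.2.131.6667 s 60 0
2001-06-21 10:18:30 udp 192.0.2.130.1026 198.51.100.7.53 CON 80 240
""".splitlines()

if __name__ == "__main__":
    for line in suspicious_report(SAMPLE):
        print(line)
    for host, total in sorted(dialup_bytes(SAMPLE).items()):
        print(f"{host}: {total} bytes")
```

In the sample, only the first and fourth records are flagged: the SYN to port 80 is allowed, the third record is an outbound connection from a dialup host, and the UDP flow is ignored by the TCP-only rule. The port scanners Yotam mentions as his false positives would show up here as many flagged records from one source address; grouping the report by %s is the natural next step.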