argus-clients informal survey

Carter Bullard carter at qosient.com
Tue Jun 26 12:19:49 EDT 2001


Hey Russ,
Well the ragraph() stuff is the first shot at
doing a generic graphing program, so it will have
its problems to fix.  You definitely should be using
either alpha.5 or alpha.6 as these fixed a number
of problems with memory usage.

Rahistogram() is a form of ragator().  The
difference is that rahistogram() creates aggregated
argus records on strict time boundaries.  You
use the filters to pick the argus records you
want, and rahistogram() will do the overlapping
of argus records to understand what the packet, byte,
whatever counts are for each time bin.  Default
is seconds, so if you are graphing an hour's worth
of activity, then you get 3600 bins, but if you're
doing an entire month's worth of data, you should use
a different bin size.  Use the '-M min' option or
'-M hour' option to do that.

ragraph() is a perl script that takes the command
line, passes it to rahistogram() and then takes
the output and stuffs it into an rrd database and
generates a graph from it.  It outputs to a single
file, because I haven't done any parameter parsing
in perl, so I haven't gotten that far yet.

If you want a particular service, just pass a filter
to ragraph(), like:

   ragraph -r argusdata - udp and port 53

This will graph the packet load for DNS.  For a
particular server:

   ragraph -r argusdata - udp and port 53 and host whatever

Try it out just to see if it works, and then any
suggestions on how to change it to make it work for
you would be very helpful.  It's really early yet,
so any recommendations are very welcome.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com
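
[Added illustration, not code from argus, rahistogram() or ragraph(): a small
Python model of what the reply above says rahistogram() does, i.e. take the
flow records that pass a filter, aggregate them onto strict time bins of 1 s,
60 s or 3600 s, and emit one row per bin so the result can be pushed into an
RRD-style fixed-step store.  How a record that straddles a bin boundary is
split is an assumption here (packet and byte counts apportioned in proportion
to the time the flow overlaps each bin); the reply only says the records are
"overlapped" onto the bins.  The filter compiler handles only the and-joined
'udp', 'port N', 'host H' terms used in the reply's examples, and the sample
records are constructed, not real traffic.]

```python
# Added illustration of rahistogram()-style time binning; not argus code.
# ASSUMPTION: a record spanning several bins is apportioned by overlap time.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Bin widths, named after the reply's '-M sec' / '-M min' / '-M hour' modes.
BIN_SECONDS = {"sec": 1, "min": 60, "hour": 3600}


@dataclass(frozen=True)
class Flow:
    """One flow record, reduced to the fields the binning needs."""
    start: float   # time of first packet, seconds
    end: float     # time of last packet, seconds (end >= start)
    proto: str     # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    pkts: int
    bytes: int


def compile_filter(expr: str) -> Callable[[Flow], bool]:
    """Compile an and-joined subset of the filter syntax in the reply
    ('udp and port 53 and host 10.1.2.4').  'port' and 'host' match either
    direction, as in BPF; anything else raises rather than silently passing."""
    terms = [t.split() for t in expr.split(" and ") if t.strip()]

    def pred(f: Flow) -> bool:
        for t in terms:
            if len(t) == 1 and t[0] in ("udp", "tcp", "icmp"):
                ok = f.proto == t[0]
            elif len(t) == 2 and t[0] == "port":
                ok = int(t[1]) in (f.sport, f.dport)
            elif len(t) == 2 and t[0] == "host":
                ok = t[1] in (f.src, f.dst)
            else:
                raise ValueError(f"unsupported filter term: {' '.join(t)}")
            if not ok:
                return False
        return True

    return pred


def histogram(flows: List[Flow], bin_size: int,
              pred: Callable[[Flow], bool] = lambda f: True) -> Dict[float, List[float]]:
    """Return {bin_start: [pkts, bytes]} with bins aligned to multiples of
    bin_size.  A zero-duration record lands whole in its bin; a longer record
    is split across the bins it overlaps, weighted by overlap time (assumed)."""
    bins: Dict[float, List[float]] = {}
    for f in flows:
        if not pred(f):
            continue
        b = (f.start // bin_size) * bin_size
        dur = f.end - f.start
        if dur <= 0:
            cell = bins.setdefault(b, [0.0, 0.0])
            cell[0] += f.pkts
            cell[1] += f.bytes
            continue
        while b < f.end:
            overlap = min(f.end, b + bin_size) - max(f.start, b)
            frac = overlap / dur
            cell = bins.setdefault(b, [0.0, 0.0])
            cell[0] += f.pkts * frac
            cell[1] += f.bytes * frac
            b += bin_size
    return bins


def series(bins: Dict[float, List[float]], bin_size: int,
           t0: float, t1: float) -> List[Tuple[float, float, float]]:
    """Dense (time, pkts, bytes) rows covering [t0, t1), zero-filled, which is
    what a fixed-step store such as RRD wants: one row per bin, no gaps."""
    out = []
    t = (t0 // bin_size) * bin_size
    while t < t1:
        p, by = bins.get(t, [0.0, 0.0])
        out.append((t, p, by))
        t += bin_size
    return out


# Constructed sample records (not real traffic); times are small offsets
# rather than epoch seconds so the arithmetic is easy to follow by hand.
SAMPLE = [
    Flow(1000, 1000, "udp", "10.1.2.3", "10.0.0.53", 40001, 53, 2, 180),
    Flow(1070, 1090, "udp", "10.1.2.4", "10.0.0.53", 40002, 53, 10, 1000),
    Flow(1000, 1120, "tcp", "10.1.2.5", "192.0.2.80", 50000, 80, 120, 60000),
    Flow(1100, 1100, "icmp", "10.1.2.6", "10.0.0.1", 0, 0, 1, 64),
]

if __name__ == "__main__":
    dns = histogram(SAMPLE, BIN_SECONDS["min"], compile_filter("udp and port 53"))
    for t, p, by in series(dns, BIN_SECONDS["min"], 1000, 1200):
        print(f"{int(t):6d} {p:8.2f} pkts {by:10.2f} bytes")
```

With the minute bins, the 20-second DNS flow that starts at 1070 is split
half into the bin starting at 1020 and half into the bin starting at 1080,
which is the kind of per-bin count ragraph() would hand to rrdtool; with
'sec' bins the same data comes out as 120 one-second rows.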

   

> -----Original Message-----
> From: Russ Harvey [mailto:russ at cornucopia.ucr.edu] 
> Sent: Sunday, June 24, 2001 11:33 PM
> To: Carter Bullard
> Subject: Re: argus-clients informal survey
> 
> 
> Hi Carter,
> Sorry this took so long. I started it on Wednesday, but with 
> interruptions I'm only now finishing it.
> 
> I am a relatively new argus user, although I've used it off 
> and on for about a year. It has been very useful for the 
> things you would expect -- back tracking intrusion/DOS 
> incidents and general-purpose information gathering. We also 
> run snort on the monitor machine, and are gradually 
> fine-tuning it as well.
> 
> One of my major interests in argus is to generate graphs. We 
> use cricket to monitor the traffic on several of our network 
> devices (which uses a cron-based snmp query to the network 
> devices, the output of which is stuffed into RRD files, which 
> can then be viewed with the cricket cgi that grabs a 
> specified RRD and generates a gif), but can display only 
> limited things the network device knows about (e.g. port 
> bytes/packets in and out).
> 
> Argus, on the other hand, has a wealth of information with 
> potential for display. I would like to know, for example, the 
> packet and byte rates used by the dorms. Then, if I found it 
> high, be able to select specific subnets of the dorm VLAN to 
> see which one accounts for the traffic.
> 
> I would also like to be able to see packets and bytes by 
> protocol. Then, for example, I could quickly spot an ICMP 
> DOS (we have plenty of those).
> 
> I would also like to graph service activity -- DNS, mail, 
> news, etc., and be able to tell if one of the services was 
> having problems (too much traffic, too little).
> 
> I understand how to do these things in principle with argus, 
> but am kind of confused by ragraph and rahistogram. Although 
> I haven't tried it yet, I thought ragator was the way to go. 
> Since it can collect whatever flow info you want via a model, 
> and that info can be collected for a specified period of 
> time, I thought all you would need to do is point ragator at 
> a running argus and collect its output. Then, with some 
> massaging, pump its output into a set of RRDs.
> 
> But ragraph seems to want to make a single file, and 
> rahistogram seems to have to be set up to read info for a 
> small time window, that needs to be specified (I guess) in 
> the call to ragraph (-t <whatever>). I can see rahistogram as 
> a good tool for generating an initial RRD since it can be run 
> on archived argus files and can generate the averaged info 
> that RRD saves (that's what the minute, hour, etc args are for?).
> 
> By the way, when I ran ragraph (rahistogram from client 
> alpha.2) on my archived argus files, it sucked a lot of 
> memory. Argus was also running, but it only takes about 30Mb 
> -- the FreeBSD monitor machine has 256Mb. When I ran 
> rahistogram, the machine started thrashing, and the running 
> argus died. I've never seen such a high scan rate (~800,000 
> scans per second according to vmstat) as when I ran rahistogram.
> 
> In any case, thanks for these tools and all your hard work. I 
> think they are very good and I hope to use them to develop a 
> full suite of monitoring and security services.
> 
> Thanks,
> --russ
> 
> On Jun 20,  6:26pm, "Carter Bullard" wrote:
> } Subject: argus-clients informal survey
> } Gentle people,
> }    Just wanted to get some feedback on the
> } argus-clients package.  If you've had any chance
> } to look at it, could you send your first impression,
> } comments?  If its, "got no time" that's fine.  If its
> } "I can't understand what's going on because there
> } are no man pages", that's fine.  If its, "I wish
> } you would work on something else" then send that
> } ASAP.  Any comments would be well received.  I'm
> } trying to figure out where to apply limited
> } resources.
> } 
> } Carter
> } 
> } Carter Bullard
> } QoSient, LLC
> } 300 E. 56th Street, Suite 18K
> } New York, New York  10022
> } 
> } carter at qosient.com
> } Phone +1 212 588-9133
> } Fax   +1 212 588-9134
> } http://qosient.com
> }-- End of excerpt from "Carter Bullard"
