Argus/ra next steps. GUI applications and Windowing systems

Carter Bullard carter at qosient.com
Fri Mar 2 09:40:31 EST 2001


Hey Chris,
   I can appreciate what you want to do with all the locals
on one side and the rest of the world on the other.  Like I
mentioned below, ra() is not the best place to do this, so,
I'd like to see if I can get you interested in talking about
Argus Phase II.  My next step after getting the web site
and the 2.0 software out is to start on better Argus data
processing and archiving.  Get the data down, and then do
some real analysis.  This is the essence of what my company,
QoSient, is all about.

   Although the company is going to make money off of this
next step, I'm still going to build an Argus GUI through the
Open Software side of QoSient.  This GUI should allow you to
view and operate on Argus data, for, hopefully, lots of
purposes.  I'm also going to do quite a bit of database work
to support Argus data archiving, which will also be in the
Open side of things.

   The goals are to do the standard stuff like generate graphs
but also to do the work that people on the list have been
doing, sophisticated traffic analysis that can do good work.
Many are doing Incidence Response, what I like to call
Assurance Management, but many would like to do Intrusion
Detection.  I want to do Performance Measurement and Assessment.

   The GUI, I believe, would be where your request would go.
I've already started scoping out Windowing systems, like Gnome,
for this project, and so, if the group is interested in going
in this direction, I'd like to get the group's ideas on what
would be a cool way to approach this.

   The tool that used the GUI would be a network forensics
tool, that basically had access to the entire Argus archive, and
allowed you to very quickly select transactions of interest,
and do some complex operations on the transactions you picked
out.  A kind of vRa, xRa, gRa type of thing, which I think
can get to be pretty cool.

   Gnome, Java, Tcl/Tk, Perl-Tk, X, MSWindows, or a Browser?
   MySQL or postIngress?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134

> -----Original Message-----
> From: Chris Newton [mailto:newton at unb.ca]
> Sent: Friday, March 02, 2001 9:04 AM
> To: Carter Bullard
> Subject: RE: Argus/ra
> 
> 
> Ahh, thank you very much Carter!  Now I understand it better,
> and see why it was done this way.  Good work!  I'll just write
> the code in to our side. :)
> Excellent package, btw.  I'm interested in learning of all the
> information that can be gathered from these logs... and, there
> appears to be a ton of it.
> 
> Chris
> 
> >===== Original Message From <carter at qosient.com> =====
> >Hey Chris,
> >Yes, I can see how if ra() is doing the
> >work, then life is much easier for you ;o)
> >So, here is some good stuff for the FAQ to
> >describe how the arrows work.
> >
> >The arrows are not a source indicator,
> >the arrows indicate the direction of the flow.
> >
> >The source is indicated by being in the left column.
> >The source is the entity that sent the first
> >packet in the flow.  We'll flip the source
> >indication if the first packet we see is a TCP
> >SYN-ACK.
> >
> >The flow indication indicates who is transmitting.
> >For non-TCP connections that means that if
> >the destination is transmitting during this
> >log period and the source is not, then the arrow
> >goes to the left.  And vice versa.  If both
> >are transmitting then both arrows are up.
> >
> >For TCP the arrow does indicate the source
> >direction, but only if the TCP connection establishment
> >packets were seen (the '-' indicates this).  When
> >argus didn't see the handshake, then there is no
> >information on who the actual source or destination
> >is, and the arrows revert to behaving like non-TCP
> >traffic (the '?' indicates this).  When you
> >use the '-R' flag to see response indicators and
> >data, then the arrows change behavior for TCP RST
> >connections; the arrows indicate who sent the RST.
> >
> >So the position in the record is important.
> >You can bet the farm on the fact that the IP
> >address on the left sent the initial packet
> >seen for the flow.  That knowledge is persistent
> >for the duration of the entire flow, so if you have
> >multiple reports, then the position of the IP
> >address is still indicating who initiated the
> >connection.
> >
> >So most people are trying to figure out what service
> >is being used, and in this scheme the right most port
> >number is the service port 95% of the time.
> >
> >So, I don't know how this will work if we swap
> >based on local address.  Another tool is the right
> >way to go.
> >
> >Carter
> >
> >Carter Bullard
> >QoSient, LLC
> >300 E. 56th Street, Suite 18K
> >New York, New York  10022
> >
> >carter at qosient.com
> >Phone +1 212 588-9133
> >Fax   +1 212 588-9134
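The direction rules Carter lays out in the quoted message (left column is the initiator, '-' versus '?' for a seen or unseen TCP handshake, arrows showing who transmitted otherwise, right-most port as the service port) as a small decoder. This is an added example, not Argus code or anything from the thread; the one-line record layout ("proto src.port arrow dst.port"), the arrow tokens and the sample records are all constructed assumptions, and the '-R' RST behaviour is not modelled.

```python
"""Decode the direction indicator of a flow record as explained in the
message above.  Added example, not Argus code: the record layout
"proto src.port arrow dst.port" and the arrow tokens are assumptions."""

ARROWS = {"->", "<-", "<->", "?>", "<?", "<?>"}   # assumed token set


def split_endpoint(token):
    """'192.0.2.7.80' -> ('192.0.2.7', 80): the port is the last dotted field."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def interpret_record(line):
    """Return who initiated the flow, who transmitted in this interval,
    whether the TCP handshake was seen, and the probable service port."""
    proto, left, arrow, right = line.split()
    if arrow not in ARROWS:
        raise ValueError(f"unrecognised direction indicator {arrow!r}")
    lhost, lport = split_endpoint(left)
    rhost, rport = split_endpoint(right)
    tcp = proto.lower() == "tcp"
    # '-' in the middle of a TCP arrow: argus saw connection establishment,
    # so the arrow is a source indicator.  '?' (or any non-TCP flow): the
    # arrows only show which side transmitted during this reporting period.
    handshake_seen = tcp and "-" in arrow
    if handshake_seen:
        transmitting = None          # not conveyed by the arrow in this case
    else:
        transmitting = []
        if arrow.endswith(">"):
            transmitting.append(lhost)
        if arrow.startswith("<"):
            transmitting.append(rhost)
    return {
        "initiator": lhost,          # left column sent the first packet seen
        "responder": rhost,
        "handshake_seen": handshake_seen,
        "transmitting": transmitting,
        "service_port": rport,       # right-most port, the service ~95% of the time
    }


# Constructed sample records (not real ra() output).
SAMPLE = [
    "tcp 10.0.0.5.3421 -> 192.0.2.7.80",      # handshake seen, left initiated
    "tcp 10.0.0.5.3422 <?> 192.0.2.7.443",    # no handshake, both transmitted
    "udp 10.0.0.9.5353 <- 198.51.100.2.53",   # non-TCP, only the right side sent
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec, "=>", interpret_record(rec))
```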