hole in the argus archive on theorygroup.org

Mark Poepping poepping at cmu.edu
Thu Feb 28 01:38:45 EST 2002


There aren't any posts recorded in the archive between 2/8-2/13..  Was
there a problem in there?  I know there were a few posts, especially
some responses to Russell's "Giving a talk on Argus" query - including
the one fairly extensive post detailing some of our configuration work
at CMU..

Carter, do you have a copy that perhaps can be reposted on the archive?
Mark.

>-----Original Message-----
>From: Chas DiFatta [mailto:chas at difatta.org]
>Sent: Friday, February 08, 2002 3:38 PM
>To: Russell Fulton
>Cc: argus-info at lists.andrew.cmu.edu
>Subject: RE: Giving a talk on Argus...
>
>
>Russell,
>
>Here are some thoughts on how we use Argus presently at CMU. Note that 
>we use the commercial version of Argus, which enables us to audit at 
>high data rates.  We'd love to hear your findings regarding other 
>installations and uses of Argus.
>
>Cheers!
>
>	...Chas
>
>p.s. Funny stories/uses of Argus?
>	- Activating an automated Santa Claus when
>	  mail was sent to santa at northpole.sei.cmu.edu.
>	- Mapping specific sounds to a MIDI keyboard
>	  when a network anomaly occurred.
>
>1/ type of links we audit,
>	(A) 1Gb egress link (peak 200Mbs)
>	(B) and the 2 x 1Gb dual-core switches in spanning
>	    configuration
>2/ we use Qosient's commercial version of Argus (Gargoyle)
>	- 400Mbs/60k pps (max we've seen)
>	- no packet loss detected
>		- not saving to disk on probe engine but
>		  remotely collect the audit stream
>3/	egress probe
>		- 933MHz PIII UP
>		- 256MB ram
>		- probe-only configuration
>		- audit stream data remotely collected via
>		  an archive host
>	core probe
>		- 1.8GHz P4 UP
>		- 640MB ram
>		- two Intel ?? GigE network cards 
>		- probe-only configuration
>		- audit stream data remotely collected via
>		  an archive host
>	archive/analysis host
>		- 933MHz PIII UP
>		- 512MB ram
>		- raid disk array
>		- running Qosient's commercial
>		  archiving/analysis tool suite
>		- collects data remotely from probes via SASL
>		- preprocessing of data stream to analyze
>			- security anomalies
>			- performance anomalies
>		- compress and archive data stream into manageable
>		  5 min chunks (average file size 30MB compressed).
>		  Note, the file size could be reduced enormously.
>	analysis/visualization host
>		- 733Mhz PIII UP
>		- 1024MB ram
>		- web services
>		- visualization provided by Cricket, RRD tool, etc.
>
>4,5/ archive data rate varies from 1 week to 2 months
>	- dual-core probe 6-7GB/day
>	- egress probe 8-10GB/day
>
>6/ about 10 years with various activities.  We co-authored Argus 1.3/1.5
>   with Carter at the Software Engineering Institute/CERT
>
>7/ current work/efforts
>	- real-time and static visualization of security and
>	  performance anomalies
>	- anomaly tool suite for network and security managers
>		- reporting
>		- alerting
>	- Anonymization of data for use by research community
>
>>-----Original Message-----
>>From: owner-argus-info at lists.andrew.cmu.edu
>>[mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell 
>>Fulton
>>Sent: Sunday, February 03, 2002 6:05 PM
>>To: argus-info at lists.andrew.cmu.edu
>>Subject: Giving a talk on Argus...
>>
>>
>>Hi All,
>>	AusCERT have prevailed on me to give a talk at the security conference
>>they are organizing in May.  They initially asked me to talk about scans
>>but I decided that everyone knows about scans but not everyone knows
>>about Argus so I would take the opportunity to try and raise the profile
>>of our favourite tool.  The talk will focus on the practical reasons for
>>running argus and how it complements things like NIDS.
>>
>>One of the things I want to emphasise is that Argus is being used 
>>at some major sites with large feeds. I.e. this is not some 'nice 
>>theoretical idea', it really is being used to monitor some heavily 
>>used links.  (Auckland does not really count ;-)  with a mere 7 
>>Mbps...).
>>
>>So I would appreciate some brief summaries with the following
>>information:
>>
>>1/ type of link being monitored (OC3, gigabit ethernet etc)
>>2/ peak volumes in Mbps (approx averaged over 5 minutes)
>>3/ brief description of hardware used including amount of Disk and Memory
>>4/ how long do you keep logs (on disk and archived).
>>5/ daily log volume (compressed).
>>6/ how long have you been using argus.
>>
>>Along with a statement as to whether you want the information made 
>>anonymous.
>>
>>Much of the material will be similar to Peter's ;login article and I 
>>will include a reference to it in my slides.  I will, of course, 
>>include pointers to www.qosient.com -- and other online resources I 
>>should mention.
>>
>>Lastly anyone have any argus related funny stories that I can use to 
>>keep people awake? scp
>>-- 
>>Russell Fulton, Computer and Network Security Officer
>>The University of Auckland,  New Zealand
>>
>>
