hole in the argus archive on theorygroup.org

David J Brumley dbrumley at rtfm.stanford.edu
Thu Feb 28 02:35:09 EST 2002


So it appears that andrew.cmu.edu changed their mailing list software
again.   The Sender: line changed, which is what procmail is using to
archive.


I've changed the line to Return-Path:, so hopefully this message will
archive :)

-david

> 
> There aren't any posts recorded in the archive between 2/8-2/13..  Was
> there a problem in there?  I know there were a few posts, especially
> some responses to Russell's "Giving a talk on Argus" query - including
> the one fairly extensive post detailing some of our configuration work
> at CMU..
> 
> Carter, do you have a copy that perhaps can be reposted on the archive?
> Mark.
> 
> >-----Original Message-----
> >From: Chas DiFatta [mailto:chas at difatta.org]
> >Sent: Friday, February 08, 2002 3:38 PM
> >To: Russell Fulton
> >Cc: argus-info at lists.andrew.cmu.edu
> >Subject: RE: Giving a talk on Argus...
> >
> >
> >Russell,
> >
> >Here are some thoughts on how we use Argus presently at CMU. Note that 
> >we use the commercial version of Argus, which enables us to audit at 
> >data high rates.  We'd love to hear your finds regarding other 
> >installations and uses of Argus.
> >
> >Cheers!
> >
> >	...Chas
> >
> >p.s. Funny stories/uses of Argus?
> >	- Activating an automated Santa Claus when
> >	  mail was sent to santa at northpole.sei.cmu.edu.
> >	- Mapping specific sounds to a MIDI keyboard
> >	  when a network anomaly occurred.
> >
> >1/ type of links we audit,
> >	(A) 1Gb egress link (peak 200Mbs)
> >	(B) and the 2 x 1Gb dual-core switches in spanning
> >	    configuration
> >2/ we use Qosient's commercial version of Argus (Gargoyle)
> >	- 400Mbs/60k pps (max we've seen)
> >	- no packet loss detected
> >		- not saving to disk on probe engine but
> >		  remotely collect the audit stream
> >3/	egress probe
> >		- 933MHz PIII UP
> >		- 256MB ram
> >		- probe-only configuration
> >		- audit stream data remotely collected via
> >		  an archive host
> >	core probe
> >		- 1.8GHz P4 UP
> >		- 640MB ram
> >		- two Intel ?? GigE network cards 
> >		- probe-only configuration
> >		- audit stream data remotely collected via
> >		  an archive host
> >	archive/analysis host
> >		- 933MHz PIII UP
> >		- 512MB ram
> >		- raid disk array
> >		- running Qosient's commercial
> >		  archiving/analysis tool suite
> >		- collects data remotely from probes via SASL
> >		- preprocessing of data stream to analyze
> >			- security anomalies
> >			- performance anomalies
> >		- compress and archive data stream into manageable
> >		  5 min chunks (average file size 30MB compressed;
> >		  note, the file size could be reduced enormously).
> >	analysis/visualization host
> >		- 733Mhz PIII UP
> >		- 1024MB ram
> >		- web services
> >		- visualization provided by Cricket, RRD tool, etc.
> >
> >4,5/ archive data rate varies from 1 week to 2 months
> >	- dual-core probe 6-7GB/day
> >	- egress probe 8-10GB/day
> >
> >6/ about 10 years with various activities.  We co-authored Argus
> >1.3/1.5
> >   with Carter at the Software Engineering Institute/CERT
> >
> >7/ current work/efforts
> >	- real-time and static visualization of security and
> >	  performance anomalies
> >	- anomaly tool suite for network and security managers
> >		- reporting
> >		- alerting
> >	- Anonymization of data for use by research community
> >
> >>-----Original Message-----
> >>From: owner-argus-info at lists.andrew.cmu.edu
> >>[mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell 
> >>Fulton
> >>Sent: Sunday, February 03, 2002 6:05 PM
> >>To: argus-info at lists.andrew.cmu.edu
> >>Subject: Giving a talk on Argus...
> >>
> >>
> >>Hi All,
> >>	AusCERT have prevailed on me to give a talk at the security
> >>conference
> >>they are organizing in May.  They initially asked me to talk about
> >>scans
> >>but I decided that everyone knows about scans but not everyone knows
> >>about Argus so I would take the opportunity to try and raise the
> >>profile
> >>of our favourite tool.  The talk will focus on the practical reasons
> >>for
> >>running argus and how it complements things like
> >>NIDS.
> >>
> >>One of the things I want to emphasise is that Argus is being used 
> >>at some major sites with large feeds. I.e. this is not some 'nice 
> >>theoretical idea', it really is being used to monitor some heavily 
> >>used links.  (Auckland does not really count ;-)  with a mere 7 
> >>Mbps...).
> >>
> >>So I would appreciate some brief summaries with the following
> >>information:
> >>
> >>1/ type of link being monitored (OC3, gigabit ethernet etc)
> >>2/ peak volumes in Mbps (approx averaged over 5 minutes)
> >>3/ brief description of hardware used including amount of Disk and Memory
> >>4/ how long do you keep logs (on disk and archived).
> >>5/ daily log volume (compressed).
> >>6/ how long have you been using argus.
> >>
> >>Along with a statement as to whether you want the information made 
> >>anonymous.
> >>
> >>Much of the material will be similar to Peter's ;login article and I 
> >>will include a reference to it in my slides.  I will, of course, 
> >>include pointers to www.qosient.com -- and other online resources I 
> >>should mention.
> >>
> >>Lastly anyone have any argus related funny stories that I can use to 
> >>keep people awake? scp
> >>-- 
> >>Russell Fulton, Computer and Network Security Officer
> >>The University of Auckland,  New Zealand
> >>
> >>
> 
> 

-- 
David Brumley
650.723.2445
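The header switch David describes, written out as an added example (this is not the archive's actual procmail recipe): a filter keyed on Sender: silently stops archiving once the list software rewrites that header, whereas keying on Return-Path:, which the receiving MTA writes from the SMTP envelope sender, survives the change. The list-owner address and the post-change Sender: value are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list-owner (envelope) address used by the constructed messages below.
LIST_OWNER = "owner-argus-info@lists.andrew.cmu.edu"

def _addr(raw: str, header: str) -> str:
    """Return the bare address from one header, lower-cased; '' if the header is absent."""
    return parseaddr(message_from_string(raw).get(header, ""))[1].lower()

def archive_by_sender(raw: str) -> bool:
    """Old rule: archive when Sender: names the list owner.
    Breaks silently when the list software starts writing a different Sender:."""
    return _addr(raw, "Sender") == LIST_OWNER

def archive_by_return_path(raw: str) -> bool:
    """New rule: key on Return-Path:, which the receiving MTA fills from the
    SMTP envelope sender, so the list software's header choices do not matter."""
    return _addr(raw, "Return-Path") == LIST_OWNER

# Constructed sample messages (not real archive traffic).
BEFORE_CHANGE = (
    "Return-Path: <owner-argus-info@lists.andrew.cmu.edu>\n"
    "Sender: owner-argus-info@lists.andrew.cmu.edu\n"
    "From: chas@difatta.org\n"
    "Subject: RE: Giving a talk on Argus...\n"
    "\n"
    "list post, old list software\n"
)
AFTER_CHANGE = (
    "Return-Path: <owner-argus-info@lists.andrew.cmu.edu>\n"
    "Sender: argus-info-bounces@lists.andrew.cmu.edu\n"  # hypothetical new Sender: value
    "From: chas@difatta.org\n"
    "Subject: RE: Giving a talk on Argus...\n"
    "\n"
    "list post, new list software\n"
)
PRIVATE_MAIL = (
    "Return-Path: <someone@example.org>\n"
    "Sender: someone@example.org\n"
    "Subject: not a list post\n"
    "\n"
    "must not be archived under either rule\n"
)

def archive_gap(messages) -> int:
    """Count list posts the old Sender: rule drops but the Return-Path: rule keeps."""
    return sum(1 for m in messages if archive_by_return_path(m) and not archive_by_sender(m))

if __name__ == "__main__":
    print("posts lost by the Sender: rule:", archive_gap([BEFORE_CHANGE, AFTER_CHANGE, PRIVATE_MAIL]))
```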


