hole in the argus archive on theorygroup.org

David J Brumley dbrumley at rtfm.stanford.edu
Thu Feb 28 21:03:15 EST 2002


> 
> No problem..  I'm sorry that the mailing crap is changing 'all the
> time'.  I have no clue what's going on..  probably easier to just keep
> an eye on it, though I'll go do some bitching:-)..
> 
> I suppose there's some archive-posting delay?  On reload, I don't see
> anything between 2/8-12 yet..

Hmm. I don't see anything received for that date to the address.  Can
you (and anyone else) forward any messages you have during that period
and I'll manually insert them?


-david


> 
> > -----Original Message-----
> > From: David J Brumley [mailto:dbrumley at rtfm.stanford.edu]
> > Sent: Thursday, February 28, 2002 2:37 AM
> > To: Mark Poepping
> > Subject: Re: hole in the argus archive on theorygroup.org
> > 
> > 
> > woohoo! it worked. Let me know if you still think there is a hole. I
> > found the old messages in the archiver's mbox and added them manually.
> > 
> > Thanks for keeping an eye on this. I really should be doing it, but
> > grad school is killing me :)
> > 
> > -david
> > 
> > >
> > > There aren't any posts recorded in the archive between 2/8-2/13.. Was
> > > there a problem in there?  I know there were a few posts, especially
> > > some responses to Russell's "Giving a talk on Argus" query - including
> > > the one fairly extensive post detailing some of our configuration work
> > > at CMU..
> > >
> > > Carter, do you have a copy that perhaps can be reposted on the archive?
> > > Mark.
> > >
> > > >-----Original Message-----
> > > >From: Chas DiFatta [mailto:chas at difatta.org]
> > > >Sent: Friday, February 08, 2002 3:38 PM
> > > >To: Russell Fulton
> > > >Cc: argus-info at lists.andrew.cmu.edu
> > > >Subject: RE: Giving a talk on Argus...
> > > >
> > > >
> > > >Russell,
> > > >
> > > >Here are some thoughts on how we use Argus presently at CMU. Note that
> > > >we use the commercial version of Argus, which enables us to audit at
> > > >high data rates.  We'd love to hear your finds regarding other
> > > >installations and uses of Argus.
> > > >
> > > >Cheers!
> > > >
> > > >	...Chas
> > > >
> > > >p.s. Funny stories/uses of Argus?
> > > >	- Activating an automated Santa Claus when
> > > >	  mail was sent to santa at northpole.sei.cmu.edu.
> > > >	- Mapping specific sounds to a MIDI keyboard
> > > >	  when a network anomaly occurred.
> > > >
> > > >1/ type of links we audit,
> > > >	(A) 1Gb egress link (peak 200Mbs)
> > > >	(B) and the 2 x 1Gb dual-core switches in spanning
> > > >	    configuration
> > > >2/ we use Qosient's commercial version of Argus (Gargoyle)
> > > >	- 400Mbs/60k pps (max we've seen)
> > > >	- no packet loss detected
> > > >		- not saving to disk on probe engine but
> > > >		  remotely collect the audit stream
> > > >3/	egress probe
> > > >		- 933MHz PIII UP
> > > >		- 256MB ram
> > > >		- probe-only configuration
> > > >		- audit stream data remotely collected via
> > > >		  an archive host
> > > >	core probe
> > > >		- 1.8GHz P4 UP
> > > >		- 640MB ram
> > > >		- two Intel ?? GigE network cards
> > > >		- probe-only configuration
> > > >		- audit stream data remotely collected via
> > > >		  an archive host
> > > >	archive/analysis host
> > > >		- 933MHz PIII UP
> > > >		- 512MB ram
> > > >		- raid disk array
> > > >		- running Qosient's commercial
> > > >		  archiving/analysis tool suite
> > > >		- collects data remotely from probes via SASL
> > > >		- preprocessing of data stream to analyze
> > > >			- security anomalies
> > > >			- performance anomalies
> > > >		- compress and archive data stream into manageable
> > > >		  5 min chunks (average file size 30MB compressed).
> > > >		  Note, the file size could be reduced enormously.
> > > >	analysis/visualization host
> > > >		- 733Mhz PIII UP
> > > >		- 1024MB ram
> > > >		- web services
> > > >		- visualization provided by Cricket, RRD tool, etc.
> > > >
> > > >4,5/ archive data rate varies from 1 week to 2 months
> > > >	- dual-core probe 6-7GB/day
> > > >	- egress probe 8-10GB/day
> > > >
> > > >6/ about 10 years with various activities.  We co-authored Argus 1.3/1.5
> > > >   with Carter at the Software Engineering Institute/CERT
> > > >
> > > >7/ current work/efforts
> > > >	- real-time and static visualization of security and
> > > >	  performance anomalies
> > > >	- anomaly tool suite for network and security managers
> > > >		- reporting
> > > >		- alerting
> > > >	- Anonymization of data for use by research community
> > > >
> > > >>-----Original Message-----
> > > >>From: owner-argus-info at lists.andrew.cmu.edu
> > > >>[mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell
> > > >>Fulton
> > > >>Sent: Sunday, February 03, 2002 6:05 PM
> > > >>To: argus-info at lists.andrew.cmu.edu
> > > >>Subject: Giving a talk on Argus...
> > > >>
> > > >>
> > > >>Hi All,
> > > >>	AusCERT have prevailed on me to give a talk at the security conference
> > > >>they are organizing in May.  They initially asked me to talk about scans
> > > >>but I decided that everyone knows about scans but not everyone knows
> > > >>about Argus so I would take the opportunity to try and raise the profile
> > > >>of our favourite tool.  The talk will focus on the practical reasons for
> > > >>running argus and how it complements things like
> > > >>NIDS.
> > > >>
> > > >>One of the things I want to emphasise is that Argus is being used
> > > >>at some major sites with large feeds. I.e. this is not some 'nice
> > > >>theoretical idea', it really is being used to monitor some heavily
> > > >>used links.  (Auckland does not really count ;-)  with a mere 7
> > > >>Mbps...).
> > > >>
> > > >>So I would appreciate some brief summaries with the following
> > > >>information:
> > > >>
> > > >>1/ type of link being monitored (OC3, gigabit ethernet etc)
> > > >>2/ peak volumes in Mbps (approx averaged over 5 minutes)
> > > >>3/ brief description of hardware used including amount of Disk and Memory
> > > >>4/ how long do you keep logs (on disk and archived).
> > > >>5/ daily log volume (compressed).
> > > >>6/ how long have you been using argus.
> > > >>
> > > >>Along with a statement as to whether you want the information made
> > > >>anonymous.
> > > >>
> > > >>Much of the material will be similar to Peter's ;login article and I
> > > >>will include a reference to it in my slides.  I will, of course,
> > > >>include pointers to www.qosient.com -- and other online resources I
> > > >>should mention.
> > > >>
> > > >>Lastly anyone have any argus related funny stories that I can use to
> > > >>keep people awake? scp
> > > >>--
> > > >>Russell Fulton, Computer and Network Security Officer
> > > >>The University of Auckland,  New Zealand
> > > >>
> > > >>
> > >
> > >
> > 
> > --
> > David Brumley
> > 650.723.2445
> 

-- 
David Brumley
650.723.2445


