hole in the argus archive on theorygroup.org

Chas DiFatta chas at difatta.org
Fri Mar 1 00:45:09 EST 2002


Peter,

Here is the configuration of 3 of our probe hosts at CMU.
Not much tweaking to get 400 Mb/sec out of them with
the commercial code of Argus.  We really haven't tried to
push the limit on them. We have some ideas on how to make
them fly, but remember, we're just interested in not dropping
anything from the core auditing effort which is about 400 Mb/sec max.

So far we're not dropping anything and we have about 10-15%
of cpu left without much tweaking done.  One thing to note,
Argus can really fly when it doesn't have to write to disk.
I.e. interrupts become a problem on any system with disk writes.
What we do is just have the probes run Argus without writing to
disk and collect data from them via the network (port 561/tcp).
Therefore, we don't have to load the system with disk writes.
We're pretty much collecting the kitchen sink when it comes to
data, so on a 400 Mb/sec network, Argus outputs about
1.5 Mb/sec of audit data.  Not much when you consider the
amount of data you're auditing.  We could reduce this to
1 Mb/sec easily, and then some.

	...cd

p.s. On the "Turbo" zero copy packet capture code in Linux,
     I understand that it only helps when you're doing
     packet filtering to reduce copying in the kernel.
P.p.s. We'd like to play with a NetBSD box, since I hear the
     network code is very fast.  But it's not a priority since
     our probes are keeping up.  Time to concentrate on
     data analysis.

probe 1:
  - Dell Precision 530
  - Pentium Xeon 1.7GHz, 1gb ram, Linux 2.4
  - 3com 3c985 gige card
  - Syskonnect ?? single gige card (don't know the model) 

probe 2:
  - Dell Optiplex GX240
  - Pentium 3 1.8GHz, 650mb ram, linux 2.4
  - 2x Intel gige cards (model ??) - low # of interrupts

probe 3:
  - Dell Optiplex GX100
  - Pentium 3 900MHz, 256mb ram, linux 2.4
  - Intel gige card (model ??) - low # of interrupts

>-----Original Message-----
>From: owner-argus-info at lists.andrew.cmu.edu
>[mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
>Sent: Thursday, February 28, 2002 8:20 AM
>To: argus
>Subject: Re: hole in the argus archive on theorygroup.org
>
>
>	For at least me, it wasn't only the archive that missed these. I
>don't find any of the three posted so far in my mail file either (and I'm
>quite interested because dark fibre and a GigE link are in my and more
>importantly in my argus's short term future). Did others on the list see
>these or was there a black hole for a while?
>	While I'm here a suggestion I came across elsewhere: the Linux channel
>bonding code from George Becker works with GigE cards and can combine two
>GigE outputs into a single logical device for feeding to things (such as
>for instance argus). In combination with the "Turbo" zero copy packet
>capture code in Linux this may be interesting.
>	Which operating system is the CMU argus running on (I don't see it in
>the interesting list of machines I should be considering buying :-))?
>
>Peter Van Epp / Operations and Technical Support 
>Simon Fraser University, Burnaby, B.C. Canada
>
>> 
>> 
>> There aren't any posts recorded in the archive between 2/8-2/13..  Was
>> there a problem in there?  I know there were a few posts, especially
>> some responses to Russell's "Giving a talk on Argus" query - including
>> the one fairly extensive post detailing some of our configuration work
>> at CMU..
>> 
>> Carter, do you have a copy that perhaps can be reposted on the archive?
>> Mark.
>> 
><snip of interesting post>
>

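The probe layout Chas describes above (argus keeps records in memory and serves them on 561/tcp; a collector elsewhere does the disk writing) as an added example, not code from the post or from the Argus project. It writes an argus.conf using the directive names of the open-source argus.conf, checks that a given config really has no local output file, and prints the matching collector-side ra command. The interface (eth1), addresses (192.0.2.x), monitor id and paths are assumed.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds an argus.conf for
# a probe that serves its records on 561/tcp instead of writing them to
# local disk, checks a config for that property, and prints the matching
# collector-side command. Directive names are those of the open-source
# argus.conf; the interface, address, monitor id and paths are assumed.

# Emit a "diskless" probe configuration on stdout.
#   $1 capture interface, $2 address to bind the 561/tcp listener to,
#   $3 monitor id reported in the records
probe_conf() {
  cat <<EOF
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID=$3
ARGUS_INTERFACE=$1
ARGUS_GO_PROMISCUOUS=yes
# serve records to collectors; bind to the management address only,
# never to the capture interface or 0.0.0.0
ARGUS_ACCESS_PORT=561
ARGUS_BIND_IP=$2
ARGUS_FLOW_STATUS_INTERVAL=5
# no ARGUS_OUTPUT_FILE: the probe never touches disk for records
ARGUS_CAPTURE_DATA_LEN=0
EOF
}

# Return 0 if the config serves on the network and has no active local
# output file, 1 otherwise (an uncommented ARGUS_OUTPUT_FILE line means the
# probe would be writing to disk again).
check_diskless() {
  conf="$1"
  if grep -q '^ARGUS_OUTPUT_FILE=' "$conf"; then
    echo "check_diskless: local output enabled in $conf" >&2
    return 1
  fi
  if ! grep -q '^ARGUS_ACCESS_PORT=' "$conf"; then
    echo "check_diskless: no ARGUS_ACCESS_PORT in $conf" >&2
    return 1
  fi
  return 0
}

# Collector-side command: ra connects to the probe and does the disk
# writing here. $1 probe address, $2 output file on the collector.
collector_cmd() {
  printf 'ra -S %s:561 -w %s\n' "$1" "$2"
}

# Usage (addresses and paths are constructed):
#   probe_conf eth1 192.0.2.10 probe1 > /etc/argus.conf
#   argus -F /etc/argus.conf
#   collector_cmd 192.0.2.10 /var/log/argus/probe1.out
```

The stream on 561/tcp is the complete audit record of the monitored link, so treat the listener as sensitive: bind it to a management address as above, and restrict who may connect with a host firewall (or tcp_wrappers, if your argus build includes libwrap support) rather than leaving it reachable from the network being audited.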