[ARGUS] Sensor Setup

[eric]

On Mon, 2004-07-26 at 10:37:00 -0400, John Nagro proclaimed...

> Could someone please outline (or point me to docs) on properly setting
> up a machine to run argus and instead of writing its output to disk,
> sent it to another machine and have it record there.
> 
> This would be a huge help.

On machineA, compile argus and use the following argus.conf

ARGUS_DAEMON=yes
ARGUS_MAX_INSTANCES=1
ARGUS_SET_PID=yes
ARGUS_PID_FILENAME=/var/run/argus.pid
ARGUS_MONITOR_ID=666
ARGUS_BIND_IP=10.10.10.10
ARGUS_ACCESS_PORT=561
ARGUS_GO_PROMISCUOUS=yes
ARGUS_FLOW_STATUS_INTERVAL=30
ARGUS_MAR_STATUS_INTERVAL=30
ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
ARGUS_GENERATE_JITTER_DATA=yes
ARGUS_GENERATE_MAC_DATA=no
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER=""
ARGUS_INTERFACE=em0
ARGUS_INTERFACE=em1
#ARGUS_OUTPUT_FILE=/data/argus/tmp/argus.out

Then on machineB..

$ nohup ra -nn -S 10.10.10.10 -w argus.cap &

Rotate your flows, as necessary, using argusarchive.