argus-eye GUI

Carter Bullard carter at qosient.com
Mon Nov 6 10:54:42 EST 2006


Hey Harry,
Always interested in comments.   When I hear of people's need for
a GUI, it doesn't seem that they want to make something easier to use.
My experience is that it's usually a call for a specific type of
application.
If I was going to build a GUI for argus, I would build something to
manage the configuration and collection of data from 100's - 1000's of
argi.  That would make argus easier to use, but I doubt that that is
what most people would ask for.

For me to talk about a GUI for argus() that helps people learn about
what argus can do, I would need to break it down into a set of
categories.
Are you interested in Network Forensics, Security Policy Validation, QoS
Assessment, Operations Alerting?   All of these things are enhanced
by having better data to work with, and argus() is trying to provide
better data than what is out there.  Well a GUI to search large
quantities of audit data will help you do the Forensics part, but that
doesn't really help with near real-time viewing of data.  If you are
interested in QoS, searching large quantities of data isn't going to do
much of anything for you.  You need to process the large quantities of
data for baselining and trending, and then have some applications
that compare what's going on with what's supposed to be going on.

If you're interested in scan detection, you're more interested in
Inventory Assessments (what addresses are doing what), and a GUI for
that is going to be different.   If on the other hand you're interested
in Network Operations, then you may want a GUI that allows you to build
thresholds and notifiers that certain conditions in the network have
been seen (such as Network Unreachables generated by an interior
router, which is a horrible thing), or if it's Security, you may want
some type of GUI to display automatic notifications for Security
relevant events that snort or your favorite Network Anomaly Detection
System didn't pick up.

Well sorry for the diatribe, but depending on what you want to do, the
pointer and the discussion are quite different.   I think I'm hoping
that the mailing list will help people discover solutions to their
problems.

Opinions?

Carter




On Nov 5, 2006, at 9:50 PM, Harry Hoffman wrote:

> I saw a demo of NVisionIP at, I think, flocon 2005.
>
> It looked pretty neat but from what I recall it was JAVA based and
> required quite a bit of memory to operate on small to medium datasets.
>
> I haven't really followed it but would be curious to hear how it's
> come along.
>
> As a tangent, the whole concept of a GUI is usually to make a tool
> easier to use... Does anyone have a good set of notes or a
> presentation for training new users on using Argus?
>
> My current method of a quick overview of ra* tools and "let me know if
> you have any questions" isn't really working all that well. But given
> time constraints it's all I really have. :-(
>
> Any thoughts or pointers?
>
> Cheers,
> Harry
>
> Tom Briglia wrote:
>> You might also want to check out the GUI Visualization tools put
>> out by the SIFT project for they are based on Argus:
>>
>> http://www.projects.ncassr.org/sift/
>>
>> Rather than re-invent the wheel it would be nice to help figure
>> out how to patch the SIFT tools (or Argus) so that they can utilize
>> Argus 3.x as opposed to being stuck on 2.0.5.
>>
>> Thx!
>>
>> T.
>>
>>
>> Quoting carter at qosient.com:
>>
>>> Hey Phil,
>>> This is great!!!   We already have a curses based tool for
>>> reading files, near real-time streams, which supports our
>>> aggregation strategies, etc....,  it's called ratop().
>>>
>>> If that could help you with your GUI, I would recommend that you
>>> take a look!!!!
>>> I have a version that makes argus data look like the screens from
>>> the Matrix, also curses based, that I can share.
>>>
>>> Carter
>>>
>>> Carter Bullard
>>> QoSient LLC
>>> 150 E. 57th Street Suite 12D
>>> New York, New York 10022
>>> +1 212 588-9133 Phone
>>> +1 212 588-9134 Fax
>>>
>>> -----Original Message-----
>>> From: Philipp Letschert <phil at uni-koblenz.de>
>>> Date: Sat, 4 Nov 2006 08:31:22
>>> To:argus-info at lists.andrew.cmu.edu
>>> Subject: [ARGUS] argus-eye GUI
>>>
>>> Hi,
>>>
>>> I've started a GUI for argus in Perl/Gtk2.
>>>
>>> current features are:
>>> * read data from one or many argus logfiles
>>> * display transaction data in colored table
>>> * sorting and reordering of columns possible
>>> * basic display filter usage
>>>
>>> planned features:
>>> * serious tool
>>> * bells and whistles
>>>
>>> screenshot:
>>> http://www.uni-koblenz.de/~phil/argus-eye.png
>>>
>>> I'll release GPL'ed code within the next few weeks after major
>>> cleanups and implementation of display filter parser. Currently
>>> it's a mess of just 500 lines proof-of-concept...
>>>
>>> Please let me know if there is already ongoing work for a GUI or
>>> if you have other suggestions.
>>>
>>>
>>> Cheers, Phil

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
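The Network Operations case Carter describes above (a threshold notifier for Network Unreachables coming from an interior router) as an added example; it is not code from this thread, from argus or from argus-eye. It reads constructed comma-separated flow lines in an assumed `stime,proto,saddr,daddr,state` column order, assumes `URN` as the state string for an ICMP network-unreachable, and assumes the list of interior routers.

```python
import csv
from collections import defaultdict
from io import StringIO

# Assumed column order for comma-separated flow records (field names follow
# argus naming; the order and the "URN" state spelling are assumptions).
FIELDS = ["stime", "proto", "saddr", "daddr", "state"]

# Constructed sample records, not real argus output.
SAMPLE = """\
1162783200.000001,tcp,10.1.1.20,10.2.2.5,CON
1162783200.120000,icmp,10.0.0.1,10.1.1.20,URN
1162783200.250000,icmp,10.0.0.1,10.1.1.21,URN
1162783201.000000,icmp,10.0.0.1,10.1.1.22,URN
1162783201.500000,icmp,203.0.113.9,10.1.1.20,URN
1162783260.000000,icmp,10.0.0.2,10.1.1.30,URH
"""

INTERIOR_ROUTERS = {"10.0.0.1", "10.0.0.2"}   # assumed inventory of interior routers

def parse_records(text):
    """Yield one dict per well-formed line, keyed by FIELDS."""
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue                        # skip short or garbled lines
        rec = dict(zip(FIELDS, row))
        rec["stime"] = float(rec["stime"])
        yield rec

def unreachable_notifications(text, threshold=3, window=60.0):
    """Return (router, first_stime, count) for each interior router that
    emits at least `threshold` ICMP network-unreachables within `window`
    seconds.  Unreachables from outside addresses are ignored: it is the
    ones generated inside the network that point at a routing problem."""
    seen = defaultdict(list)                # router -> stimes inside window
    alerts, alerted = [], set()
    for rec in parse_records(text):
        if rec["proto"] != "icmp" or rec["state"] != "URN":
            continue
        src = rec["saddr"]
        if src not in INTERIOR_ROUTERS:
            continue
        times = seen[src]
        times.append(rec["stime"])
        while times and rec["stime"] - times[0] > window:
            times.pop(0)                    # slide the window forward
        if len(times) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, times[0], len(times)))
    return alerts
```

The outside source 203.0.113.9 and the host-unreachable (`URH`) record are deliberately present in the sample so that only the interior router crossing the threshold is reported.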

