Graph of the Week at http://qosient.com/argus
Olaf Gellert
olaf.gellert at intrusion-lab.net
Thu Sep 14 02:07:46 EDT 2006
Hi,
Darren Spruell wrote:
> I'd be interested in seeing a range of practical applications of
> argus, supported by either graphs or straight terminal output, and
> focusing on pointed, practical tasks. For example, my activities
> revolve around security monitoring and incident response, and I'm
> interested in learning more about how traffic anomalies can be
> identified by argus and how we can accomplish better network auditing
> capabilities (for example, correlating a given IDS event with "other"
> traffic flows that we see for possibly compromised hosts, or even just
> enumerating hosts and ports that the suspect has communicated with in
> the last n hours.) Also, what sort of things is argus better suited
> for in these regards compared to things like netflow and sflow or
> rmon?
One example of a security check is this (we have been doing it for
many years now): We compare if any packet with an inside IP
address has the MAC-address of our router interface. That way we
notice IP-spoofing (or check if our firewall really does what it
should do: keep these packets out).
What I have been working on is "raprelude". This is an argus client
(much the same as "ra") which logs the argus flows to the prelude IDS
system. With prelude we collect SNORT data and ARGUS data
so we can match them. This is pretty handy: For every alert from
snort (which only lists the contents of the packet that raised the
alert) we get additional data from argus (packet and byte count
of the connection, start and end time of the connection). And of
course we are especially interested in evaluating those argus
records that have not raised a snort alert but look fishy (that gives
way to anomaly detection). But this is still unfinished work.
You can find "raprelude" here (but the recent version is going to
be improved soon, some minor bugfixes, too):
http://www.intrusion-lab.net/raprelude/
Regards, Olaf
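The spoofing check Olaf describes (an inside source address arriving with the router interface's MAC) written out as a small script, added here as an example and not code from the raprelude project. It assumes the flows have already been exported to a comma-separated layout of start time, source MAC, source IP, destination IP and packet count; the inside prefix, the router MAC and the sample records are all constructed values.

```python
import ipaddress

# Constructed sample flow records in the assumed field order:
# start time, source MAC, source IP, destination IP, packets.
# This is an illustrative layout, not argus' own output format.
SAMPLE_FLOWS = """\
2006-09-14 02:01:10,00:11:22:33:44:55,192.168.1.10,10.0.0.5,12
2006-09-14 02:01:12,00:aa:bb:cc:dd:ee,203.0.113.9,192.168.1.10,3
2006-09-14 02:01:15,00:aa:bb:cc:dd:ee,192.168.1.77,192.168.1.10,40
2006-09-14 02:01:20,00:11:22:33:44:99,192.168.1.20,198.51.100.2,7
"""

# Assumed values: the inside address range and the MAC of the
# router's inside interface. Every packet that really came from
# outside is delivered by the router, so it carries this source MAC.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_MAC = "00:aa:bb:cc:dd:ee"


def parse_flows(text):
    """Turn the comma-separated sample lines into flow dictionaries."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, smac, saddr, daddr, pkts = line.split(",")
        flows.append({
            "start": start,
            "smac": smac.strip().lower(),
            "saddr": ipaddress.ip_address(saddr.strip()),
            "daddr": ipaddress.ip_address(daddr.strip()),
            "pkts": int(pkts),
        })
    return flows


def find_spoofed(flows, inside_net=INSIDE_NET, router_mac=ROUTER_MAC):
    """Flows that came through the router (source MAC is the router's
    interface MAC) yet claim an inside source address. Legitimate
    inside-to-inside traffic never carries the router MAC, and
    legitimate outside traffic never carries an inside address, so a
    match means the packet was spoofed or the firewall let it through."""
    router_mac = router_mac.lower()
    return [f for f in flows
            if f["smac"] == router_mac and f["saddr"] in inside_net]


if __name__ == "__main__":
    for f in find_spoofed(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['start']} spoofed inside source {f['saddr']} "
              f"-> {f['daddr']} ({f['pkts']} packets)")
```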