Argus/radium trade offs

Russell Fulton r.fulton at auckland.ac.nz
Sun Aug 26 23:03:36 EDT 2007


Hi folks.

I am reassessing how I run some of my sensors and would like some advice
before I try the suck and see method.

On our dmz I collect two sets of data:

   1. A full normal set of all flow records for traffic into and out of
      our network.
   2. The first 200 bytes of all outgoing TCP sessions to port 80.

To do this I currently run two argi.  It has been suggested that it
would be better to run just one argus and feed two clients which then
write the output files (using rastrip to dump the user data for the
'normal' flow file).

My concern with this is: will having argus collect user data for all
sessions outweigh the advantages of running a single argus?

Any ideas or should I suck to see if it is an orange or a lemon ;)

One other quick question.  Is there a way of getting argus to only bind
to the loopback interface?

Russell


BTW we run the port 80 data through a script which extracts the URI, src
& dest IP, timestamp and referrer and puts this in an ASCII file that we
then compress.  This data has proved useful for a number of things
including figuring out where malicious URLs are (Snort tells us the IP
but there are often 100s of sites co-hosted and unless you know the
actual URL you can't get stuff taken down).
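The extraction step described above, as an added example that is not the poster's script or any argus code: it parses the truncated HTTP request found in the first 200 bytes of a port-80 session, joins the Host header and path into the URL that names a site among many co-hosted on one IP, and flags records whose headers were cut by the capture limit instead of trusting a half-read header line. The flow-record tuple layout and the sample flows are constructed assumptions, not the format ra emits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample flows as (timestamp, src, dst, user data); the layout is an assumption.
SAMPLE_FLOWS = [
    ("2007-08-27 10:01:02", "192.0.2.10", "203.0.113.5",
     b"GET /images/banner.php?id=7 HTTP/1.1\r\nHost: shop.example\r\n"
     b"Referer: http://search.example/q?x=1\r\nAccept: */*\r\n\r\n"),
    ("2007-08-27 10:01:05", "192.0.2.11", "203.0.113.5",
     (b"GET /dl/update.exe HTTP/1.1\r\nHost: cdn.example\r\nUser-Agent: "
      + b"X" * 150 + b"\r\nReferer: http://bad.example/\r\n\r\n")[:200]),  # 200-byte capture
]

REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r?\n")

@dataclass
class HttpSummary:
    timestamp: str
    src: str
    dst: str
    url: str
    referrer: Optional[str]
    truncated: bool  # header block was cut off by the capture limit

def parse_headers(raw: bytes) -> "tuple[dict, bool]":
    """Header lines up to the blank line; the unterminated last piece was cut."""
    headers, truncated = {}, True
    *lines, _partial = re.split(rb"\r?\n", raw)  # drop the cut-off remainder
    for line in lines:
        if line == b"":
            truncated = False  # blank line reached: header block is complete
            break
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, truncated

def summarize(flow) -> Optional[HttpSummary]:
    ts, src, dst, payload = flow
    m = REQUEST_LINE.match(payload)
    if not m:
        return None  # not HTTP, or the request line itself was cut off
    target = m.group(2).decode("latin-1")
    headers, truncated = parse_headers(payload[m.end():])
    host = headers.get("host")
    # Host header + path names the site among the many co-hosted on one IP
    url = target if host is None or target.startswith("http") else f"http://{host}{target}"
    return HttpSummary(ts, src, dst, url, headers.get("referer"), truncated)
```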


