Argus/radium trade offs
Carter Bullard
carter at qosient.com
Mon Aug 27 08:33:31 EDT 2007
Hey Russell,
So you can bind to any address in the argus.conf file.
ARGUS_BIND_IP="127.0.0.1"
ARGUS_BIND_IP="::1"
In the new argus-3.0, either will work.
Carter
On Aug 26, 2007, at 11:03 PM, Russell Fulton wrote:
> Hi folks.
>
> I am reassessing how I run some of my sensors and would like some
> advice before I try the suck and see method.
>
> On our DMZ I collect two sets of data:
>
> 1. A full normal set of all flow records for traffic into and
> out of our network.
> 2. The first 200 bytes of all outgoing tcp sessions to port 80.
>
> To do this I currently run two argi. It has been suggested that it
> would be better to run just one argus and feed two clients which then
> write the output files (using rastrip to dump the user data for the
> 'normal' flow file).
>
> My concern with this is: will having argus collecting user data for all
> sessions outweigh the advantages of running a single argus?
>
> Any ideas or should I suck to see if it is an orange or a lemon ;)
>
> One other quick question. Is there a way of getting argus to only
> bind to the loopback interface?
>
> Russell
>
>
> BTW we run the port 80 data through a script which extracts the
> URI, src & dest IP, time stamp and referrer and puts this in an ASCII file
> that we then compress. This data has proved useful for a number of things,
> including figuring out where malicious URLs are (Snort tells us the IP
> but there are often 100s of sites co-hosted and unless you know the
> actual URL you can't get stuff taken down).
>