Documentation Effort for argus-3.0 release

Carter Bullard carter at qosient.com
Mon Oct 15 13:36:32 EDT 2007 

Hey Mike (et al),
I think you're right, and possibly the best way to go then is to
start telling people how to do stuff.  I have the things that I think
are important, but again, most people are not that interested
in my esoteric issues.

So where to begin?  The principal strength of argus is the
audit trail, at least from a forensics perspective, so many/some
of the examples should be oriented toward the audit.  Most
of the recent stuff is oriented around real-time situational
awareness.  But that is pretty high on the complexity chart,
so maybe not a primary focus?

Most people do periodic audit processing for things, like access
control policy validation, Top N talkers, rudimentary intrusion
detection, matrix baselining etc....  We can start talking
about what one can do from this perspective.

A lot of sites run simple scripts, such as out-order (the number
of hosts an internal machine is talking to).  If a machine gets
over a certain threshold, generate a list.  That kind of thing.
Is this a reasonable starting point?

I quietly slid in radark.pl, a sample perl script that  generates a
scanner report, which is pretty useful.  Is that a good starting point?
Generating IP address inventories is extremely important for
long term tracking, should we talk about that?


Sorry to ask so many questions, but I can write about a lot of
things, so if we had some consensus, I could/should start today ;o)


Carter


On Oct 15, 2007, at 10:44 AM, Michael Hornung wrote:

> Yes those look good but I think their importance is the reverse of the
> order listed.  Probably most people interested enough to learn  
> about Argus
> can get it installed and running, and most can get archives working  
> pretty
> well, but the data analysis portion is what is most interesting.   
> If you
> can get people seeing good results/reports when evaluating the  
> software
> then they will be more motivated to make sure they get it deployed and
> maintained well.  That's my $.02.  =)
>
> -Mike
>
> On Sat, 13 Oct 2007 at 12:57, Carter Bullard wrote:
>
> |Gentle people,
> |Now that we're getting closer to official release (code does seem
> |to be stable) I need help on what to do to get the release ready.
> |
> |I would like to put a final effort into documentation, as that has  
> been
> |the biggest criticism of the argus project.  I believe the man pages
> |are in good order, the INSTALL and README I also believe are in
> |good shape, but there probably is need for an up to date FAQ, and
> |a set if HOW-TO guides may be in order.
> |
> |I can write pretty quickly, but I need some direction, in order to be
> |quick about it.  I'm sure that what I think is needed, is not what
> |others actually need.
> |
> |I see three basic areas:
> |   1. Deployment
> |   2. Archive Establishment and Mantenance
> |   3. Data Use and Analysis
> |
> |This is just one break out.  Would it be what you would work on
> |to make argus better for the new user/ casual user?
> |
> |Carter
> |
> |
>

More information about the argus mailing list