Using the argus server as a NetFlow listener

Terry Burton tez at terryburton.co.uk
Mon Oct 22 08:31:20 EDT 2007


Hi,

I am currently running Argus 2.0.6 as shipped with Debian Etch.

I run several argus server instances listening to promiscuous
SPAN-attached interfaces that write to local audit files and provide
connections on local ports for argus clients:

argus -i eth1 -w core1.arg -P 561
argus -i eth2 -w core2.arg -P 562
argus -i eth3 -w core3.arg -P 563
...

As well as providing great security audit records this allows our
network admins to have a near real-time view of the state of the
network. We also post-process the captured data to detect network
anomalies such as activity from unregistered hosts and unusual
inter-subnet traffic. This is really an excellent suite of tools, thank
you!

Because of our routers' limitations of the number of VLANs/ports that
can be simultaneously monitored via a SPAN interface I have recently
enabled NetFlow which I intend to make use of for auditing and
analysis.

However I am not sure whether it is possible to have the argus server
receive and process the Netflow events so that this information can be
both logged and inspected in real-time, as with our promiscuous
interfaces.

The following is certainly not valid syntax, but conveys the basic idea:

argus -C -S sniffer:1006 -w core1.arg -P 561

I know that I can capture the NetFlow data in real-time by directly
using the argus clients, ra(top) -C -S sniffer:1006, but this is not
anywhere near as flexible as feeding this data into an argus server to
which multiple unprivileged clients (in particular ratop with custom
filters) can be intermittently attached.

Am I missing something, or is this setup not currently possible?

I'm very much looking forward to investigating the 3.0 release. Congratulations.


Thanks in anticipation,

Tez
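The post-processing described above (flagging activity from unregistered hosts and unusual inter-subnet traffic), applied directly to the NetFlow export the question is about, as an added example that is not part of the original post and is not argus code. It does not answer whether argus itself can ingest NetFlow; it is a stand-in UDP reader. It assumes the router exports NetFlow v5 (the post does not say which version); the registered-host list, subnet list and the sample datagram are constructed for the demonstration, and the listener port 1006 is taken from the `sniffer:1006` example in the post.

```python
"""Decode NetFlow v5 export datagrams and run two audit checks over the
flows: unregistered source hosts and traffic crossing monitored subnets.
Added example, not part of argus; the v5 layout is Cisco's documented one.
"""
import ipaddress
import socket
import struct
from typing import Dict, Iterable, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record


def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Decode one v5 datagram into a list of flow dicts. Raises ValueError
    on a version mismatch or a datagram shorter than its record count claims,
    so a malformed or truncated export cannot yield half-parsed records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: fewer records than header claims")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _ifin, _ifout, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "pkts": pkts, "octets": octets, "tcp_flags": tcp_flags,
        })
    return flows


def build_v5_datagram(records: Iterable[Tuple[str, str, int, int, int, int, int]],
                      flow_seq: int = 0) -> bytes:
    """Encode (src, dst, sport, dport, proto, pkts, octets) tuples as a v5
    datagram. Used here only to construct sample input; a router does this."""
    recs = list(records)
    header = V5_HEADER.pack(5, len(recs), 0, 1193063480, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                       b"\0\0\0\0", 1, 2, pk, oc, 0, 0, sp, dp, 0, 0x18, pr, 0,
                       0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc in recs)
    return header + body


def audit_flows(flows: List[Dict], registered: Iterable[str],
                subnets: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (reason, src, dst) for each flow whose source is not a
    registered host, or which crosses between two monitored subnets."""
    reg = {ipaddress.IPv4Address(a) for a in registered}
    nets = [ipaddress.IPv4Network(n) for n in subnets]

    def net_of(addr):
        return next((n for n in nets if addr in n), None)

    findings = []
    for f in flows:
        src, dst = ipaddress.IPv4Address(f["src"]), ipaddress.IPv4Address(f["dst"])
        if src not in reg:
            findings.append(("unregistered-source", f["src"], f["dst"]))
        sn, dn = net_of(src), net_of(dst)
        if sn is not None and dn is not None and sn != dn:
            findings.append(("inter-subnet", f["src"], f["dst"]))
    return findings


# Constructed site policy and sample export (hypothetical addresses).
REGISTERED = ["10.1.1.5", "10.1.1.9", "10.2.0.4"]
SUBNETS = ["10.1.1.0/24", "10.2.0.0/24"]
SAMPLE_DATAGRAM = build_v5_datagram([
    ("10.1.1.5", "10.1.1.9", 51234, 443, 6, 12, 4096),    # registered, same subnet
    ("10.1.1.77", "10.1.1.9", 40001, 22, 6, 3, 180),      # unregistered source
    ("10.1.1.5", "10.2.0.4", 33000, 3306, 6, 40, 20000),  # crosses subnets
])


def serve(port: int = 1006, registered=REGISTERED, subnets=SUBNETS) -> None:
    """Blocking UDP listener that audits each export datagram as it arrives.
    Not started on import; run it from main on a host the router exports to."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(65535)
        try:
            for finding in audit_flows(parse_netflow_v5(data), registered, subnets):
                print(peer[0], *finding)
        except ValueError as err:
            print("dropped datagram from", peer[0], ":", err)


if __name__ == "__main__":
    for finding in audit_flows(parse_netflow_v5(SAMPLE_DATAGRAM), REGISTERED, SUBNETS):
        print(*finding)
```

On the constructed input the audit reports the second flow (source 10.1.1.77 is not registered) and the third (10.1.1.0/24 to 10.2.0.0/24). Note that NetFlow export is plain UDP with no authentication, so a listener like this should accept datagrams only from the router's known export address, and sampled NetFlow will miss flows that a SPAN-fed argus instance would see.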


