Using the argus server as a NetFlow listener

[Carter Bullard]

Hey Tez,
You're not the only one asking for this funciton, but its a bit
of a head scratcher.   I think you would like argus() to realize
that the packet it just sniffed is a netflow record, and from it
spit out the flow records that it contains?  I have a solution for
this in the research versions of argus-3.0, but not in the first
release.

There is one basic problem with doing this function.  The
libpcap snaplen will pretty much guarantee that you'll get
only a partial reading of the netflow packet, and as a result
if argus() is parsing it out, and generating flow records from
the netflow datagrams, you'll not get them all (which I think
is not a good thing).

I think the solution should be along the line of radump(), which
parses out the user data buffer that is in the argus flow record.
If we just put the entire netflow data packet payload into the
argus record that is tracking the netflow stream, then you could
have a ra* program recover all the netflow records that were
in the stream.   That is, of course, if argus saw the entire packet ;o)

So the program you're looking for, I think, should be a ra* program.

But, the closest thing in the initial argus-3.0 release to what
you're looking for is radium().  I would run radium on the same
machine as argus, and have it read the netflow records and
collect from the argi, (either v2 or v3) at the same time, and provide
access to the resulting single aggregated stream, just like argus().
You have to know the netflow is there for radium() to read it,
but you'll at least get the entire contents.

Give radium() a run, and if you have any problems, send
some email, so I can get your experience into the argus-3.0
release notes (or fix some bugs ;o)

Hope all is most excellent, and glad argus is working for
you!!!

Carter



On Oct 22, 2007, at 8:31 AM, Terry Burton wrote:

> Hi,
>
> I am currently running Argus 2.0.6 as shipped with Debian Etch.
>
> I run several argus server instances listening to promiscuous
> SPAN-attached interfaces that write to local audit files and provide
> connections on a local ports for argus clients:
>
> argus -i eth1 -w core1.arg -P 561
> argus -i eth2 -w core2.arg -P 562
> argus -i eth3 -w core3.arg -P 563
> ...
>
> As well as providing great security audit records this allows our
> network admins to have a near real-time view of the state of the
> network. We also post-process the captured data to detect network
> anomalies such as activity from unregistered hosts and unusual
> inter-subnet traffic. This is really an excellent suite of tool, thank
> you!
>
> Because of our routers' limitations of the number of VLANs/ports that
> can be simultaneously monitored via a SPAN interface I have recently
> enabled NetFlow which I intend to make use of for auditing and
> analysis.
>
> However I am not sure whether it is possible to have the argus server
> receive and process the Netflow events so that this information can be
> both logged and inspected in real-time, as with our promiscuous
> interfaces.
>
> The following is certainly not valid syntax, but conveys the basic  
> idea:
>
> argus -C -S sniffer:1006 -w core1.arg -P 561
>
> I know that I can capture the NetFlow data in real-time by directly
> using the argus clients, ra(top) -C -S sniffer:1006, but this is not
> anywhere near as flexible as feeding this data into an argus server to
> which multiple unprivileged clients (in particular ratop with custom
> filters) can be intermittently attached.
>
> Am I missing something, or is this setup not currently possible?
>
> I'm very much looking forward to investigating the 3.0 release.  
> Congratulations.
>
>
> Thanks in anticipation,
>
> Tez
>