Argus Freezes
Carter Bullard
carter at qosient.com
Mon Nov 15 12:32:37 EST 2010
Hey Sunjeet,
I believe you're running out of memory. With DDoS attacks, you tend to see
a lot of flows, and with your "-S 86400" option (ARGUS_FLOW_STATUS_INTERVAL)
I suspect that you are holding a massive number of flows in memory too long.
The "-S secs" option is designed to give you control over the timeliness of
status reporting and to control how long argus will hold the cache for a specific
flow, which eventually helps to control the amount of memory argus uses when
processing packets. After the ARGUS_FLOW_STATUS_INTERVAL has expired,
argus puts a flow cache on a time out queue, and if there is no additional flow
activity, it will deallocate the memory.
In DDoS attacks, you tend to see a lot of low packet flows of very short duration.
There is no reason to keep these flows in memory for very long. Getting a status
report out of argus quickly and deallocating their memory is important.
With your "-S 1d" option, you will retain every flow cache (which is around 400-800
bytes), and there are, no doubt, a very large number of them.
Try running with a "-S 60" or "-S 5", and then take the output and process it using
racluster(), rabins() or rasqlinsert() to get your 1 status report per day. racluster()
and rabins() do their aggregation in RAM. rasqlinsert() provides a mechanism for
using the disk to aggregate very large numbers of flows.
Carter
On Nov 15, 2010, at 12:12 PM, Sunjeet Singh wrote:
> Hi,
>
> I'm using Argus 3.0.3.18 on 64-bit Mac OS X Snow Leopard.
>
> I am trying to use the command-
> argus -S 86400 -r nettrace.pcap -w nettrace.argus
>
> on a file nettrace.pcap of size 1.6 GB and with only tcp packets. This command keeps running indefinitely. Upon monitoring the size of the nettrace.argus file when this command is executing, I found that its size is stagnant at 8 KB and as soon as I abort that command the size becomes 1.8 MB.
>
> Argus is working great for other (smaller) traces that I am analyzing. The only thing that makes this trace different from the others is that this is a trace collected at a host witnessing a DDOS attack.
>
> Can you please help me figure this out?
>
> Thank you,
> Sunjeet Singh
>
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
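As an added illustration, not argus code and not part of this thread, here is a small Python model of the flow-cache timeout Carter describes: a cache is held until it has been idle for the status interval, then reported and freed, and a long-lived flow reports every interval. The input is constructed (one-packet flows from distinct sources to one victim, as in a DDoS trace) and the 600-byte per-cache figure is an assumption taken from the 400-800 byte range quoted above, so the numbers are relative, not measurements.

```python
from collections import OrderedDict

CACHE_BYTES = 600  # assumption: mid-point of the 400-800 bytes per flow cache quoted above


def ddos_stream(n_flows, pkts_per_sec):
    """Constructed sample input: n_flows single-packet flows from distinct
    sources to one victim at a constant rate. Yields (timestamp_ms, flow_key)."""
    for i in range(n_flows):
        yield i * 1000 // pkts_per_sec, ("src-%d" % i, "victim", 6, 80)


def simulate(packets, status_interval_s):
    """Replay packets through a simplified flow-cache model.

    A cache stays in memory until it has been idle longer than the status
    interval, then one record is emitted and the cache is freed. A cache that
    keeps seeing packets emits a status record every interval (this model
    omits the rest of the per-flow state real argus keeps).
    Returns (peak_caches_in_memory, records_emitted).
    """
    limit_ms = status_interval_s * 1000
    active = OrderedDict()  # flow_key -> (last_seen_ms, last_report_ms), oldest first
    peak = emitted = 0
    for ts, key in packets:
        # Timeout queue: expire idle caches sitting at the head of the queue.
        while active:
            _, (last_seen, _) = next(iter(active.items()))
            if ts - last_seen <= limit_ms:
                break
            active.popitem(last=False)
            emitted += 1
        if key in active:
            _, last_report = active[key]
            if ts - last_report >= limit_ms:
                emitted += 1  # periodic status report for a long-lived flow
                last_report = ts
            active[key] = (ts, last_report)
            active.move_to_end(key)
        else:
            active[key] = (ts, ts)
        peak = max(peak, len(active))
    emitted += len(active)  # end of input flushes whatever is still cached
    return peak, emitted


def estimated_peak_bytes(packets, status_interval_s):
    return simulate(packets, status_interval_s)[0] * CACHE_BYTES


if __name__ == "__main__":
    stream = list(ddos_stream(100_000, 100))  # 1000 s of 100 one-packet flows/s
    for s in (86400, 60, 5):
        peak, recs = simulate(stream, s)
        print("-S %5d: peak caches %6d (~%.1f MB), records %d"
              % (s, peak, peak * CACHE_BYTES / 1e6, recs))
```

With -S 86400 every cache from the whole trace stays resident at once; with -S 60 or -S 5 only the last minute or five seconds of flows are in memory, while the same number of records is still written for later aggregation with racluster or rabins.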