Auditing network activity: Argus to help prepare a Firewall Flow Matrix

arcangel at free.fr
Mon Feb 14 14:16:12 EST 2011


Hi, 

I started using Argus recently for a project where I need to audit network activity.
I would like to use Argus to audit traffic for a firewall in open mode (using port mirroring and a Debian system).
Using Argus, I would like to gather, for a weekly period or even a couple of weeks:
- the top 100 (or maybe more, up to 500) flows (IP source, IP destination, protocol, destination port) to prepare for firewall rule additions and to block non-seen traffic.
- statistics per protocol and bandwidth information

Did anybody try this?
Any advice or scripts already deployed to do so?
Do you recommend I test the dev branch?

The expected traffic is going to be non-basic: 270000 packets / 28M for 10 minutes of traffic.
I'm worried about scaling (memory consumption) and disk space for argus log collection/processing.

Any tip?

To start, I would like to concentrate on 3 DMZ subnets.

I tried to force Argus to only check 3 networks but it didn't work - strange, as it is a correct tcpdump filter:
argus -P 561 -d -i eth1.700 -w /var/tmp/traces-lab.argus-2011 'net  172.24.251 or net 172.24.252 or net 172.24.111'

The man page states the expression is a tcpdump(1) expression, so it should work.

Any idea/feedback will be really appreciated.

Thanks,

Steph



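As an added example (not code from the original post, nor part of the Argus project), the script below builds the kind of "flow matrix" the post asks for: it aggregates flow records by (source IP, destination IP, protocol, destination port), ranks the top N tuples by flow count or bytes, and produces per-protocol byte totals and an average bit rate. It assumes the records were exported to CSV with the argus client `ra` using a comma separator and the field list saddr, daddr, proto, dport, sbytes, dbytes (the exact `ra -c , -s ...` invocation is an assumption here, not taken from the post); the sample rows embedded in the script are constructed, not real capture data. Summaries like these stay small regardless of packet volume, since only one counter per distinct tuple is kept, which is the usual answer to the disk and memory concern raised above.

```python
"""Build a firewall flow matrix from Argus flow records exported as CSV.

Assumption (not from the original post): records were exported with the
argus client `ra` using a comma separator and the field list
saddr,daddr,proto,dport,sbytes,dbytes, roughly:
    ra -r traces.argus -c , -s saddr daddr proto dport sbytes dbytes
The sample below is constructed for illustration only.
"""
from collections import defaultdict
import csv
import io

# Constructed sample of ra-style CSV output (not real capture data).
SAMPLE_CSV = """\
saddr,daddr,proto,dport,sbytes,dbytes
172.24.251.10,10.0.0.5,tcp,443,12000,340000
172.24.251.10,10.0.0.5,tcp,443,8000,120000
172.24.252.7,10.0.0.9,udp,53,300,900
172.24.111.3,10.0.0.5,tcp,80,5000,75000
172.24.252.7,10.0.0.9,udp,53,200,700
172.24.111.3,10.0.0.5,tcp,80,1000,20000
10.0.0.5,172.24.251.10,icmp,,100,100
"""


def parse_ra_csv(text):
    """Parse ra CSV output into dicts with integer byte counts.

    Rows missing a mandatory field or with non-numeric counters are skipped;
    an empty dport (e.g. icmp) is stored as None.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            records.append({
                "saddr": row["saddr"].strip(),
                "daddr": row["daddr"].strip(),
                "proto": row["proto"].strip().lower(),
                "dport": int(row["dport"]) if row["dport"].strip() else None,
                "bytes": int(row["sbytes"] or 0) + int(row["dbytes"] or 0),
            })
        except (KeyError, ValueError):
            continue
    return records


def flow_matrix(records):
    """Aggregate records by (saddr, daddr, proto, dport) -> flow count and bytes."""
    matrix = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for r in records:
        key = (r["saddr"], r["daddr"], r["proto"], r["dport"])
        matrix[key]["flows"] += 1
        matrix[key]["bytes"] += r["bytes"]
    return dict(matrix)


def top_flows(records, n=100, by="flows"):
    """Top-n aggregated tuples ranked by 'flows' or 'bytes' (ties broken by key)."""
    ranked = sorted(flow_matrix(records).items(),
                    key=lambda kv: (-kv[1][by], str(kv[0])))
    return ranked[:n]


def proto_stats(records):
    """Per-protocol flow counts and byte totals."""
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for r in records:
        stats[r["proto"]]["flows"] += 1
        stats[r["proto"]]["bytes"] += r["bytes"]
    return dict(stats)


def bandwidth_bps(records, seconds):
    """Average bit rate over the capture window: total bytes * 8 / seconds."""
    total = sum(r["bytes"] for r in records)
    return total * 8 / seconds


if __name__ == "__main__":
    recs = parse_ra_csv(SAMPLE_CSV)
    for key, counters in top_flows(recs, n=5):
        print(key, counters)
    print(proto_stats(recs))
    print("avg bps over 600 s:", bandwidth_bps(recs, 600))
```

Feeding it a weekly export instead of the sample gives the candidate allow-list (every tuple seen) plus the ranking needed to review the top 100 to 500 entries; anything outside the matrix is the "non-seen" traffic the post wants to block.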