Auditing Network activity : Argus to help to prepare a Firewall Flow Matrix
arcangel at free.fr
Mon Feb 14 14:16:12 EST 2011
Hi,
I started using Argus recently for a project where I need to audit Network activity.
I would like to use Argus to audit traffic for a firewall in open mode (using port mirroring and a Debian system).
Using Argus, I would like to gather, over a weekly period or even a couple of weeks:
- the top 100 (or maybe more - up to 500) flows (IP source,IP destination, protocol, destination port) to prepare for Firewall rules addition and block non-seen traffic.
- statistics per protocol and bandwidth information
Has anybody tried this?
Any advice or scripts already deployed to do so?
Do you recommend I test the dev branch?
Traffic expected is going to be non-basic: 270000 packets / 28M for 10 minutes of traffic.
I'm worried about scaling (memory consumption) and disk space for argus log collection/processing.
Any tips?
To start, I would like to concentrate on 3 DMZ subnets.
I tried to force Argus to only check 3 networks but it didn't work - strange, as it is a correct tcpdump filter:
argus -P 561 -d -i eth1.700 -w /var/tmp/traces-lab.argus-2011 'net 172.24.251 or net 172.24.252 or net 172.24.111'
The man page states the expression is a tcpdump(1) expression, so it should work.
Any ideas/feedback will be really appreciated.
Thanks,
Steph
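As an added example (not part of the original post or of the Argus project), the aggregation step the post asks for: take flow records exported by the Argus client `ra` as CSV, collapse them into (source IP, destination IP, protocol, destination port) tuples ranked by bytes, and produce per-protocol totals. The `ra` invocation in the comment and the sample records are assumptions/constructed data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of ra CSV output, including the header line ra prints.
# Assumed invocation: ra -r traces.argus -n -c , -s saddr daddr proto dport bytes
SAMPLE_RA_CSV = """SrcAddr,DstAddr,Proto,Dport,TotBytes
172.24.251.10,10.0.0.5,tcp,443,12000
172.24.251.10,10.0.0.5,tcp,443,8000
172.24.252.7,10.0.0.53,udp,53,600
172.24.111.3,10.0.0.5,tcp,22,3000
172.24.252.7,10.0.0.53,udp,53,400
172.24.111.3,10.0.0.9,icmp,,200
"""

def parse_ra_csv(text):
    """Yield (saddr, daddr, proto, dport, bytes) tuples, skipping header rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue
        saddr, daddr, proto, dport, nbytes = (f.strip() for f in row[:5])
        try:
            ipaddress.ip_address(saddr)  # header and junk rows fail here
        except ValueError:
            continue
        # ICMP and other port-less protocols leave dport empty in ra output
        port = int(dport) if dport.isdigit() else None
        yield saddr, daddr, proto.lower(), port, int(nbytes)

def flow_matrix(records, top_n=100):
    """Aggregate records into (src, dst, proto, dport) flows ranked by bytes,
    plus per-protocol flow counts and byte totals."""
    by_tuple = defaultdict(int)
    by_proto = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for saddr, daddr, proto, dport, nbytes in records:
        by_tuple[(saddr, daddr, proto, dport)] += nbytes
        by_proto[proto]["flows"] += 1
        by_proto[proto]["bytes"] += nbytes
    top = sorted(by_tuple.items(), key=lambda kv: (-kv[1], kv[0][0]))[:top_n]
    return top, dict(by_proto)

def to_rules(top):
    """Render the matrix as permit lines; unseen traffic is the block candidate."""
    lines = []
    for (saddr, daddr, proto, dport), nbytes in top:
        svc = f"{proto}/{dport}" if dport is not None else proto
        lines.append(f"permit {saddr} -> {daddr} {svc}  # {nbytes} bytes seen")
    return lines
```

Run the functions over a week of `ra` output (one record per flow) and compare the resulting permit list against the rules you intend to deploy; flows outside the top list are the ones that would be blocked and deserve a manual look before cutting over.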