Auditing Network activity : Argus to help to prepare a Firewall Flow Matrix

Carter Bullard carter at qosient.com
Mon Feb 14 15:24:12 EST 2011


Hey Steph,
Yes argus and its client programs can provide the functions you're looking for.
Once you start to collect the correct traffic and have it written to an archive, you
can then run simple scripts that process the archive to generate the reports
you've described.

The dev branch is going to be released, hopefully this week, as argus-3.0.4 so I would
start with it.

I would start with the descriptions from the website regarding audit systems:  

   http://qosient.com/argus/audit.shtml

If you have any problems, send email to the list, and I, or someone, will be happy to
walk you through glitches.  Once you get the archive started, then we can talk about
programs for generating your reports.  The basic data needed for top 100 flows in a
month is provided by racluster(), sorting using your Top criteria, is done with rasort()
and then grabbing the N in the top value is done using ra().

   racluster -R /path/to/your/archive/2011/01 -w - | rasort -m pkts -w - | ra -N 100

This may seem complicated, but hopefully looking at the racluster() manpage, you'll
start to get it.  Many on the list will say that clustering a whole month's worth of data
is tough, since you need a lot of memory to do a month, but there are many tricks,
such as doing daily or hourly aggregations, and then processing those aggregates
to get your larger aggregate statistic.

Don't worry about asking on the email list, many will benefit from the dialogue.

With regard to your filter problem.

  argus -P 561 -d -i eth1.700 -w /var/tmp/traces-lab.argus-2011 'net  172.24.251 or net 172.24.252 or net 172.24.111'

The "-w <file | stream ["filter"]> " option has an optional 'filter' field in its syntax.  This filter is used to specify
what argus transmits, and so it is expecting an argus filter.   In your command, your tcpdump filter is being
parsed as the "-w file filter" filter.

The fix is very simple.  You could rearrange your command line options, such as this:

   argus -w /var/tmp/traces-lab.argus-2011 -P 561 -i eth1.700 -d 'net  172.24.251 or net 172.24.252 or net 172.24.111'


or you can place a '-' after the filename to close the "-w file" option. For argus anything remaining is
considered the filter.

   argus -P 561 -d -i eth1.700 -w /var/tmp/traces-lab.argus-2011 - 'net  172.24.251 or net 172.24.252 or net 172.24.111'

Carter


On Feb 14, 2011, at 2:16 PM, arcangel at free.fr wrote:

> Hi, 
> 
> I started using Argus recently for a project where I need to audit Network activity. 
> I would like to use Argus to audit traffic for a Firewall in Open-Mode (using a port-mirroring and a Debian system) 
> Using Argus, I would like to gather for a weekly period or even a couple of weeks :
> - the top 100 (or maybe more - up to 500) flows (IP source, IP destination, protocol, destination port) to prepare for Firewall rule additions and block non-seen traffic.
> - statistics per protocol and bandwidth information
> 
> Did anybody try this? 
> Any advice or scripts already deployed to do so? 
> Do you recommend I test the dev branch? 
> 
> Traffic expected is going to be non-basic : 270000 packets / 28M  for 10 minutes traffic
> I'm worried about scaling (memory consumption) and space disk for argus log collections/processing.
> 
> Any tip ? 
> 
> To start I would like to concentrate on 3 DMZ subnets,
> 
> I tried to force Argus to only check 3 networks but it didn't work - strange as it is a correct tcpdump filter :  
> argus -P 561 -d -i eth1.700 -w /var/tmp/traces-lab.argus-2011 'net  172.24.251 or net 172.24.252 or net 172.24.111'
> 
> The man-page states expression is a tcpdump(1) expression .. so it should work.
> 
> Any idea/feedback will be really appreciated 
> 
> Thanks, 
> 
> Steph
> 

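The racluster | rasort | ra -N pipeline and the daily-aggregation trick from the reply, modelled in Python as an added example (this is not Argus code and does not call the Argus tools); the flow records are constructed stand-ins for what ra(1) would print, and the field names saddr, daddr, proto and dport are assumed:

```python
"""Model of the 'cluster, sort, take N' pipeline used to build a firewall
flow matrix, plus the trick of clustering per day and merging the daily
aggregates instead of clustering a whole month in memory."""
from collections import defaultdict

# Constructed sample records: (day, saddr, daddr, proto, dport, pkts, bytes).
# Real input would come from the Argus archive via ra(1)/racluster(1).
SAMPLE = [
    ("2011-01-01", "172.24.251.10", "10.0.0.5", "tcp", 443, 120, 90000),
    ("2011-01-01", "172.24.251.10", "10.0.0.5", "tcp", 443, 80, 60000),
    ("2011-01-01", "172.24.252.7", "10.0.0.9", "udp", 53, 40, 4000),
    ("2011-01-02", "172.24.251.10", "10.0.0.5", "tcp", 443, 50, 30000),
    ("2011-01-02", "172.24.111.3", "10.0.0.9", "tcp", 22, 300, 500000),
    ("2011-01-02", "172.24.252.7", "10.0.0.9", "udp", 53, 70, 7000),
]

def cluster(records):
    """racluster-like step: merge records sharing (saddr, daddr, proto, dport)
    by summing their packet and byte counters."""
    agg = defaultdict(lambda: [0, 0])
    for _day, saddr, daddr, proto, dport, pkts, nbytes in records:
        agg[(saddr, daddr, proto, dport)][0] += pkts
        agg[(saddr, daddr, proto, dport)][1] += nbytes
    return {k: tuple(v) for k, v in agg.items()}

def merge(aggregates):
    """Combine several partial (e.g. daily) aggregates into one; the counters
    are additive, so merging daily results equals clustering the whole month."""
    total = defaultdict(lambda: [0, 0])
    for agg in aggregates:
        for key, (pkts, nbytes) in agg.items():
            total[key][0] += pkts
            total[key][1] += nbytes
    return {k: tuple(v) for k, v in total.items()}

def top_n(agg, n, metric="pkts"):
    """rasort -m pkts | ra -N n: order by the chosen counter, keep the top n."""
    idx = 0 if metric == "pkts" else 1
    return sorted(agg.items(), key=lambda kv: kv[1][idx], reverse=True)[:n]

def monthly_top(records, n, metric="pkts"):
    """Cluster each day separately, then merge the daily aggregates."""
    days = defaultdict(list)
    for rec in records:
        days[rec[0]].append(rec)
    return top_n(merge(cluster(days[d]) for d in sorted(days)), n, metric)

def flow_matrix(top):
    """Render the top flows as the (src, dst, proto/dport) lines a firewall
    rule review needs; anything not listed is the 'non-seen' traffic."""
    return [f"{s} -> {d} {proto}/{dport}" for (s, d, proto, dport), _ in top]
```

Swap `SAMPLE` for the parsed output of `racluster -R <archive> -w - | ra -s saddr daddr proto dport pkts bytes` and the same functions give the weekly or monthly matrix without holding the raw month in memory.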