Auditing Network activity : Argus to help to prepare a Firewall Flow Matrix

arcangel at free.fr arcangel at free.fr
Fri Feb 25 06:08:04 EST 2011 

HI Carter, 

Thanks for your detailed answer. 
I've started some tests with argus-3.0.3.22. 

As an "Argus beginner" I've trouble to understand the "summary network flow data" format used. 
Did I miss some documentation ? 
I understood - by using an rarc with RA_PRINT_LABELS=0 - that the default format, not clearly explained in the man-pages for -s ,  in use is :
 StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State

What are the whole list of Flgs (e,s,r,U,*,i) / State (CON,REQ,FIN,ECO,INT,RST,TIM ...) values with explanations ? 

Concerning my filter problem your answer solved my issue : I now use 
argus -w /var/tmp/traces-lab.argus -P 561 -i eth1.700 -d 'net  172.24.251 or net 172.24.252 or net 172.24.111'
to just consider 3 subnets. 

However, I discovered some Argus infos about flows with devices outside these 3 subnets :
ra -r  /var/tmp/traces-lab.argus    | grep  10.65  | grep -v 172.24  | tail 

11:39:23.163358  *        sctp      10.162.82.190          <->       10.65.105.17               8        720   CON
11:39:27.780617  *        sctp      10.162.82.189          <->       10.65.105.17               8        720   CON
11:39:29.163261  *        sctp      10.162.82.190          <->       10.65.105.17              12       1136   CON
11:39:33.780702  *        sctp      10.162.82.189          <->       10.65.105.17              10        900   CON
11:39:35.163281  *        sctp      10.162.82.190          <->       10.65.105.17               8        720   CON

How is it ? 

I decided to split the Argus data stored on a daily basis using : 
rasplit -r traces-lab.argus -M time 60m -w "/archive/%Y/%m/%d/argus.%H.%M.%S" 

I now need to play with racluster :)

Thanks,

Stéph

PS : 
Without  libncurses5-dev installed on a test machine running Ubuntu 10.10, ratop cannot be build with the following errors :

make[1]: Entering directory
`/media/data/SOFTWARE/linux/Argus/argus-clients-3.0.3.22/ratop'
gcc -O3 -I. -I../include -I../common  -DHAVE_CONFIG_H -c ./ratop.c
./ratop.c:1204: error: expected identifier or '(' before '}' token
./ratop.c: In function 'RaHighlightDisplay':
./ratop.c:1228: error: 'RaWindowStartLine' undeclared (first use in
this function)
./ratop.c:1228: error: (Each undeclared identifier is reported only once
./ratop.c:1228: error: for each function it appears in.)
./ratop.c:1228: error: 'RaDisplayLines' undeclared (first use in this function)
./ratop.c:1234: error: 'ArgusPrintRank' undeclared (first use in this function)
./ratop.c:1235: error: 'RaWindow' undeclared (first use in this function)
./ratop.c:1236: error: 'A_REVERSE' undeclared (first use in this function)
make[1]: *** [ratop.o] Error 1

More information about the argus mailing list