Argus on Security Onion

David Edelman dedelman at iname.com
Sat Aug 10 22:36:40 EDT 2013


I've spent a little bit of time playing with the Security Onion distribution
and it's pretty good. Of course, it doesn't use the Argus development code
branch (I'll fix that on my copy :) ) and it is very basic in its approach
to the way it deals with Argus data. It creates a single output file per day
and there aren't any options that I have been able to find to change that.

I do know how Argus gets started (and restarted) and I'll just modify that
to check for the availability of an argus.conf file. If the file exists,
I'll use it otherwise I'll use the BFI (Brute Force and Ignorance) mechanism
that already exists. SO makes extensive use of MySQL so I don't see any
reason to not use the
argus->radium->rastream/rasqlinsert-1/rasqlinsert-2/whatever approach. I
promise to keep the BPF stuff at the end of my command lines.

I'll let you know  if I see folks with torches coming my way.

--Dave

-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Saturday, August 10, 2013 9:06 PM
To: David Edelman
Cc: Argus
Subject: Re: Argus Client Command Line Arguments

Well, I'm a much better programmer than I thought ;O)
I don't expect it to work on all systems, so we'll have to
keep an eye on bug reports !!!

Carter

On Aug 10, 2013, at 8:21 PM, "David Edelman" <dedelman at iname.com> wrote:

> I did a few more tests and it seem that the mid line  filter is being
> recognized correctly my 64-bit on FC 18 system.
> 
> --Dave
> 
> 
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Saturday, August 10, 2013 10:02 AM
> To: David Edelman
> Cc: Argus
> Subject: Re: Argus Client Command Line Arguments
> 
> Hey Dave,
> I think that this is incorrect, as a single - should be end of parameters
> and the beginning of the filter.  But getopt() on some Linux machines is
> using -- as a terminating condition now, which seems new(er) and may
compel
> us to move to a double -- in our documentation.
> 
> The real question is " does the filter work "?  On many systems
> it won't get parsed as a filter expression, as getopt() may see
> them as options to pass to the getopt() parameter parser.
> Our current logic is, anything after parsing options, pass as a filter.
> 
> So this is not as it was intended...
> So how did you like is Richard's book ???
> 
> Carter
> 
> On Aug 9, 2013, at 7:03 PM, "David Edelman" <dedelman at iname.com> wrote:
> 
>> Carter,
>> 
>> In Richard Bejtlich's new book he does include examples of using Argus
and
>> some of the clients but he consistently puts the BPF filter arguments in
> the
>> middle of the argument string preceded by the isolated minus sign e.g.:
>> # racluster -r filename.argus - tcp  and src port 80  -s +sappbytes 
>> 
>> I just attempted to do that on one of my systems and it does work. Is
this
>> intended behavior that will be supported over the long term? I had always
>> considered the isolated minus sign as terminating option string
> processing.
>> If it is actually a non-terminal  escape from option processing  then the
>> current use makes sense.
>> 
>> --Dave
> 
> 




More information about the argus mailing list