a report from FloCon 2013

Carter Bullard carter at qosient.com
Thu Jan 10 11:30:40 EST 2013


Gentle people,
FloCon 2013, in Albuquerque, NM, was a really good FloCon.  Some great papers, as usual, but the conversations and dialog were really key to this years conference.  Good discussion on flow data analytics, metadata, data strategies, new problems to solve. 
It was good to see Steve Bellovin, again, and I got to talk to him at length, and I got a peek of his new book, that could be coming out later this year.  Very nice to see Steve.

As usually, FloCon was at one level, another Netflow / Argus bakeoff, with many good analytic papers using either netflow or argus data at its core.   A lot of people are very happy with argus, and there were a lot of presentations / papers that were based on argus data analysis.   Everyone should at least take a look at the papers and slides, as there are some very good ideas.

People are looking for more analytics from argus, more documentation (to the level of SiLK), and there is still a significant Argus capabilities awareness problem, even at FloCon.   There was more than one "should I use SiLK or should I use Argus" conversation.  Hopefully we can fill in more of that discussion in 2013.

The Security Onion people were here in spades.  Security Onion is very cool.   They distribute with Argus, so of course they are cool.  They are Bro heavy, now, but they could be Argus heavy, if we get involved to make it happen.

Lancope, Napatech, LYNXeon, SourceFire, and HP (Arcsight), were some of the key vendors, (sorry I didn't get a chance to talk to QOSMOS), and I talked to all of them about argus, flow, their product direction etc....  Napatech has a really nice 40G capture card, and their 4 port 10G card looks really impressive (full packet capture into a modern Intel based device).  There is a chance we can get Argus running on one of those before summer.  Not the cheapest, but a great looking piece of gear.

I'm pushing that Lancope and SourceFire should be processing argus data, and LYNXeon has some good flow graphing.   I'm hoping that they will read native argus data rather than just ascii text, but we can write ascii text into LYNXeon, now, so you may find the graphs very interesting.

There was a lot of personal interest in argus at FloCon, and many of the flow dudes and dudettes run argus on their own home systems, which I take as a project and personal achievement.   Argus is a serious tool for cyber security awareness and analysis, and FloCon 2013 reflected that notion, in spades.

OK, lots of work still to do.  More analytics, more data management technology, more documentation, more attributes, which means more work in 2013.

Hope all is most excellent,

Carter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130110/9981fd14/attachment.bin>


More information about the argus mailing list