Couple things...

Carter Bullard carter at qosient.com
Thu Sep 19 10:14:59 EDT 2013 

Hey Craig,
Looks like the ABR data is doing what its designed to do, and its good when a new metric can have simple direct utility, is easily understood, can be the basis of a simple alert/alarm system, and leads to simple and direct action.

So argus -> splunk -> prelert coupled together is waayyyyy more than most will need to realize that a specific IP address, or a single node within an entire enterprise has transformed from being a network consumer to a network producer.   I have to say, though, its good to see that the ABR metric can do its job within generic black box systems.

John Gerth and I are going to do a talk on ABR at FloCon in January.  You should give one as well.  You still have 2 days to submit a presentation.

   http://www.cert.org/flocon

On Sep 18, 2013, at 3:33 PM, Craig Merchant <cmerchant at responsys.com> wrote:
>  
> Couple questions for you… 
>  
> We’re using rastream and racluster to aggregate our flows every five minutes.  My understanding and from what I’ve seen in the data is that if a flow lasts for 15 minutes, I’ll only get a single record when the flow closes.  Am I incorrect?

Absolutely no, not correct.  If you aggregate 5 minute files, then you will have a flow record in each file for the activity seen from your 15 minute transaction, assuming the long transaction is active in each of the 5 minute periods.

>  When I look at the aggregated argus records for the test flow in the example above, where the SSH session stayed open for days, I’m not seeing one event every five minutes.  So, if somebody asked me “how much bandwidth are we using right now?”, it would be tricky to divide bytes by duration and project that backwards in time.

You will get a flow record only when the SSH session is active.  So if the SSH was started, and then was idle for 5 months, and then closed, you will get 2 records.  Or if it was started, after 3 months, a single character was typed, and then 2 months later, was it closed you'll get 3 records.

You'll have to describe what you are actually doing, because all the tools we provide are specifically designed to answer the question "what is going on right now".  Dividing bytes by duration is " load ", which is a metric that every record has.   It is not tricky at all.

>  
> Is there any way to make racluster write a summary record for flows that are longer than the aggregation interval that shows the summary statistics for that flow only in that window?

Read the racluster.conf man page, it describes this specific operation.
>  
> Also…  I’ve seen you use “-M RMON” in several examples on the mailing list.  What is the value of using RMON stats for analysis?
>  
Dave did a great job answering this.  


> Thanks.
> 
> Craig

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130919/68812e9c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130919/68812e9c/attachment.bin>

More information about the argus mailing list