Can Argus output data in Netflow format?

Jaime Nebrera jnebrera at eneotecnologia.com
Tue Jan 28 03:45:00 EST 2014


   Hi Craig, let me clarify this a bit as a party involved :)

   As you say, redBorder 3.0 is going to have a specific plugin for 
Netflow based data, but this would be a narrow view of what we plan for 
redBorder.

   In essence, redBorder is becoming a "message bus" system designed to 
manage IT operations in real time and in full scale out. This bus is 
Apache Kafka based and currently includes an OLAP storage engine 
(extremely fast but works on aggregated data only) and a Hadoop storage 
(for cases where we need RAW data). There is a pretty and slick interface 
to manage all this. Next release will focus on correlation / 
intelligence. The software has attracted quite a bit of interest from 
big players, but is still in very early phases of real business. For 
example, it's going to be a central piece in the Cisco booth at MWC Barcelona 
2014, monitoring in real time what is going on in the network.

   Now, what data do you inject into the system? We have two alternatives:

   1) Directly injecting Apache Kafka messages into our bus. This is 
what we do with Snort, for example, as we modified Barnyard2 to do so (and 
open-sourced it, btw). We plan to do the same with other open source apps, 
like prads / nmap (for inventory detection), openvas (for vulnerability 
detection), etc.

   2) To support legacy applications you employ one of our "bridges" 
that will translate a legacy formatted message into a brand new Apache 
Kafka one. This is what we do with Netflow, and in the near future we 
hope to do the same with syslog and SNMP.

   Of course it would be great to have all "native", but there is a lot 
of "legacy" out there we need to cover.

   Ok, I understand this, how about Argus?

   We believe Argus is a great piece of software and for sure it has 
been on our radar screen for a long time, but at the same time, we 
don't have a direct interest in working with it. Why? Mainly because it 
requires a "probe" and we are kind of trying to get ourselves "out of 
probes" and we still can't place it in our picture. For example, our 
company worked with a software netflow probe since 2004, and now we don't 
have it, we just work "with others", in particular with Cisco's 
(Flexible Netflow, AVC) but also things like Palo Alto or Sonicwall 
(yes, we are particularly interested in security apps that are able to 
send you L7 information on the application as part of the netflow 
package). How about the IPS then? Well, the IPS is directly funded by a 
client :D

   I guess the particular case of Argus is just a matter of funding. We 
are very open to including it, as it is for sure a mature and very interesting 
piece of software; it's in the "realm" of security / monitoring that we 
are targeting, but we honestly don't have the resources nor spare time to 
tackle this directly without some "push" :D We would love to work with 
the qosient team to get this job done, honestly.

   The case of IPS was a direct sponsorship by a client. Flow goes along 
the same road, even when in that case we bet a bit ourselves doing the 
first prototype on our own. We have enquiries from clients to work on 
malware, DDoS mitigation, log management, traffic capture, load 
balancing / geo DNS, firewalling, and a long etcetera, but our position 
is clear: unless we get funding, we work only on those of them that we 
view as our core (right now, log management, DDoS and correlation 
besides the already existing IPS and Flow).

   What do you think?

On 27/01/14 23:30, Craig Merchant wrote:
>
> Actually, Jamie Nebrera, their CTO, posted here a couple weeks ago.  
> So, they're definitely considering it.  I've been encouraging them too.
>
> Their upcoming 3.0 release has a REST API...  So, I may use Netflow 
> for just simple flow metrics that Splunk can query from their API 
> (saving me license costs) and run Argus for my security analysis.  I'm 
> not willing to give up the keystroke detection inside of encrypted 
> tunnels...
>
> C
>
> *From:*Carter Bullard [mailto:carter at qosient.com]
> *Sent:* Monday, January 27, 2014 1:11 PM
> *To:* Craig Merchant
> *Cc:* Argus
> *Subject:* Re: [ARGUS] Can Argus output data in Netflow format?
>
> Hey Craig,
>
> No plans to do that.  Argus is all about new methods,
>
> new metrics, and innovation in flow technology.
>
> Not sure it's anyone's advantage for argus to step backwards.
>
> Why not get the redBorder IDS solution to support argus sensors?
>
> Much better business proposition for the argus project.
>
> Carter
>
> On Jan 27, 2014, at 4:00 PM, Craig Merchant <cmerchant at responsys.com 
> <mailto:cmerchant at responsys.com>> wrote:
>
>
>
> Hey, Carter...  I hope 2014 is treating you well.
>
> Is there any way to make Argus output records in a Netflow format?  
> The next release of the redBorder IDS solution that we use is going to 
> have support for nprobe sensors, but only using the Netflow protocol.  
> I was just curious if there was a way to make Argus output its records 
> in a way that could be consumed by nprobe...
>
> Thanks!
>
> Craig
>


-- 
Jaime Nebrera - jnebrera at eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
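As an added example (not code from redBorder, Argus, or anyone on this thread), here is the kind of "bridge" Jaime describes in alternative 2: it takes a NetFlow v5 datagram as it arrives over UDP and turns each flow record into a JSON message that could be published on a bus such as Kafka. The NetFlow v5 header and record layout used below is the documented fixed format; the exporter address 203.0.113.1, the JSON field names, and the two-flow sample datagram are constructed assumptions. The point worth noticing for a component like this is that it consumes unauthenticated UDP from the network, so the header's record count and the datagram length are checked against each other before anything is unpacked, rather than trusting the count the packet claims.

```python
import json
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): a 24-byte header followed
# by up to 30 fixed-size 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30


class NetflowError(ValueError):
    """Raised for datagrams the bridge refuses to process."""


def parse_netflow_v5(datagram, exporter="unknown"):
    """Validate a NetFlow v5 datagram and return one dict per flow record.

    `exporter` is assumed to be the UDP source address of the datagram and is
    copied into every message so consumers can tell exporters apart.
    """
    if len(datagram) < HEADER_LEN:
        raise NetflowError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise NetflowError("unsupported NetFlow version %d" % version)
    # Never trust the count blindly: bound it, and check it against the bytes
    # actually received, so a malformed or truncated packet can neither make
    # us read past the buffer nor turn into garbage records on the bus.
    if count == 0 or count > MAX_RECORDS:
        raise NetflowError("implausible record count %d" % count)
    expected = HEADER_LEN + count * RECORD_LEN
    if len(datagram) < expected:
        raise NetflowError("truncated datagram: %d bytes, header promises %d"
                           % (len(datagram), expected))
    # Low 14 bits of the sampling field are the interval; the top 2 bits are the mode.
    sampling_interval = sampling & 0x3FFF
    export_time = unix_secs + unix_nsecs / 1e9

    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram, off)
        # First/Last are milliseconds of exporter uptime; rebase them onto the
        # header's export timestamp to get epoch seconds.
        records.append({
            "exporter": exporter,
            "engine": "%d/%d" % (engine_type, engine_id),
            "sequence": flow_seq + i,
            "sampling_interval": sampling_interval,
            "start": export_time - (sys_uptime - first) / 1000.0,
            "end": export_time - (sys_uptime - last) / 1000.0,
            "src_addr": str(IPv4Address(src)),
            "dst_addr": str(IPv4Address(dst)),
            "next_hop": str(IPv4Address(nexthop)),
            "src_port": sport,
            "dst_port": dport,
            "proto": proto,
            "tcp_flags": tcp_flags,
            "tos": tos,
            "packets": pkts,
            "bytes": octets,
            "in_if": in_if,
            "out_if": out_if,
            "src_as": src_as,
            "dst_as": dst_as,
        })
    return records


def to_messages(records):
    """Serialise records as compact JSON strings, one bus message per flow."""
    return [json.dumps(r, sort_keys=True, separators=(",", ":")) for r in records]


def build_sample_datagram():
    """Constructed NetFlow v5 datagram with two flows (not a real capture)."""
    header = struct.pack(HEADER_FMT, 5, 2, 100000, 1390880000, 0, 1, 0, 0, 0)
    tcp = struct.pack(RECORD_FMT,
                      int(IPv4Address("10.0.0.5")), int(IPv4Address("192.0.2.10")),
                      0, 1, 2, 10, 5000, 90000, 95000, 44321, 443, 0, 0x1b, 6, 0,
                      0, 0, 24, 24, 0)
    udp = struct.pack(RECORD_FMT,
                      int(IPv4Address("10.0.0.7")), int(IPv4Address("192.0.2.53")),
                      0, 1, 2, 1, 80, 96000, 96000, 51000, 53, 0, 0, 17, 0,
                      0, 0, 24, 24, 0)
    return header + tcp + udp


if __name__ == "__main__":
    for msg in to_messages(parse_netflow_v5(build_sample_datagram(), "203.0.113.1")):
        print(msg)
```

In a real deployment the bridge would sit behind a UDP socket and call `parse_netflow_v5` per datagram, dropping anything that raises `NetflowError` and counting those drops as a metric. Because NetFlow v5 carries no authentication, the listening socket should be reachable only from the exporters themselves (host firewall or network ACL), and the sequence numbers in the header are the only signal a collector has that datagrams were lost on the way.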
