[ARGUS] argus-clients JSON output
Darren S.
phatbuckett at gmail.com
Sat Aug 28 04:03:26 EDT 2021
On Fri, Aug 27, 2021 at 12:06 AM Darren S. <phatbuckett at gmail.com> wrote:
>
> OpenBSD 6.9 amd64
> argus-3.0.8.2 (argus-3.0.8.2p2 OS package)
> argus-clients-3.0.8.3
>
> I'm interested in leveraging future JSON output from argus-clients to
> support a streaming analytics workflow, and noted that
> argus-clients-3.0.8.3 was in need of testing [1].
>
> argus-clients build commands:
>
> ./configure --prefix=/usr/argus --with-libft=yes --without-mysql
> --without-GeoIP --without-sasl
> make CCOPT="-I/usr/local/include" COMPATLIB="-lm -lz -L/usr/local/lib -lft"
>
> With these options I got a partially successful build, enough to
> produce an ra(1) binary to test. (The complete output of the build is
> at [2], if there are suggestions to complete a build without error. I
> could have botched the options passed to configure script or make,
> just trying to mimic the OS port [3]).
>
> I did a little basic testing with ra(1) and got JSON output as expected:
>
> $ /usr/argus/bin/ra -M json -nr test.argus -- 'dst port 443'
> { "type":"flow","stime":"06:01:03.612223","flgs":" e
> ","proto":"tcp","saddr":"x.x.97.55","sport":46984,"dir":"<?>","daddr":"44.234.221.91","dport":443,"pkts":"4","bytes":"295","state":"FIN"}
> { "type":"flow","stime":"06:01:03.616187","flgs":" e
> ","proto":"tcp","saddr":"x.x.97.55","sport":23157,"dir":"
> ->","daddr":"44.234.221.91","dport":443,"pkts":"17","bytes":"9322","state":"CON"}
> { "type":"flow","stime":"06:01:08.991243","flgs":" e
> ","proto":"tcp","saddr":"x.x.97.55","sport":23157,"dir":"
> ->","daddr":"44.234.221.91","dport":443,"pkts":"7","bytes":"4114","state":"CON"}
> { "type":"flow","stime":"06:01:14.546578","flgs":" e
> ","proto":"tcp","saddr":"x.x.97.55","sport":5862,"dir":"
> ->","daddr":"44.234.221.91","dport":443,"pkts":"20","bytes":"11358","state":"CON"}
> { "type":"flow","stime":"06:01:15.087293","flgs":" e
> ","proto":"tcp","saddr":"162.142.125.20","sport":50643,"dir":"
> ->","daddr":"x.x.97.55","dport":443,"pkts":"1","bytes":"58","state":"REQ"}
>
> ...and validated that it loaded/parsed correctly in jq(1), as an
> example. If I'm not mistaken, the output of 'ra --help' doesn't yet
> document the 'json' option. There's an unexpected space after the
> opening '{' of the record. This seems promising!
>
> [1] https://qosient.com/argus/src/argus-clients-3.0.8.3.tar.gz
> [2] https://pastebin.com/raw/0uGTR7iv
> [3] https://github.com/openbsd/ports/blob/master/net/argus-clients/Makefile
Further details:
### /etc/argus.conf
ARGUS_FLOW_TYPE=Bidirectional
ARGUS_FLOW_KEY=CLASSIC_5_TUPLE
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID=`hostname` // IPv4 address returned
ARGUS_ACCESS_PORT=561
ARGUS_BIND_IP="::1,127.0.0.1"
ARGUS_INTERFACE=vio0
ARGUS_GO_PROMISCUOUS=yes
#ARGUS_CHROOT_DIR=/var/empty
ARGUS_SETUSER_ID=_argus
ARGUS_SETGROUP_ID=_argus
ARGUS_SET_PID=no
ARGUS_FLOW_STATUS_INTERVAL=5
ARGUS_MAR_STATUS_INTERVAL=300
#ARGUS_IP_TIMEOUT=30
#ARGUS_TCP_TIMEOUT=60
#ARGUS_ICMP_TIMEOUT=5
#ARGUS_IGMP_TIMEOUT=30
#ARGUS_FRAG_TIMEOUT=5
#ARGUS_ARP_TIMEOUT=5
#ARGUS_OTHER_TIMEOUT=30
#ARGUS_DEBUG_LEVEL=0
ARGUS_GENERATE_TCP_PERF_METRIC=no
#ARGUS_FILTER=""
The failure initially described (ArgusOpenInterface vio0: (cannot open
BPF device): No
such file or directory) occurs when ARGUS_CHROOT_DIR=/var/empty is
activated. When this option is not set, argus runs without issue. Does
opening the BPF device fail when chroot'd?
--
Darren Spruell
phatbuckett at gmail.com
More information about the argus
mailing list