[ARGUS] Argus 3.0.8.3

Carter Bullard carter at qosient.com
Wed Nov 1 10:47:02 EDT 2023


Hey Ming,
The simple answer is upgrade to 3.0.8.3, which will become 3.0.8.4 before the end of the year without any code changes… I haven’t had a chance to elevate 3.0.8.3 to 3.0.8.4 but right now I’m planning to uptick the version number before the end of Dec as it is.  I may be able to uptick it before the end of Nov, but no promises.

The complicated answer is that we are going to release argus-4.0 in the first quarter of 2024.  This is a promise … I’ve been talking about it for a long time, and the code has been running at Stanford and a few other sites for a few years now, so it’s time to push it out.

Argus-4.0 is a major release because we are changing the format of the basic argus flow record, and we’re putting in a lot of upgrades to key features.  The 4.0 clients will be fully backward compatible, but 3.x clients will not be able to read 4.0 data, thus the major release numbering.

Specifically, we’re changing the format of the Argus SourceID from a fixed 32 bits (which can accommodate an IP address, an integer or a 4-char string) to a struct that can also handle a UUID and an IPv6 address, and we’re extending the SourceID so that it can handle an interface identifier. This should remove the need to allocate source IDs for sensors. It will also let us know on which interface the flow was seen. This simple zero-configuration addition is key to our approach to running argus on large numbers of endpoints in an enterprise and managing the data, so it’s a big deal … It will also support detecting some very interesting break-in strategies (stepping stones) simply.

We’ll have better IPv6 support, tunnel encapsulation parsing support, lots of bug fixes, better performance.

Another key additional feature is a change in how we capture packet payloads. In argus-3.x, you configure a fixed size of payload capture. In argus-4.0 we’ll support variable content capture based on ports, protocols, etc. … This is designed to provide full content capture for the control plane, as well as giving you the ability to capture on this protocol, not on that protocol. The feature will specifically support capturing the full contents of ARP, DHCP, DHCPv6, DNS, mDNS protocol transactions, non-IP traffic, and we’ll provide programs to decode the captured data. We’ve implemented passive DNS from flow data using this approach for many sites, and it has been a game changer for some enterprises.

Argus-4.0 clients will also provide Python libraries for reading and processing argus flow data.  We’ve been talking about AI/ML support, and so we’ll have this level of support in Argus-4.0.

OK, so I say upgrade now, and get ready for a big change in 2024.

Hope all is most excellent,

Carter


> On Oct 31, 2023, at 9:37 PM, Ming Fu via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi,
>  
> I am a longtime user of argus. The current version I use is 3.0.8.1. I am planning to update the code to a newer version. What is the current recommendation to upgrade to? Looks like 3.0.8.3 has been out for a while, but is still under development status. Should I use 3.0.8.2 or 3.0.8.3?
>  
> Regards
> Ming
> _______________________________________________
> argus mailing list
> argus at qosient.com <mailto:argus at qosient.com>
> https://pairlist1.pair.net/mailman/listinfo/argus
