[ARGUS] Argus-5.0 testing coming along well

Carter Bullard carter at qosient.com
Wed Feb 21 09:42:36 EST 2024


Gentle people,
The testing of new argus-5.0 and argus-clients-5.0 distros has gone very well.
We’ve got excellent results on:
   Windows 10, 11 (arm and intel)
   Mac OS X  (x86_64 and Apple M 1,2,3)
   Ubuntu 23.10 (arm intel)
   RedHat Server 3.10 (intel - sorry for the old version)
   Rocky Linux 9.3 (intel)
   Debian 12 (intel)
   Kali Linux 2023.4 (intel)
   FreeBSD 14 (intel)
   CentOS Stream 9 (intel)
   Fedora 39 (intel)

The instructions to get started, for this example let's use a brand new Fedora VM .. the process is pretty easy …
Need to get some development tools (compiler, linker, etc …), and the needed libraries.

   # dnf -y groupinstall "Development Tools"
   # dnf install automake autoconf
   # dnf install libpcap-devel libuuid-devel

Argus does need XDR (external data representation found in libtirpc), to exchange floats, 64-bit ints, etc … and for Fedora, you need an extra step ... 

   # dnf config-manager --set-enabled crb
   # dnf install libtirpc-devel

Then clone the repo, configure and make …

   % git clone https://github.com/openargus/argus-5.0
   % ( cd argus-5.0; ./configure; make clean; make )

The clients do have a few additional libraries depending on what you want to do (mysql, perl, python, etc). I recommend readline for ratop.1

   # dnf install readline-devel
   % git clone https://github.com/openargus/argus-clients-5.0
   % ( cd argus-clients-5.0; ./configure; make clean; make )


The focus is on endpoint tests, i.e. how does argus run in a workstation, laptop, tablet, and so far we’re doing really well, < 0.3% cpu on average with a small memory footprint < 10MB, which is configurable.  On my Macs it runs about 120MB, but that is inflated, and still very small (Terminal uses 100MB).

The separate repo strategy is working, but we’ll want to move argus 5.0 into the main repo by summer, making argus 3.0 just a release tag in git.

There was a request to test on Oracle Linux, and I can work that up, and there is OpenBSD, VxWorks, pSOS, IRIX, and AIS if you are interested in testing, just clone the repo from https://github.com/openargus/argus-5.0, and grab the clients as well to test out the clients.
At this point we’re compiling and running.  I’ll have the systemd and initd scripts and documentation ready in a few days so that will go easily for the novice. 

Specific testing features are fair game, like control plane data capture and the passive dns capability, which is in the clients repo, but specific discussions regarding these features will be on the site in the coming weeks.

We did find an interesting issue on some Windows 10 endpoint tests which has been fixed.  When TCP Segmentation Offload is enabled on some Windows machines, outgoing TCP packets have the ip_len set to zero.  Packet length is important for the flow model classifier, so this broke TCP flow generation.  Argus ran fine, it just created Ethernet flows for the outgoing unidirectional traffic.  The return traffic was processed correctly, so you would get a weird mix of flows.

Thanks for all the interest, if there are any questions or results from your testing, definitely send to the list or to me …
Hope all is most excellent,

Carter
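
The ip_len problem described in the message above, as an added example that is not part of the original post and is not Argus's actual fix: a C length check that falls back to the frame length when ip_len is zero. The function and enum names are hypothetical, and it assumes untagged Ethernet II frames with pcap-style captured and wire lengths.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR_LEN 14
#define ETHERTYPE_IPV4 0x0800

enum iplen_status { IPLEN_OK, IPLEN_TSO_RECOVERED, IPLEN_INVALID };

/* Read a big-endian 16-bit field without alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Datagram length for one captured frame (hypothetical helper).
 * caplen = bytes captured, wirelen = original frame length on the wire.
 * ip_len == 0 (the TSO case in the post) is recovered from wirelen. */
enum iplen_status ipv4_datagram_len(const uint8_t *frame, size_t caplen,
                                    size_t wirelen, size_t *out_len)
{
    if (caplen < ETH_HDR_LEN + 20 || wirelen < caplen)
        return IPLEN_INVALID;               /* too short to hold IPv4 */
    if (rd16(frame + 12) != ETHERTYPE_IPV4)
        return IPLEN_INVALID;               /* not untagged IPv4 */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || hlen < 20 || hlen > wirelen - ETH_HDR_LEN)
        return IPLEN_INVALID;               /* bad version or header length */
    size_t ip_len = rd16(ip + 2);
    if (ip_len == 0) {                      /* offloaded: header not final */
        *out_len = wirelen - ETH_HDR_LEN;
        return IPLEN_TSO_RECOVERED;
    }
    if (ip_len < hlen || ip_len > wirelen - ETH_HDR_LEN)
        return IPLEN_INVALID;               /* length disagrees with frame */
    *out_len = ip_len;                      /* may be < frame size (padding) */
    return IPLEN_OK;
}

int main(void)
{
    /* Constructed sample: IPv4 frame, ip_len zero, 1514 bytes on the wire. */
    uint8_t f[74] = {0};
    size_t n = 0;
    f[12] = 0x08; f[14] = 0x45;
    enum iplen_status s = ipv4_datagram_len(f, sizeof f, 1514, &n);
    printf("status=%d datagram_len=%zu\n", (int)s, n);
    return s == IPLEN_TSO_RECOVERED ? 0 : 1;
}
```

Counting the recovered case separately lets a sensor report how much of its traffic was captured before offload processing.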

