AUDITING NETWORK ACTIVITY

Latest News

Wed Jun 20 10:54:19 EDT 2012 Refreshed Argus-3.0.6.1 - Error corrected

A fatal omission was discovered in yesterday's release of argus, causing argus to reject remote connections and not send any data. This was the result of a faulty build process at the time of final release. We have corrected the problem and re-released argus-3.0.6.1. If you downloaded argus on Tue, please download it again. The argus-clients code is unaffected by this error. We are very sorry for the inconvenience.

Tue Jun 19 12:10:31 EDT 2012 New Argus-3.0.6.1 Now Available

Bug fixes for the new Argus-3.0.6 and its accompanying clients distribution are now available and are the current set of stable code. These fixes correct memory leak and deadlock issues for argus and radium, so upgrading to these new stable releases is recommended, especially if you are experiencing problems. Argus and radium also get some protection from port scanners that use up the available listen ports for attachment. The client release also fixes a number of bugs with geolocation data, especially country code aggregation and printing. We also fixed meta-data label merging, multicast identification, and some minor issues with variable namespace collisions. Please see the distribution ./ChangeLog files for specific change descriptions.

You didn't miss argus-clients-3.0.6.1, as that version number was used during testing of the fixes distribution process scripts. With this release we are providing new source tarfiles, as well as patch files.

Consider argus-3.0.6.1 and argus-clients-3.0.6.2 major bug fix releases. We highly recommend that you upgrade your argus sensor and the client programs.

The current set of stable source code can be grabbed from these links:

argus-3.0.6.1

argus-clients-3.0.6.2

The Argus Project was invited to participate in the NSF's "Security at the Cyberborder Workshop", held in March, to discuss International Research Network Connections and Cybersecurity. Very interesting discussions on some rather difficult security issues. Here is the final report.

Argus-3.0.6 is now being used to drive some really great network visualizations for GLORIAD, the advanced science internet network that connects US, Russia, China, Korea, Canada, The Netherlands, India, Egypt, Singapore and Nordic scientists with Advanced Cyberinfrastructure. Check out the various visualizations, including GLORIAD Earth.

Welcome to Argus, the network Audit Record Generation and Utilization System. The Argus Project is focused on developing network activity audit strategies and prototype technology to support Network Operations, Performance and Security Management. If you look at packets to solve problems, or you need to know what is going on in your network, right now or way back then, you should find Argus a useful tool.

The Argus sensor processes packets (either capture files or live packet data) and generates detailed status reports of the 'flows' that it detects in the packet stream. The flow reports that Argus generates capture much of the semantics of every flow, but with a great deal of data reduction, so you can store, process, inspect or analyze large amounts of network data in a short period of time. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission, and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indications, etc...

Argus is used by many sites to establish network activity audits, which are then used to supplement traditional IDS-based network security. These sites use contemporary IDS technology like snort and/or Bro to generate events and alarms, and then use the Argus network audit data to provide context for those alarms to decide if the alarms are real problems. In many DIY efforts, snort, Bro and argus run on the same high-performance device. The audit data that Argus generates is great for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting very slow scans, and supporting zero-day events. The network transaction audit data that Argus generates has also been used for a wide range of other tasks including Network Billing and Accounting, Operations Management and Performance Analysis.
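The two paragraphs above describe what a flow sensor does (reduce a packet stream to bidirectional flow records carrying start time, duration, packet and byte counts, rate and load) and how those records are then used to give an IDS alarm context. The following is an added, self-contained illustration of both ideas in Python; it is not Argus code and does not read Argus's record format. The packet list, the alert, the field names (saddr, sport, daddr, dport, spkts, dpkts, sbytes, dbytes) and the function names build_flows and alert_context are all constructed for this example.

```python
"""Toy flow-record generator plus alert-context lookup (constructed example)."""
from dataclasses import dataclass

# Constructed packet events: (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes).
# These are not captured data; they are made up to exercise the code below.
PACKETS = [
    (100.0, "10.0.0.5", 44321, "192.0.2.10", 80, "tcp", 120),
    (100.2, "192.0.2.10", 80, "10.0.0.5", 44321, "tcp", 1400),
    (100.4, "10.0.0.5", 44321, "192.0.2.10", 80, "tcp", 60),
    (101.0, "10.0.0.5", 53011, "10.0.0.1", 53, "udp", 70),
    (101.1, "10.0.0.1", 53, "10.0.0.5", 53011, "udp", 200),
    (150.0, "10.0.0.7", 50000, "192.0.2.10", 22, "tcp", 90),
]


@dataclass
class Flow:
    """One bidirectional flow record; 's' is the initiating side, 'd' the responder."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    start: float
    last: float
    spkts: int = 0
    dpkts: int = 0
    sbytes: int = 0
    dbytes: int = 0

    @property
    def dur(self) -> float:
        return self.last - self.start

    @property
    def pkts(self) -> int:
        return self.spkts + self.dpkts

    @property
    def bytes(self) -> int:
        return self.sbytes + self.dbytes

    @property
    def rate(self) -> float:
        # Packets per second. A single-packet flow has zero duration; report 0
        # rather than divide by zero.
        return self.pkts / self.dur if self.dur > 0 else 0.0

    @property
    def load(self) -> float:
        # Bits per second over the observed duration.
        return 8 * self.bytes / self.dur if self.dur > 0 else 0.0


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both halves of a conversation merge."""
    ends = sorted([(src, sport), (dst, dport)])
    return (proto, ends[0], ends[1])


def build_flows(packets):
    """Reduce a packet list to flow records, keyed on the 5-tuple."""
    flows = {}
    for ts, src, sport, dst, dport, proto, nbytes in sorted(packets, key=lambda p: p[0]):
        key = flow_key(src, sport, dst, dport, proto)
        f = flows.get(key)
        if f is None:
            # First packet seen defines the initiator (source) of the flow.
            f = Flow(proto, src, sport, dst, dport, ts, ts)
            flows[key] = f
        f.last = max(f.last, ts)
        if (src, sport) == (f.saddr, f.sport):
            f.spkts += 1
            f.sbytes += nbytes
        else:
            f.dpkts += 1
            f.dbytes += nbytes
    return list(flows.values())


def alert_context(flows, host, alert_time, window=5.0):
    """Return flows involving `host` that overlap [alert_time - window, alert_time + window].

    This is the 'context for an alarm' step: an analyst sees what else the
    host was doing around the time the IDS fired.
    """
    t0, t1 = alert_time - window, alert_time + window
    return [f for f in flows if host in (f.saddr, f.daddr) and f.start <= t1 and f.last >= t0]


if __name__ == "__main__":
    records = build_flows(PACKETS)
    for f in records:
        print(f"{f.proto} {f.saddr}:{f.sport} -> {f.daddr}:{f.dport} "
              f"dur={f.dur:.2f} pkts={f.pkts} bytes={f.bytes} rate={f.rate:.1f} load={f.load:.0f}")
    # Constructed alert: the IDS flagged 10.0.0.5 at t=100.3.
    for f in alert_context(records, "10.0.0.5", 100.3):
        print("context:", f.proto, f.saddr, f.daddr, f.dport)
```

The reduction is the point: six packets become three records, each carrying the timing and volume metrics an analyst needs, and the alert lookup touches only those records rather than the raw packets. A real sensor additionally handles flow timeouts, TCP state, and the many L2/L4 attributes listed above, none of which this toy attempts.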

Argus can be considered an implementation of the architecture described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and the project has actively contributed to the IPFIX effort. However, Argus technology should be considered a superset of the IPFIX architecture, providing "proof of concept" implementations for most aspects of the IPFIX applicability statement. Argus technology can read and process Cisco Netflow data, and many sites develop audits using a mixture of Argus and Netflow records.

Argus is an Open Source project and currently runs on Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt. The software should be portable to many other versions of Unix with little modification. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.

If you are interested in participating, check out the mailing lists and sign up today! And go to the wiki, to catch up on some light reading!!!

Page Last Modified: 11:21:34 EDT 20 Jun 2012                      ©Copyright 2000 - 2012 QoSient, LLC. All Rights Reserved.