Bivio announced certification of Argus on their Bivio Networks 7000 DPI Application Platform today, adding Argus to the Bivio Networks Application Library. Check out their news announcement.
CERT's Flocon®2010 conference in New Orleans was a great success. Lots of good things were presented and discussed, and the food was most excellent indeed. All the slides for each presentation are on the CERT conference web site, and everyone should take a look. Argus was well represented, with a 1/2 day tutorial on argus (slides are available) and a new technical presentation. But it's always exciting when other groups present and they are either using argus in their research, or they are talking about the need for features that are either already in or scheduled to be in argus.
A new year, and new things for argus. Argus 3.0.2 is officially done, and we're now working on argus-3.0.4. The current list of formal efforts to date is:
1. Better multi-core support for argus and radium, to improve performance and to support new emerging vendor technologies.
2. Improve archive management and performance. Investigate using technologies like Sector/Sphere to improve search queries against large amounts of flow data (we need partners for this).
3. Continue to add attributes to argus data to improve its ability to support Network Operations, Performance and Security management. In particular, add control plane flow monitoring and host based information elements, such as user and process identifiers, to flow data.
4. Introduce Mac OS X visualization and data management applications into the open source code base, and improve on our globe and our 3D visualization methods.
5. Improve and document what we've got.
That's the current list, and of course if you have something else that you think is more important, send it on to the developers list, and we'll hammer it out there.
The current set of source code can be grabbed from these links:
Welcome to Argus, the network Audit Record Generation and Utilization System. The Argus Project is focused on developing network activity audit strategies and prototype technology to support Network Operations, Performance and Security Management. If you look at packets to solve problems, or you need to know what is going on in your network, right now or way back then, you should find Argus a useful tool.
The Argus sensor is designed to process packets (either capture files or live packet data) and generate detailed status reports of the 'flows' that it detects in the packet stream. The flow reports that Argus generates capture much of the semantics of every flow, but with a great deal of data reduction, so you can store, process, inspect or analyze large amounts of network data in a short period of time. Argus provides reachability, availability, connectivity, duration, rate, load, goodput, loss, jitter, retransmission, and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc.), protocol ids, SAPs, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indications, etc.
Argus is used by many sites to establish network activity audits, which are then used to supplement traditional IDS-based network security. These sites use contemporary IDS technology like snort and/or Bro to generate events and alarms, and then use the Argus network audit data to provide context for those alarms to decide if the alarms are real problems. In many DIY efforts, snort, Bro and argus run on the same high performance device. The audit data that Argus generates is great for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting very slow scans, and supporting zero-day event investigation. The network transaction audit data that Argus generates has also been used for a wide range of other tasks, including Network Billing and Accounting, Operations Management and Performance Analysis.
Argus can be considered an implementation of the architecture described by the IETF IPFIX Working Group. Argus pre-dates IPFIX, and the project has actively contributed to the IPFIX effort; however, Argus technology should be considered a superset of the IPFIX architecture, providing "proof of concept" implementations for most aspects of the IPFIX applicability statement. Argus technology can read and process Cisco Netflow data, and many sites develop audits using a mixture of Argus and Netflow records.
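As an added illustration (not Argus project code) of the two uses above, alert context and slow-scan detection, the script below consumes flow records in a comma-separated layout that it assumes was produced by ra with an explicit field list; the sample records are constructed, and the thresholds are arbitrary.

```python
# Added example, not part of the Argus distribution: using ra-style flow
# records for IDS alert context and for spotting very slow scans.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed field layout, as if produced by
#   ra -r audit.argus -c , -s stime saddr daddr proto dport state
FIELDS = ["stime", "saddr", "daddr", "proto", "dport", "state"]
TS_FMT = "%Y/%m/%d %H:%M:%S"

def parse_flows(text):
    """Parse comma separated ra output into dicts with a datetime stime."""
    flows = []
    for line in text.strip().splitlines():
        rec = dict(zip(FIELDS, line.split(",")))
        rec["stime"] = datetime.strptime(rec["stime"], TS_FMT)
        flows.append(rec)
    return flows

def alert_context(flows, host, alert_time, window=timedelta(minutes=5)):
    """Flows touching `host` within +/- window of an IDS alert timestamp."""
    at = datetime.strptime(alert_time, TS_FMT)
    return [f for f in flows
            if host in (f["saddr"], f["daddr"]) and abs(f["stime"] - at) <= window]

def slow_scanners(flows, min_targets=8, min_span=timedelta(hours=1)):
    """Sources that touched many distinct daddr:dport pairs spread over a
    long period; a per-packet IDS rarely sees these as one event."""
    targets = defaultdict(set)
    first, last = {}, {}
    for f in flows:
        src = f["saddr"]
        targets[src].add((f["daddr"], f["dport"]))
        first[src] = min(first.get(src, f["stime"]), f["stime"])
        last[src] = max(last.get(src, f["stime"]), f["stime"])
    return sorted(src for src in targets
                  if len(targets[src]) >= min_targets
                  and last[src] - first[src] >= min_span)

# Constructed sample: a normal client plus one host probing one new
# port on a new target every 20 minutes over almost four hours.
SAMPLE = "\n".join(
    ["2010/01/22 09:00:00,10.1.1.20,10.1.1.80,tcp,80,CON",
     "2010/01/22 09:03:00,10.1.1.20,10.1.1.80,tcp,443,CON"] +
    ["2010/01/22 %02d:%02d:00,10.1.1.5,10.1.2.%d,tcp,%d,REQ"
     % (9 + i // 3, (i % 3) * 20, 10 + i, 20 + i) for i in range(12)])

if __name__ == "__main__":
    fl = parse_flows(SAMPLE)
    print("slow scanners:", slow_scanners(fl))
    print(alert_context(fl, "10.1.1.80", "2010/01/22 09:02:00"))
```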
Argus is an Open Source project and currently runs on Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX and OpenWrt and its client programs have also been ported to Cygwin. The software should be portable to many other versions of Unix with little modification. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.
If you are interested in participating, check out the mailing lists and sign up today! And go to the wiki to catch up on some light reading!
Page Last Modified: 13:21:16 EDT 22 Jan 2010 ©Copyright 2000 - 2010 QoSient, LLC. All Rights Reserved.