AUDITING NETWORK ACTIVITY

News Archives

Wed Jun 20 10:54:19 EDT 2012 – Refreshed Argus-3.0.6.1 - Error corrected

A fatal omission was discovered in yesterday's release of argus, causing argus to reject remote connections and not send any data. This was the result of a faulty build process at the time of final release. We have corrected the problem, and we have re-released argus-3.0.6.1, to correct the error. If you downloaded argus on Tue, please download it again. The argus-clients code is unaffected by this error. We are very sorry for the inconvenience.

Tue Jun 19 12:10:31 EDT 2012 – New Argus-3.0.6.1 Now Available

Bug fixes for the new Argus-3.0.6 and its accompanying clients distribution are now available and are the current set of stable code. These fixes correct memory leak and deadlock issues for argus and radium, so upgrading to these new stable releases is recommended, especially if you are experiencing problems. Argus and radium also get some protection from port scanners that use up the available listen ports for attachment. The client release also fixes a number of bugs with geolocation data, especially country code aggregation and printing. We also fixed meta-data label merging, multicast identification, and some minor issues with variable namespace collisions. Please see the distribution ./ChangeLog files for specific change descriptions.

You didn't miss argus-clients-3.0.6.1, as that version number was used during testing of the fixes distribution process scripts. With this release we are providing new source tarfiles, as well as patch files.

Consider argus-3.0.6.1 and argus-clients-3.0.6.2 major bug fix releases. We highly recommend that you upgrade your argus sensor and the client programs.

Tue Jun 19 12:10:31 EDT 2012 – New Argus-3.0.6.1 Now Available

Argus-3.0.6 and its accompanying clients distribution are now available and are the current set of stable code. The big changes from argus-3.0.4 are flow-tools support, new metrics, expanded argus events processing, more control plane monitoring support and documentation, and of course, a huge bug fix fest. Argus-clients have a large number of changes, including a complete reorganization of the distribution code, new client programs, better documentation, and hundreds of little improvements, such as better CIDR address representations and format specifications for printing fields, so you can print IP addresses, as an example, in decimal or hex.

Consider argus-3.0.6 a major bug fix release, with a large number of new features. We highly recommend that you upgrade your client programs to get the newest capabilities.

Tue Apr 03 16:09:15 EDT 2012 – Argus-3.0.6 Release Candidates Available

Argus-3.0.6 and its accompanying clients distribution are near release. Release candidates are now available on the developers site. The big changes from argus-3.0.4 are flow-tools support, new metrics, expanded argus events processing, more control plane monitoring support and documentation. And of course it's a huge bug fix fest. argus-3.0.6.0.rc1 and argus-clients-3.0.6.0.rc1 are the release candidates, and they are ready for testing and regression tests. Changes to the web site are now complete, providing more examples, sample data and up to date documentation.

Please take a look and comment on the email list.

Wed Mar 14 9:50:31 EDT 2012 – Argus-3.0.6 Release Soon

We're frantically working to get argus and its clients ready for the 3.0.6 release, and things are coming along. The big changes from argus-3.0.4 are flow-tools support, new metrics, expanded argus events processing, more control plane monitoring support and documentation. And of course it's a huge bug fix fest. If you would like to get started early, argus-3.0.5.11 and argus-clients-3.0.5.35 are the latest release candidates, and they seem to be ready to go. We're also making changes to the web site to provide more examples and up to date documentation.

Please take a look and comment on the email list.

Mon Nov 07 12:04:55 EST 2011 – Argus and FloCon 2012

I will be giving a 1/2 day tutorial at FloCon 2012 this year, entitled "From Packet to Alarm: Real Time Situational Awareness using Argus", which will trace how the Argus architecture and tools support this type of awareness. I'm also going to give a presentation on the behavior monitoring metrics that are in the new argus-3.x source code, describing packet dynamics sensing in Argus. We are also planning to hold at least one BOF on database support for large scale flow processing, so please consider coming to Austin, Tx, Jan 9-12, 2012, to talk about argus.

Thu Nov 03 18:18:43 EST 2011 – Argus 3.0.6 Release Preparation

The latest development version of argus, argus-3.0.5, and its clients are stable, and we will be releasing it as argus-3.0.6 very soon. In this release cycle, the focus was on maturing client programs and introducing new client features. Changes in 3.0.6 include a number of client program improvements: ra() deals with stdout closing quicker, ratop() screen refreshing issues are fixed, racluster() merges better with CIDR address specifications, rapath() has more options on how to represent nodes, and there are bug fixes for rasplit(), ra() and ./configure. Better CIDR address filtering and printing, use of compression, better time error recovery, and mysql auto-reconnect fixes are just a few of the other changes.

The new features include flow-tools support based on flow-tools-0.68.5.1, the current release from google code. Efforts to process sflow data and netflow V9 are progressing well, but will be deferred to the argus-3.0.7 development and argus-3.0.8 release cycle. Sorry about that.

We have restructured the clients distribution to provide a bit of order to the distro. This is evident in argus-3.0.5.23.tar.gz, which is now available on the development server. Please take a look and comment on the email list.

Fri May 16 11:00:21 EST 2011 – Argus 3.0.5 Progressing

The latest development version of argus, argus-3.0.5, and its clients are progressing, with a number of bug fixes and new features. In this version, while we're still fixing bugs, the focus is on maturing client programs, and introducing new client features. Changes in 3.0.5 include a number of client program improvements to ra(), so that it deals with stdout closing quicker, ratop() issues with screen refreshing, racluster() better merging with CIDR address specifications, rapath() has more options on how to represent nodes, and bug fixes for rasplit(), ra() and ./configure. Issues like better CIDR address filtering and printing, use of compression, better time error recovery, and mysql auto-reconnect fixes, just to name a few of the changes.

Stable versions of the new code will be released as argus-3.0.6, hopefully within 6-10 weeks, but if you need fixes to your existing client deployments, consider argus-3.0.5 code, if you're into the experimental.

Fri Mar 11 13:41:48 EST 2011 – Argus 3.0.4 Released

Argus 3.0.4 and its clients are now available. Changes for 3.0.4 include enhanced multi-threaded support, new interface specification in the /etc/argus.conf, richer wireless monitoring support, argus events, UDP transport and native multicast transport of flow records, and new metrics, including keystroke identification in TCP traffic. And of course a very large number of bugs have been fixed, as reported to the developers mailing list.

Client support includes major improvements and modifications to ratop(), re-introduction of ragrep(), new URL style specifications for "-r" and "-w " options, enhanced database functionality, the addition of raservices() and rauserdata() for processing/analyzing user data buffers, raconvert() to change ascii text to argus binary records, and a full set of man pages.

Please transition to these new versions, and if you have any issues at all, don't hesitate to contact us !!!!

Fri Mar 04 11:13:25 EST 2011 – SSH Keystroke Detection - Behavioral Monitoring

We are introducing in argus-3.0.4 a new Argus metric designed to report behavior in flow data; the ARGUS_BEHAVIORAL_DSR. For the first effort, we've implemented a published algorithm for detecting keystrokes within encrypted SSH on any port. This is the result of a successful collaboration with researchers at Stanford and Purdue who are supported by grants from the National Science Foundation and the Multidisciplinary University Research Initiative of the DoD. For those interested, the paper will appear in the Proceedings of the INFORMS Computer Society 2011 annual meeting. A copy of the paper is available at Purdue, and there is a YouTube video that describes the basic algorithm.

You turn on this feature using the new ARGUS_KEYSTROKE variable in the /etc/argus.conf file. The options are well described in the sample argus.conf provided in the distribution. When argus is applying the algorithm to a flow, it will insert an ARGUS_BEHAVIORAL_DSR in the flow status record. The DSR will identify the algorithm, and any metrics/analytics/intermediate results that it has developed at the time of the status record. In the case of keystroke detection, it will report the source and destination "nstrokes". Argus-3.0.3.23 has the implementation, and the latest argus-clients-3.0.3.23 has complete support for printing, filtering, aggregating, graphing and labeling based on the new metric. The code is currently in operation at Stanford and Purdue Universities.

Please take a look at the paper and give the new features a try. Hopefully this new support will be the first of a large number of new security and performance behavioral monitoring extensions to Argus flow monitoring.

Fri Jan 14 12:36:20 EST 2011 – FloCon 2011

FloCon 2011 in Salt Lake City was great!! Lots of good things going on in the network data flow area, so definitely take a look at the web site. I'll be posting my tutorial slides here in a few weeks, under our Documentation section.

We're back at getting argus-3.0.4 out the door, so if you're having any problems with the current development versions of argus and argus-clients, be sure and yell on the mailing list, so we can get them fixed before release.

2011 is going to be the year for flow data processing, now that the database and archive support is doing well. We will be releasing an argus development environment for Mac OS X in 2011, Cocoa and OpenGL based that will attempt to bring together the best flow data analytics to a common platform. We currently have a full Mac OS X Finder environment, as well as a complete OpenGL Scene Graph environment for Argus Data, which I'll be packaging up after the 3.0.4 release. If this is of interest to you, please join the developer's mailing list, and send mail asking for the Mac OS Argus platform.

Hope everyone had a great 2010 and that 2011 works for you!!!!

Tue Jul 6 18:37:21 EDT 2010 – Argus and TieT

We have finished the first phase of link-state routing protocol analytic support for argus, which means the latest argus and latest argus-clients now work with the TieT project, an IS-IS audit analytics system. TieT can be used to visualize topology and detect misconfigurations, flapping, bugs and performance problems, and in conjunction with multi-site deployments of argus, you can get global routing metrics and routing advertisement attribution. TieT was written by Tony Przygienda, a past chair of the IETF IS-IS working group, and it is a perfect example of how advanced flow data strategies can drive new network operations, performance and security applications for large enterprise and WAN networks. TieT is in Beta, and if you have any interest in control plane situational awareness and link-state routing protocol analysis, this is a great project to get started with.

Wed Jun 2 15:49:12 EDT 2010 – Argus and UDT

As a part of the transition of Gargoyle technology to Argus, I have ported UDT transport flow monitoring to argus-3.0.3.11, which should be stable with the release of argus-3.0.4 in a few weeks. UDT, developed at the National Center for Data Mining, is an important new transport protocol, one we used at SC'09 to win the Bandwidth Challenge, and Argus now supports throughput, goodput, loss, jitter and window advertisement reporting for UDT over UDP and UDT over Ethernet. At the Naval Research Lab, we used argus, generating UDT flow status records every 10 milliseconds, to analyze UDT transport efficiency at 10Gbps, and this helped us find a few bugs. If you're running a big Cloud or a supercomputer site, you should be working with UDT!!!

Fri Mar 26 12:34:40 EDT 2010 – Argus and Infiniband

As a part of the transition of Gargoyle technology to Argus, we would like to announce that we will be supporting Infiniband flow monitoring in argus-3.0.4, to be released in the May/June timeframe. Argus will support flow monitoring for the new emerging RoCEE standard, established by the OpenFabrics Alliance, to enable Infiniband transport over Ethernet. Infiniband has emerged as a serious LAN, MAN and WAN transport technology, and with these new standards efforts, Infiniband over Ethernet in the carrier network, as well as Infiniband to the desktop, will become a significant part of the emerging Cloud client architecture.

I'll start a 'Using Argus' page specifically for Infiniband in the coming weeks.


Fri Mar 19 10:12:27 EDT 2010 – Argus-3.0.3 available for developers

Argus-3.0.2 is stable, the mailing lists are quiet, and it's a beautiful spring-like day in New York City.

Be sure to check out the Argus Wiki, as there have been some new additions that describe tools and techniques that should be useful to everyone!!

Work on the todo list is progressing!!! Client software will be the topic for a while, as I'll be adding new client programs to argus-3.0.3 in the next 2 weeks. We've brought back ragrep(), to deal with regular expressions that are too large for the command line, and the new program now supports a good number of the traditional grep() options. A man page is included in the new developers release package. If anyone has a need for additional grep() like features, such as 'before-context' or 'after-context' options, just send email to the developers list!!

Argus archive management and analysis tool development are high on the list of things to do, and one focus is to continue describing the features and technology around the MySQL database support. Of particular interest to the security community has been beacon detection, where you want to know if a host on the inside "chirps" to an external address at regular intervals. You can detect this readily with argus data, and we'll be developing a database schema and some simple tools that do this on the developers mailing list.
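One way to spot the beaconing described above, as an added example that is not part of the argus distribution: it reads the CSV that `ra -c , -s stime saddr daddr dport` would emit (the column labels and the 10.0.0.0/8 inside prefix are assumptions; the rows are constructed) and flags inside-to-outside pairs whose flow start times recur at a near-constant interval.

```python
# Added example (not argus code): flag inside hosts that "chirp" to an
# external address at a near-constant interval, from the fields that
# `ra -c , -s stime saddr daddr dport` prints. Sample rows are constructed.
import csv
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your site's prefixes

SAMPLE_RA_OUTPUT = """\
StartTime,SrcAddr,DstAddr,Dport
1300000000.000,10.1.2.3,203.0.113.7,443
1300000300.012,10.1.2.3,203.0.113.7,443
1300000600.003,10.1.2.3,203.0.113.7,443
1300000899.990,10.1.2.3,203.0.113.7,443
1300000010.000,10.1.2.9,198.51.100.4,80
1300000017.000,10.1.2.9,198.51.100.4,80
1300000200.000,10.1.2.9,198.51.100.4,80
1300000740.000,10.1.2.9,198.51.100.4,80
1300000100.000,10.1.2.3,10.1.2.50,22
1300000400.000,10.1.2.3,10.1.2.50,22
1300000700.000,10.1.2.3,10.1.2.50,22
1300001000.000,10.1.2.3,10.1.2.50,22
"""

def is_inside(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)

def find_beacons(ra_csv, min_flows=4, max_cv=0.05):
    """(saddr, daddr, dport) -> (count, mean gap s, cv) for periodic inside->outside pairs."""
    starts = defaultdict(list)
    for row in csv.DictReader(ra_csv.splitlines()):
        if not is_inside(row["SrcAddr"]) or is_inside(row["DstAddr"]):
            continue  # keep only inside -> external flows
        key = (row["SrcAddr"], row["DstAddr"], int(row["Dport"]))
        starts[key].append(float(row["StartTime"]))
    beacons = {}
    for key, times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        # coefficient of variation of the inter-start gaps: low means "on a schedule"
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = (len(times), round(m, 1), cv)
    return beacons
```

The 10.1.2.9 pair has the same number of flows but irregular gaps, and the 10.1.2.50 pair is perfectly periodic but internal, so only the 10.1.2.3 to 203.0.113.7 pair on port 443 is reported.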

Should be fun!!!!