
News Archives

Wed Sept 3 12:50:47 EST 2014 – Argus-3.0.8

Argus-3.0.8 is now released as the current stable version of Argus !!! This is a major bug fix release of argus and argus-clients, with a lot of new features that enhance argus-3.0. A lot of attention has been put into client function and performance, especially to our argus data browser, ratop.1, which gets color support, argus event correlation, and performance improvements. Argus metadata labeling is a big part of the 3.0.8 release, and there is a tutorial available in the Publications site. Other tutorials are available, and we'll be adding more and more documentation now that the release is finished.

This version of argus and argus-clients has been tested out quite a bit, and in production in a number of sites for several months. There is still a lot of work to do, and this release is not perfect, of course, so if you do grab it and find anything that you consider not quite right, send email to the argus mailing list, so we can fix it.

Mon Mar 10 18:28:16 EST 2014 – Argus @ ONS

The use of QoSient's commercial and open source technologies at the Open Networking Summit in Santa Clara, Calif. USA, was a huge success. Argus was a critical tool during the summit's SDN buildout, helping to verify the SDN controller network, and identifying problems such as access control issues, path problems, and VLAN assignment issues. And during the show, Argus provided real-time continuous monitoring of the SDN control network, and data network, to assure that the ONS SDN provided great end-to-end performance.

Argus was a hit, with some ratop() screenshots making it into the ONS2014 Daily Highlights videos, available on youtube.com. Check it out.

Argus @ ONS is the direct result of the work we've been doing with Pluribus Networks and Stanford University, at the Stanford SDN testbed, where Argus is the situational awareness technology, generating network audit data for a large portion of Stanford's network.

Tue Feb 18 12:04:27 EST 2014 – argus-clients-3.0.7.21

The newest development version of argus-clients is on the server. This version is the final clean up before release. Follow the development threads on the email list, and please download argus-clients-3.0.7.21 and give it a try. As always, if you do run into problems, please don't hesitate to send a note to the argus developers mailing list.

Argus FloCon 2014 presentations are now available from FloCon Proceedings. Be sure to check out the Argus PCR presentation, as we show the new Producer / Consumer Ratio metric and how it can be used to detect exfiltration, even DNS covert channel based exfiltration.

Tue Jan 20 11:13:19 EDT 2014 – FloCon and argus-clients-3.0.7.19

FloCon 2014 was a great conference, with tutorials and several presentations that focused on argus. We gave a 1/2 day tutorial on Argus and Metadata for Large Scale Deployments. The opening presentation talked about the history of Network Flow Data, and argus was front and center. We presented the new PCR metric, and Gloriad's presentation of how they are using argus for global network awareness was a huge success. All presentations are, or will be, available from FloCon Proceedings, including many that we gave in prior years.

The newest development version of argus-clients is on the server. This version provides fixes for a large number of issues with label processing, and MySQL database processing support. Follow the development threads on the email list, and please download argus-clients-3.0.7.19 and give it a try. As always, if you do run into problems, please don't hesitate to send a note to the argus developers mailing list.

Work is progressing well at the Stanford SDN testbed, at Stanford University. Argus is the primary situational awareness technology for a large chunk of Stanford's campus network, and we're finding a good number of operational, performance and security relevant issues. We'll continue to work with the testbed throughout 2014.

Argus-3.0.6 is now being used to drive some really great network visualizations for GLORIAD, the advanced science internet network that connects US, Russia, China, Korea, Canada, The Netherlands, India, Egypt, Singapore and Nordic scientists with Advanced Cyberinfrastructure. Check out the various visualizations, including GLORIAD Earth.

Thu Sep 26 23:36:27 EDT 2013 – argus-clients-3.0.7.16

The newest development version of argus-clients is on the server. This version provides fixes for a large number of issues with label processing, and MySQL database processing support. Follow the development threads on the email list, and please download argus-clients-3.0.7.16 and give it a try. As always, if you do run into problems, please don't hesitate to send a note to the argus developers mailing list.

Tue Feb 5 11:44:35 EST 2013 – argus-clients-3.0.7.5 - Netflow v9

The newest development version of argus-clients is on the server. This version provides fixes for netflow v9 IPv6 support, has more updates for color ratop(), has new parsing engines for rapolicy() to support more ACL strategies, and fixes a number of bugs related to labels. Now all ra* clients can read netflow v1-9, and convert them to argus 3.0 records. The netflow v9 support is still in testing. So please download argus-clients-3.0.7.5 and give it a try. As always, if you do run into problems, please don't hesitate to send a note to the argus developers mailing list.

Wed Jun 20 10:54:19 EDT 2012 – Refreshed Argus-3.0.6.1 - Error corrected

A fatal omission was discovered in yesterday's release of argus, causing argus to reject remote connections and not send any data. This was the result of a faulty build process at the time of final release. We have corrected the problem, and we have re-released argus-3.0.6.1, to correct the error. If you downloaded argus on Tue, please download it again. The argus-clients code is unaffected by this error. We are very sorry for the inconvenience.

Tue Jun 19 12:10:31 EDT 2012 – New Argus-3.0.6.1 Now Available

Bug fixes for the new Argus-3.0.6 and its accompanying clients distribution are now available and are the current set of stable code. These fixes correct memory leak and deadlock issues for argus and radium, and so upgrading to these new stable releases is recommended, especially if you are experiencing problems. Argus and radium also get some protection from port scanners that use up the available listen ports for attachment. The client release also fixes a number of bugs with geolocation data, especially country code aggregation and printing. We also fixed meta-data label merging, multicast identification, and some minor issues with variable namespace collisions. Please see the distribution ./ChangeLog files for specific change descriptions.

You didn't miss argus-clients-3.0.6.1, as that version number was used during testing of the fixes distribution process scripts. With this release we are providing new source tarfiles, as well as patch files.

Consider argus-3.0.6.1 and argus-clients-3.0.6.2 major bug fix releases. We highly recommend that you upgrade your argus sensor and the client programs.

Tue Jun 19 12:10:31 EDT 2012 – New Argus-3.0.6.1 Now Available

Argus-3.0.6 and its accompanying clients distribution are now available and are the current set of stable code. The big changes from argus-3.0.4 are flow-tools support, new metrics, expanded argus events processing, more control plane monitoring support and documentation, and of course, a huge bug fix fest. Argus-clients have a large number of changes, including a complete reorganization of the distribution code, new client programs, better documentation, and hundreds of little improvements, such as better CIDR address representations, and format specification for printing fields, so you can print IP addresses, as an example, in decimal or hex.

Consider argus-3.0.6 a major bug fix release, with a large number of new features. We highly recommend that you upgrade your client programs to get the newest capabilities.

Tue Apr 03 16:09:15 EDT 2012 – Argus-3.0.6 Release Candidates Available

Argus-3.0.6 and its accompanying clients distribution are near release. Release candidates are now available on the developers site. The big changes from argus-3.0.4 are flow-tools support, new metrics, expanded argus events processing, more control plane monitoring support and documentation. And of course it's a huge bug fix fest. argus-3.0.6.0.rc1 and argus-clients-3.0.6.0.rc1 are the release candidates, and they are ready for testing and regression tests. Changes to the web site are now complete, providing more examples, sample data and up to date documentation.

Please take a look and comment on the email list.

Wed Mar 14 9:50:31 EDT 2012 – Argus-3.0.6 Release Soon

We're frantically working to get argus and its clients ready for the 3.0.6 release, and things are coming along. The big changes from argus-3.0.4 are flow-tools support, new metrics, expanded argus events processing, more control plane monitoring support and documentation. And of course it's a huge bug fix fest. If you would like to get started early, argus-3.0.5.11 and argus-clients-3.0.5.35 are the latest release candidates, and they seem to be ready to go. We're also making changes to the web site to provide more examples and up to date documentation.

Please take a look and comment on the email list.

Mon Nov 07 12:04:55 EST 2011 – Argus and FloCon 2012

I will be giving a 1/2 day tutorial at FloCon 2012 this year, entitled "From Packet to Alarm: Real Time Situational Awareness using Argus", which will trace how the Argus architecture and tools support this type of awareness. I'm also going to give a presentation on behavior monitoring metrics that are in the new argus-3.x source code, describing packet dynamics sensing in Argus. We are also planning to hold at least one BOF on database support for large scale flow processing, so please consider coming to Austin, Tx, Jan 9-12, 2012, to talk about argus.

Thu Nov 03 18:18:43 EST 2011 – Argus 3.0.6 Release Preparation

The latest development version of argus, argus-3.0.5, and its clients are stable and we will be releasing it as argus-3.0.6 very soon. In this release cycle, the focus was on maturing client programs, and introducing new client features. Changes in 3.0.6 include a number of client program improvements to ra(), so that it deals with stdout closing quicker, ratop() issues with screen refreshing, racluster() better merging with CIDR address specifications, rapath() has more options on how to represent nodes, and bug fixes for rasplit(), ra() and ./configure. Issues like better CIDR address filtering and printing, use of compression, better time error recovery, and mysql auto-reconnect fixes, just to name a few of the changes.

The new features include flowtools support based on flow-tools-0.68.5.1, the current release from google code. Efforts to process sflow data and netflow V9 is progressing well, but will be deferred to the argus-3.0.7 development and argus-3.0.8 release cycle. Sorry about that.

We have restructured the clients distribution to provide a bit of order to the distro. This is evident in argus-3.0.5.23.tar.gz, which is now available on the development server. Please take a look and comment on the email list.

Fri May 16 11:00:21 EST 2011 – Argus 3.0.5 Progressing

The latest development version of argus, argus-3.0.5, and its clients are progressing, with a number of bug fixes and new features. In this version, while we're still fixing bugs, the focus is on maturing client programs, and introducing new client features. Changes in 3.0.5 include a number of client program improvements to ra(), so that it deals with stdout closing quicker, ratop() issues with screen refreshing, racluster() better merging with CIDR address specifications, rapath() has more options on how to represent nodes, and bug fixes for rasplit(), ra() and ./configure. Issues like better CIDR address filtering and printing, use of compression, better time error recovery, and mysql auto-reconnect fixes, just to name a few of the changes.

Stable versions of the new code will be released as argus-3.0.6, hopefully within 6-10 weeks, but if you need fixes to your existing client deployments, consider argus-3.0.5 code, if you're into the experimental.

Fri Mar 11 13:41:48 EST 2011 – Argus 3.0.4 Released

Argus 3.0.4 and its clients are now available. Changes for 3.0.4 include enhanced multi-threaded support, new interface specification in the /etc/argus.conf, richer wireless monitoring support, argus events, UDP transport and native multicast transport of flow records, and new metrics, including keystroke identification in TCP traffic. And of course a very large number of bugs have been fixed, as reported to the developers mailing list.

Client support includes major improvements and modifications to ratop(), re-introduction of ragrep(), new URL style specifications for "-r" and "-w " options, enhanced database functionality, the addition of raservices() and rauserdata() for processing/analyzing user data buffers, raconvert() to change ascii text to argus binary records, and a full set of man pages.

Please transition to these new versions, and if you have any issues at all, don't hesitate to contact us !!!!

Fri Mar 04 11:13:25 EST 2011 – SSH Keystroke Detection - Behavioral Monitoring

We are introducing in argus-3.0.4 a new Argus metric designed to report behavior in flow data; the ARGUS_BEHAVIORAL_DSR. For the first effort, we've implemented a published algorithm for detecting keystrokes within encrypted SSH on any port. This is the result of a successful collaboration with researchers at Stanford and Purdue who are supported by grants from the National Science Foundation and the Multidisciplinary University Research Initiative of the DoD. For those interested, the paper will appear in the Proceedings of the INFORMS Computer Society 2011 annual meeting. A copy of the paper is available at Purdue, and there is a YouTube video that describes the basic algorithm.

You turn on this feature using the new ARGUS_KEYSTROKE variable in /etc/argus.conf file. The options are well described in the sample argus.conf provided in the distribution. When argus is applying the algorithm to a flow, it will insert an ARGUS_BEHAVIORAL_DSR in the flow status record. The DSR will identifiy the algorithm, and any metrics/analytics/intermediate results that it has developed at the time of the status record. In the case of keystroke detection, it will report the source and destination "nstrokes". Argus-3.0.3.23 has the implementation and the latest argus-clients-3.0.3.23 has complete support for the printing, filtering, aggregating, graphing and labeling based on the new metric. The code is currently in operation at Stanford and Purdue Universities.

Please take a look at the paper and give the new features a try. Hopefully this new support will be the first of a large number of new security and performance behavioral monitoring extensions to Argus flow monitoring.

Fri Jan 14 12:36:20 EST 2011 – FloCon 2011

FloCon 2011 in Salt Lake City was great!! Lots of good things going on in the network data flow area, so definitely take a look at the web site. I'll be posting my tutorial slides here in a few weeks, under our Documentation section.

We're back at getting argus-3.0.4 out the door, so if you're having any problems with the current development versions of argus and argus-clients, be sure and yell on the mailing list, so we can get them fixed before release.

2011 is going to be the year for flow data processing, now that the database and archive support is doing well. We will be releasing an argus development environment for Mac OS X in 2011, Cocoa and OpenGL based that will attempt to bring together the best flow data analytics to a common platform. We currently have a full Mac OS X Finder environment, as well as a complete OpenGL Scene Graph environment for Argus Data, which I'll be packaging up after the 3.0.4 release. If this is of interest to you, please join the developer's mailing list, and send mail asking for the Mac OS Argus platform.

Hope everyone had a great 2010 and that 2011 works for you!!!!

Tue Jul 6 18:37:21 EDT 2010 – Argus and TieT

We have finished the first phase of link-state routing protocol analytic support for argus, which means the latest argus and latest argus-clients now work with the TieT project, an ISIS audit analytics system. TieT can be used to visualize topology, detect misconfigurations, flapping, bugs and performance problems, and in conjunction with multi-site deployments of argus, you can get global routing metrics and routing advertisement attribution. TieT was written by Tony Przygienda, a past chair of the IETF IS-IS working group, and it is a perfect example of how advanced flow data strategies can drive new network operations, performance and security applications for large enterprise and WAN networks. TieT is in Beta, and if you have any interest in control plane situational awareness and link-state routing protocol analysis, this is a great project to get started.

Wed Jun 2 15:49:12 EDT 2010 – Argus and UDT

As a part of the transition of Gargoyle technology to Argus, I have ported UDT transport flow monitoring to argus-3.0.3.11, which should be stable with the release of argus-3.0.4 in a few weeks. UDT, developed at the National Center for Data Mining, is an important new transport protocol, one we used at SC'09 to win the Bandwidth Challenge, and Argus now supports throughput, goodput, loss, jitter and window advertisement reporting for UDT over UDP and UDT over Ethernet. At the Naval Research Lab, we used argus, generating UDT flow status records every 10 milliseconds, to analyze UDT transport efficiency at 10Gbps, and this helped us find a few bugs. If you're running a big Cloud or a supercomputer site, you should be working with UDT!!!

Fri Mar 26 12:34:40 EDT 2010 – Argus and Infiniband

As a part of the transition of Gargoyle technology to Argus, we would like to announce that we will be supporting Infiniband flow monitoring in argus-3.0.4, to be released in the May/June timeframe. Argus will support flow monitoring for the new emerging RoCEE standard, established by the OpenFabrics Alliance, to enable Infiniband transport over Ethernet. Infiniband has emerged as a serious LAN, MAN and WAN transport technology, and with these new standards efforts, Infiniband over Ethernet in the carrier network, as well as Infiniband to the desktop, will become a significant part of the emerging Cloud client architecture.

I'll start a 'Using Argus' page specifically for Infiniband in the coming weeks.


Fri Mar 19 10:12:27 EDT 2010 – Argus-3.0.3 available for developers

Argus-3.0.2 is stable, the mailing lists are quiet, and it's a beautiful spring-like day in New York City.

Be sure to check out the Argus Wiki, as there have been some new additions that describe tools and techniques that should be useful to everyone!!

Work on the todo list is progressing!!! Client software will be the topic for a while, as I'll be adding new client programs to argus-3.0.3 in the next 2 weeks. We've brought back ragrep(), to deal with regular expressions that are too large for the command line, and the new program now supports a good number of the traditional grep() options. Man page is included in the new developers release package. If anyone has a need for additional grep() like features, such as 'before-context' or 'after-context' options, just send email to the developers list!!

Argus archive management and analysis tool development is high on the list of things to do, and one focus is to continue to describe the features and technology around the MySQL database support. Of particular interest to the security community has been beacon detection, where you want to know if a host on the inside "chirps" to an external address. You can detect this readily with argus data, and we'll be developing a database schema and some simple tools that do this on the developers mailing list.
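The beacon ("chirp") detection described above, as an added example that is not Argus project code: it assumes flow records have already been reduced to (start time, source, destination, destination port) tuples, for instance from ra output, uses constructed sample flows, and flags inside-to-outside pairs whose flows recur at a near-constant interval.

```python
"""Beacon detection over flow records (added example, not Argus code).

Assumes flows have been exported as (start_seconds, src, dst, dport)
tuples; SAMPLE_FLOWS below is constructed data, not real traffic.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample flows: 10.1.1.5 "chirps" to 203.0.113.9:443 every
# ~300 s; 10.1.1.7 browses 198.51.100.4 at irregular times; the
# 10.1.1.5 -> 10.1.1.20 flows are internal-to-internal and are ignored.
SAMPLE_FLOWS = [
    (0, "10.1.1.5", "203.0.113.9", 443),
    (301, "10.1.1.5", "203.0.113.9", 443),
    (599, "10.1.1.5", "203.0.113.9", 443),
    (902, "10.1.1.5", "203.0.113.9", 443),
    (1200, "10.1.1.5", "203.0.113.9", 443),
    (1499, "10.1.1.5", "203.0.113.9", 443),
    (17, "10.1.1.7", "198.51.100.4", 80),
    (140, "10.1.1.7", "198.51.100.4", 80),
    (1010, "10.1.1.7", "198.51.100.4", 80),
    (1090, "10.1.1.7", "198.51.100.4", 80),
    (1450, "10.1.1.7", "198.51.100.4", 80),
    (1460, "10.1.1.7", "198.51.100.4", 80),
    (50, "10.1.1.5", "10.1.1.20", 445),
    (350, "10.1.1.5", "10.1.1.20", 445),
    (650, "10.1.1.5", "10.1.1.20", 445),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed inside prefix


def find_beacons(flows, internal=INTERNAL, min_flows=5, max_cv=0.10):
    """Return {(src, dst, dport): (flow_count, mean_gap_seconds)} for
    inside->outside pairs whose start times repeat at a near-constant
    interval. max_cv bounds the coefficient of variation (stdev / mean)
    of the gaps; a regular beacon has a small cv, browsing does not."""
    by_key = defaultdict(list)
    for start, src, dst, dport in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in internal and dst_ip not in internal:
            by_key[(src, dst, dport)].append(start)

    beacons = {}
    for key, starts in by_key.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[key] = (len(starts), mean)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), (n, gap) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{dport}: {n} flows, every {gap:.0f} s")
```

Tightening max_cv or raising min_flows trades missed slow beacons for fewer false positives from regular but benign traffic such as NTP or update checks.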

Should be fun!!!!