Unifix knowledge database - The original one

Argus: monitor your network and keep an audit trail of traffic

Author:mike - Sat Jul 10 04:28:10 2004

Use Argus to monitor your network and to keep an audit trail of your traffic.

Wouldn't it be nice if you could keep a complete record of everything that happened on your network? It would certainly help to track down problems and would be invaluable in the event of a security incident, but it would just take up too much space to keep all of that data around. The next best thing would be to keep a log of all the packets, but not actually keep the data. You can do this with Argus (http://www.qosient.com/argus/).

Argus, or the Audit Record Generation and Utilization System, is a tool that can log network transactions in a variety of ways and can even collect performance metrics on every connection that it is able to see. Argus also contains several utilities that can make queries against the logs, so you can easily extract the information you need. These tools allow you to generate ASCII-, RMON-, or XML-formatted information from an Argus log file. Argus also provides a Perl interface for accessing its log files, so you can easily write custom scripts to make use of the data it collects.

To set up Argus, you'll first need to download the source distribution and unpack it. Then change into the directory that it creates:

$ tar xfz argus-2.0.5.tar.gz

$ cd argus-2.0.5

To compile Argus, run this command:

$ ./configure && make

After compilation has finished, you can install Argus by becoming root and running this command:

# make install

To get a quick demo of Argus, run it and then let it collect some data for a little while:

# argus -d -e `hostname` -w /tmp/arguslog

This command starts argus in daemon mode (-d), tags the records with this host's name as the source id (-e), and writes its log to /tmp/arguslog (-w).

After letting it collect some data, try querying it with the ra command. This will show you an ASCII representation of the packets that argus has logged:

$ ra -r /tmp/arguslog
12 Jan 04 05:42:48 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:43:09 udp 192.168.0.250.snmptrap -> 255.255.255.255.snmptrap INT
12 Jan 04 05:43:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:19 udp kryten.nnc.56581 -> 255.255.255.255.2222 TIM
12 Jan 04 05:43:34 udp sunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:44:08 arp plunder.nnc who-has sirius.nnc INT
12 Jan 04 05:44:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:44:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
12 Jan 04 05:45:06 udp sunder.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm TIM
12 Jan 04 05:40:26 man pkts 734 bytes 75574 drops 0 CON
12 Jan 04 05:44:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:45:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:45:09 tcp kryten.nnc.54176 ?> colossus.nnc.ssh EST
12 Jan 04 05:45:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT

This is just a few minutes of logs from one host, but it is stored in a very compact manner. In fact, during testing, a whole day's worth of logs consumed only 1.4 MB!
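Each ra line above is one flow: timestamp, protocol, source endpoint, direction, destination endpoint and state. The parser below is an added example (not part of the original article or of Argus) that turns those lines into records and summarises them; the ra lines embedded in it are a constructed sample modelled on the output above. It also reads the "man" status records, because "drops" greater than zero means the sensor missed packets and the audit trail has gaps.

```python
import re
from collections import Counter
# Constructed sample in the one-line-per-flow format that ra prints (modelled on the output above).
RA_OUTPUT = """\
12 Jan 04 05:42:48 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:43:09 udp 192.168.0.250.snmptrap -> 255.255.255.255.snmptrap INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:19 udp kryten.nnc.56581 -> 255.255.255.255.2222 TIM
12 Jan 04 05:44:08 arp plunder.nnc who-has sirius.nnc INT
12 Jan 04 05:40:26 man pkts 734 bytes 75574 drops 0 CON
12 Jan 04 05:45:09 tcp kryten.nnc.54176 ?> colossus.nnc.ssh EST
12 Jan 04 09:28:05 icmp kryten.nnc <-> linux-vmm.nnc ECO
"""
STAMP = r"(?P<date>\d{2} \w{3} \d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
# "man" records are the sensor's own status; drops > 0 means gaps in the audit trail.
MAN_RE = re.compile(STAMP + r"man pkts (?P<pkts>\d+) bytes (?P<bytes>\d+) drops (?P<drops>\d+)")
# Everything else: proto, source, direction (ARP uses who-has), destination, optional state.
FLOW_RE = re.compile(STAMP + r"(?P<proto>\w+) (?P<src>\S+) (?P<dir>->|<-|<->|\?>|<\?|who-has) "
                     r"(?P<dst>\S+)(?: (?P<state>[A-Z]+))?\s*$")

def split_endpoint(proto, endpoint):
    """tcp/udp/llc endpoints end in .port or .service; other protocols are bare addresses."""
    if proto in ("tcp", "udp", "llc") and "." in endpoint:
        return tuple(endpoint.rsplit(".", 1))
    return endpoint, None

def parse_ra(text):
    """Parse ra output into a list of flow dicts and a list of sensor status records."""
    flows, status = [], []
    for line in text.splitlines():
        m = MAN_RE.match(line)
        if m:
            status.append({k: int(m.group(k)) for k in ("pkts", "bytes", "drops")})
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue  # blank line or unrecognised record type
        r = m.groupdict()
        r["src_host"], r["src_port"] = split_endpoint(r["proto"], r["src"])
        r["dst_host"], r["dst_port"] = split_endpoint(r["proto"], r["dst"])
        flows.append(r)
    return flows, status

def summarise(flows, status):
    """Flows per (proto, state), broadcast destinations, and packets the sensor dropped."""
    by_proto_state = Counter((f["proto"], f["state"]) for f in flows)
    broadcast = [(f["src_host"], f["dst_host"], f["dst_port"]) for f in flows
                 if f["dst_host"] == "Broadcast" or f["dst_host"].endswith(".255")]
    return {"by_proto_state": by_proto_state, "broadcast": broadcast,
            "sensor_drops": sum(s["drops"] for s in status)}
```

Feed it the real output of `ra -r /tmp/arguslog` instead of RA_OUTPUT to get the same summary for a live log.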

The ra command can also take tcpdump-style filters so that you can query the logs for packets that match a specific host, protocol, port, or any number of other characteristics.

For instance, if you wanted to query the logs for all packets sent either to or from the host named kryten, you could use a command similar to this one (the lone - separates ra's options from the filter expression):

$ ra -r /tmp/arguslog - "host kryten"
12 Jan 04 09:26:34  udp  kryten.nnc.55689  ->  255.255.255.255.2222  TIM
12 Jan 04 09:26:36  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST
12 Jan 04 09:27:37  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST
12 Jan 04 09:28:34  udp  kryten.nnc.55691  ->  255.255.255.255.2222  TIM
12 Jan 04 09:28:05  icmp  kryten.nnc  <->  linux-vmm.nnc  ECO
12 Jan 04 09:28:06  icmp  kryten.nnc  <->  linux-vmm.nnc  ECO
12 Jan 04 09:29:06  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST
12 Jan 04 09:30:34  udp  kryten.nnc.55692  ->  255.255.255.255.2222  TIM
12 Jan 04 09:32:34  udp  kryten.nnc.55693  ->  255.255.255.255.2222  TIM
12 Jan 04 09:33:06  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST
12 Jan 04 09:34:34  udp  kryten.nnc.55694  ->  255.255.255.255.2222
12 Jan 04 09:53:44  tcp  kryten.nnc.54176  ?>  linux-vmm.nnc.ssh  EST

You can also generate a new Argus log file containing only the results of your query by using the -w option to ra and specifying a file to write the results to.

To get XML output from Argus, you can use the raxml utility to make queries, much in the same way as you can with ra. For instance, here's the first record returned by using the previous query for all packets that matched the hostname of kryten:

$ raxml -r /tmp/arguslog - "host kryten"
<ArgusFlowRecord  ArgusSourceId = "192.168.0.41" SequenceNumber = "3" 
 Cause = "Status" StartDate = "2004-01-12" StartTime = "09:25:26"
 StartTimeusecs = "319091" LastDate  = "2004-01-12"  
 LastTime = "09:25:32"  LastTimeusecs = "521982"
 Duration = "6.202891" TransRefNum =  "0">
    <MACAddrs SrcAddr = "0:a:95:c7:2b:10" DstAddr = "0:c:29:e2:2b:c1" />
    <Flow> <IP SrcIPAddr = "192.168.0.60" DstIPAddr = "192.168.0.41" 
     Proto = "tcp" Sport = "56060" Dport = "22" IpId = "27b8" /> </Flow>
    <FlowAttrs SrcTTL = "64" DstTTL = "64" SrcTOS = "10" DstTOS = "10" />
    <ExtFlow> <TCPExtFlow TCPState = "EST" TCPOptions = "TIME" 
     SynAckuSecs = "0" AckDatauSecs = "0" >
              <TCPExtMetrics  SrcTCPSeqBase = "4204580547" 
               SrcTCPAckBytes = "527" SrcTCPBytes = "528" 
               SrcTCPRetrans = "0" SrcTCPWin = "65535" SrcTCPFlags = "PA"
               DstTCPSeqBase = "3077608383" DstTCPAckBytes = "1135"
               DstTCPBytes = "992" DstTCPRetrans = "0" DstTCPWin = "9792"
               DstTCPFlags = "PA" />
              </TCPExtFlow>
    </ExtFlow>
    <Metrics SrcCount = "24" DstCount = "17" SrcBytes = "2112" 
     DstBytes = "2258"  SrcAppBytes = "528" DstAppBytes = "1136" />
  </ArgusFlowRecord>

As you can see, Argus keeps track of much more information than it would seem if you were just going by the output generated by ra. This is where Argus really shines, because it can store such a large amount of information about your network traffic in a small amount of space. In addition, Argus makes it easy to convert this information into other formats, such as XML, which makes it easy to write applications that can understand the data.
Copyright(c) Unifix.org 2002-2011