Use Argus to monitor your network and to keep an audit trail of your traffic.
Wouldn’t it be nice if you could keep a complete record of everything that happened on your network? It would certainly help to track down problems and would be invaluable in the event of a security incident, but it would just take up too much space to keep all of that data around. The next best thing would be to keep a log of all the packets, but not actually keep the data. You can do this with Argus (http://www.qosient.com/argus/).
Argus, or the Audit Record Generation and Utilization System, is a tool that can log network transactions in a variety of ways and can even collect performance metrics on every connection that it is able to see. Argus also contains several utilities that can make queries against the logs, so you can easily extract the information you need. These tools allow you to generate ASCII-, RMON-, or XML-formatted information from an Argus log file. Argus also provides a Perl interface for accessing its log files, so you can easily write custom scripts to make use of the data it collects.
To set up Argus, you’ll first need to download the source distribution and unpack it. Then change into the directory that it creates:
$ tar xfz argus-2.0.5.tar.gz
$ cd argus-2.0.5
To compile Argus, run this command:
$ ./configure && make
After compilation has finished, you can install Argus by becoming root and running this command:
# make install
To get a quick demo of Argus, run it and then let it collect some data for a little while:
# argus -d -e `hostname` -w /tmp/arguslog
This command will start argus in daemon mode and have it write its logs to /tmp/arguslog.
After letting it collect some data, try querying it with the ra command. This will show you an ASCII representation of the packets that argus has logged:
$ ra -r /tmp/arguslog
12 Jan 04 05:42:48 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:43:09 udp 192.168.0.250.snmptrap -> 255.255.255.255.snmptrap INT
12 Jan 04 05:43:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:19 udp kryten.nnc.56581 -> 255.255.255.255.2222 TIM
12 Jan 04 05:43:34 udp sunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:44:08 arp plunder.nnc who-has sirius.nnc INT
12 Jan 04 05:44:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:44:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
12 Jan 04 05:45:06 udp sunder.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm TIM
12 Jan 04 05:40:26 man pkts 734 bytes 75574 drops 0 CON
12 Jan 04 05:44:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:45:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:45:09 tcp kryten.nnc.54176 ?> colossus.nnc.ssh EST
12 Jan 04 05:45:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
This is just a few minutes of logs from one host, but it is stored in a very compact manner. In fact, during testing, a whole day’s worth of logs consumed only 1.4 MB!
The ra command can also take tcpdump-style filters so that you can query the logs for packets that match a specific host, protocol, port, or any number of other characteristics.
For instance, if you wanted to query the logs for all packets sent either to or from the host named kryten, you could use a command similar to this one:
$ ra -r /tmp/arguslog - "host kryten"
12 Jan 04 09:26:34 udp kryten.nnc.55689 -> 255.255.255.255.2222 TIM
12 Jan 04 09:26:36 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
12 Jan 04 09:27:37 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
12 Jan 04 09:28:34 udp kryten.nnc.55691 -> 255.255.255.255.2222 TIM
12 Jan 04 09:28:05 icmp kryten.nnc <-> linux-vmm.nnc ECO
12 Jan 04 09:28:06 icmp kryten.nnc <-> linux-vmm.nnc ECO
12 Jan 04 09:29:06 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
12 Jan 04 09:30:34 udp kryten.nnc.55692 -> 255.255.255.255.2222 TIM
12 Jan 04 09:32:34 udp kryten.nnc.55693 -> 255.255.255.255.2222 TIM
12 Jan 04 09:33:06 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
12 Jan 04 09:34:34 udp kryten.nnc.55694 -> 255.255.255.255.2222
12 Jan 04 09:53:44 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
You can also generate a new Argus log file containing only the results of your query by using the -w option to ra and specifying a file to write the results to.
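The ra output above is compact, but it is also easy to post-process. The following script is an added example (it is not from the book and does not use the Argus project's own Perl interface): it parses ra's ASCII records into dicts, reproduces the "host kryten" filter shown above in plain Python, and then counts which sources were sending to broadcast destinations, something the raw listing makes tedious to eyeball. The record layout, the direction tokens and the broadcast heuristic are assumptions based only on the sample output on this page, and the sample lines embedded below are copied from it.

```python
"""Parse the ASCII flow records that ra(1) prints and summarise them.

Assumed record layout (it matches the sample output shown above):
    <day> <mon> <yy> <HH:MM:SS> <proto> <src> <direction> <dst> [<state>]
'man' records are Argus's own status lines (packet/byte/drop counters) and
carry no endpoints; everything else is treated as a flow.
"""
from collections import Counter

# Constructed sample: lines copied from the ra output above, including one
# record that has no trailing state field, as the real output also shows.
SAMPLE_RA_OUTPUT = """\
12 Jan 04 05:42:48 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:43:09 udp 192.168.0.250.snmptrap -> 255.255.255.255.snmptrap INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:44:19 udp kryten.nnc.56581 -> 255.255.255.255.2222 TIM
12 Jan 04 05:44:08 arp plunder.nnc who-has sirius.nnc INT
12 Jan 04 05:40:26 man pkts 734 bytes 75574 drops 0 CON
12 Jan 04 05:45:09 tcp kryten.nnc.54176 ?> colossus.nnc.ssh EST
12 Jan 04 09:28:05 icmp kryten.nnc <-> linux-vmm.nnc ECO
12 Jan 04 09:34:34 udp kryten.nnc.55694 -> 255.255.255.255.2222
"""

# Protocols whose endpoints end in ".<port>" (".<sap>" for LLC); arp, icmp and
# nvl records print bare hosts or MAC addresses.  Assumption from the sample.
PORTED = {"tcp", "udp", "llc"}
# Direction tokens seen in the sample output; extend if your ra prints others.
DIRECTIONS = {"->", "<->", "?>", "who-has"}


def split_endpoint(proto, endpoint):
    """Split 'host.port' into (host, port) for ported protocols.  Only the last
    dot-separated component is the port, so dotted-quad hosts survive intact."""
    if proto in PORTED and "." in endpoint:
        host, port = endpoint.rsplit(".", 1)
        return host, port
    return endpoint, None


def parse_record(line):
    """Turn one ra output line into a dict, or None if it is not understood."""
    fields = line.split()
    if len(fields) < 6:
        return None
    day, mon, year, clock, proto = fields[:5]
    rest = fields[5:]
    rec = {"time": f"{day} {mon} {year} {clock}", "proto": proto}
    if proto == "man":                       # Argus management/status record
        rec.update(kind="management", detail=" ".join(rest))
        return rec
    if len(rest) < 3 or rest[1] not in DIRECTIONS:
        return None
    src, sport = split_endpoint(proto, rest[0])
    dst, dport = split_endpoint(proto, rest[2])
    rec.update(kind="flow", src=src, sport=sport, direction=rest[1],
               dst=dst, dport=dport, state=rest[3] if len(rest) > 3 else None)
    return rec


def parse_ra(text):
    return [r for r in map(parse_record, text.splitlines()) if r]


def host_matches(name, host):
    """'kryten' matches both 'kryten' and 'kryten.nnc', like the resolved filter."""
    return name == host or name.startswith(host + ".")


def host_filter(records, host):
    """Rough equivalent of ra's 'host <name>' filter: flows with <name> at either end."""
    return [r for r in records if r["kind"] == "flow"
            and (host_matches(r["src"], host) or host_matches(r["dst"], host))]


def is_broadcast(dst):
    # Simplification: the link-layer 'Broadcast' name, the limited broadcast
    # address, and anything ending in .255 (the /24 directed broadcast seen above).
    return dst == "Broadcast" or dst == "255.255.255.255" or dst.endswith(".255")


def broadcast_sources(records):
    """Count, per source, how many logged flows went to a broadcast destination."""
    return Counter(r["src"] for r in records
                   if r["kind"] == "flow" and is_broadcast(r["dst"]))


if __name__ == "__main__":
    recs = parse_ra(SAMPLE_RA_OUTPUT)
    print(f"{len(recs)} records, {len(host_filter(recs, 'kryten'))} involving kryten")
    for src, n in broadcast_sources(recs).most_common():
        print(f"{n:3d} broadcast flow(s) from {src}")
```

To run it against a real log, pipe `ra -r /tmp/arguslog` into the script and feed the text to parse_ra instead of the embedded sample; the per-source broadcast count is the kind of baseline that makes a new or unusually chatty host stand out in the next day's log.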
To get XML output from Argus, you can use the raxml utility to make queries, much in the same way as you can with ra. For instance, here’s the first record returned by using the previous query for all packets that matched the hostname of kryten:
$ raxml -r /tmp/arguslog - "host kryten"
<ArgusFlowRecord ArgusSourceId="192.168.0.41" SequenceNumber="3"
Cause="Status" StartDate="2004-01-12" StartTime="09:25:26"
StartTimeusecs="319091" LastDate="2004-01-12"
LastTime="09:25:32" LastTimeusecs="521982"
Duration="6.202891" TransRefNum="0">
<MACAddrs SrcAddr="0:a:95:c7:2b:10" DstAddr="0:c:29:e2:2b:c1" />
<Flow> <IP SrcIPAddr="192.168.0.60" DstIPAddr="192.168.0.41"
Proto="tcp" Sport="56060" Dport="22" IpId="27b8" /> </Flow>
<FlowAttrs SrcTTL="64" DstTTL="64" SrcTOS="10" DstTOS="10" />
<ExtFlow> <TCPExtFlow TCPState="EST" TCPOptions="TIME"
SynAckuSecs="0" AckDatauSecs="0" >
<TCPExtMetrics SrcTCPSeqBase="4204580547"
SrcTCPAckBytes="527" SrcTCPBytes="528"
SrcTCPRetrans="0" SrcTCPWin="65535" SrcTCPFlags="PA"
DstTCPSeqBase="3077608383" DstTCPAckBytes="1135"
DstTCPBytes="992" DstTCPRetrans="0" DstTCPWin="9792"
DstTCPFlags="PA" />
</TCPExtFlow>
</ExtFlow>
<Metrics SrcCount="24" DstCount="17" SrcBytes="2112"
DstBytes="2258" SrcAppBytes="528" DstAppBytes="1136" />
</ArgusFlowRecord>
As you can see, Argus keeps track of much more information than it would seem if you were just going by the output generated by ra. This is where Argus really shines, because it can store such a large amount of information about your network traffic in a small amount of space. In addition, Argus makes it easy to convert this information into other formats, such as XML, which makes it easy to write applications that can understand the data.
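The XML record makes the extra detail usable by ordinary tooling. As an added example (not code from the book or from the Argus project), the script below reads one ArgusFlowRecord like the one shown above with Python's standard XML parser and reduces it to the fields an analyst usually wants first: endpoints, ports, packet and byte counts per direction, throughput over the flow's Duration, TCP state and retransmissions. It assumes the input is a single ArgusFlowRecord element as printed above; raxml's complete output also wraps records in an enclosing document element, which is not handled here. The embedded record is the one from the page with its quotes normalised.

```python
"""Extract per-flow metrics from an ArgusFlowRecord element produced by raxml.

Assumption: the input is one <ArgusFlowRecord> as shown above.  Non-TCP
records (no ExtFlow/TCPExtFlow child) are handled by leaving the TCP fields
as None.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the raxml record shown above.
SAMPLE_RECORD = """\
<ArgusFlowRecord ArgusSourceId="192.168.0.41" SequenceNumber="3"
  Cause="Status" StartDate="2004-01-12" StartTime="09:25:26"
  StartTimeusecs="319091" LastDate="2004-01-12"
  LastTime="09:25:32" LastTimeusecs="521982"
  Duration="6.202891" TransRefNum="0">
  <MACAddrs SrcAddr="0:a:95:c7:2b:10" DstAddr="0:c:29:e2:2b:c1" />
  <Flow> <IP SrcIPAddr="192.168.0.60" DstIPAddr="192.168.0.41"
    Proto="tcp" Sport="56060" Dport="22" IpId="27b8" /> </Flow>
  <FlowAttrs SrcTTL="64" DstTTL="64" SrcTOS="10" DstTOS="10" />
  <ExtFlow> <TCPExtFlow TCPState="EST" TCPOptions="TIME"
      SynAckuSecs="0" AckDatauSecs="0" >
    <TCPExtMetrics SrcTCPSeqBase="4204580547"
      SrcTCPAckBytes="527" SrcTCPBytes="528"
      SrcTCPRetrans="0" SrcTCPWin="65535" SrcTCPFlags="PA"
      DstTCPSeqBase="3077608383" DstTCPAckBytes="1135"
      DstTCPBytes="992" DstTCPRetrans="0" DstTCPWin="9792"
      DstTCPFlags="PA" />
  </TCPExtFlow>
  </ExtFlow>
  <Metrics SrcCount="24" DstCount="17" SrcBytes="2112"
    DstBytes="2258" SrcAppBytes="528" DstAppBytes="1136" />
</ArgusFlowRecord>
"""


def summarize_flow(xml_text):
    """Return a flat dict of the fields most useful when triaging one flow."""
    root = ET.fromstring(xml_text)
    if root.tag != "ArgusFlowRecord":
        raise ValueError(f"expected ArgusFlowRecord, got {root.tag}")
    ip = root.find("Flow/IP")
    metrics = root.find("Metrics")
    if ip is None or metrics is None:
        raise ValueError("record lacks Flow/IP or Metrics")

    duration = float(root.get("Duration", "0"))
    src_bytes = int(metrics.get("SrcBytes", 0))
    dst_bytes = int(metrics.get("DstBytes", 0))
    summary = {
        "start": f'{root.get("StartDate")} {root.get("StartTime")}',
        "duration": duration,
        "src": ip.get("SrcIPAddr"), "sport": int(ip.get("Sport", 0)),
        "dst": ip.get("DstIPAddr"), "dport": int(ip.get("Dport", 0)),
        "proto": ip.get("Proto"),
        "src_pkts": int(metrics.get("SrcCount", 0)),
        "dst_pkts": int(metrics.get("DstCount", 0)),
        "src_bytes": src_bytes, "dst_bytes": dst_bytes,
        # Argus reports Duration in seconds; guard against zero-length records.
        "bytes_per_sec": (src_bytes + dst_bytes) / duration if duration > 0 else 0.0,
        "tcp_state": None, "retrans": None,
    }

    tcp = root.find("ExtFlow/TCPExtFlow")          # absent for non-TCP flows
    if tcp is not None:
        summary["tcp_state"] = tcp.get("TCPState")
        tm = tcp.find("TCPExtMetrics")
        if tm is not None:
            summary["retrans"] = (int(tm.get("SrcTCPRetrans", 0))
                                  + int(tm.get("DstTCPRetrans", 0)))
    return summary


if __name__ == "__main__":
    s = summarize_flow(SAMPLE_RECORD)
    print(f'{s["start"]} {s["proto"]} {s["src"]}:{s["sport"]} -> '
          f'{s["dst"]}:{s["dport"]} state={s["tcp_state"]}')
    print(f'  {s["src_pkts"]}/{s["dst_pkts"]} pkts, {s["src_bytes"]}/{s["dst_bytes"]} bytes, '
          f'{s["bytes_per_sec"]:.1f} B/s, retrans={s["retrans"]}')
```

The same summary dict is a convenient unit to load into a database or a spreadsheet, which is the sort of application the XML output is meant to feed; a single ra line, by contrast, carries none of the byte counts, windows or retransmission figures used here.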