ARGUS(8)                    System Manager's Manual                   ARGUS(8)

NAME
argus - audit record generation and utilization system

SYNOPSIS
argus [ options ] [ filter expression ]

COPYRIGHT
Copyright (c) 2000-2015 QoSient, LLC. All rights reserved.

DESCRIPTION
Argus is a data network transaction auditing tool that categorizes and
tracks network packets that match the libpcap filter expression into a
protocol-specific network flow transaction model. Argus reports on the
transactions that it discovers as periodic network flow data, which is
suitable for historical and near real-time processing for forensics,
trending and alarm/alerting.

Designed to run as a daemon, argus reads packets directly from a
network interface, classifies the packets into network transactions and
appends the resulting network flow data to a log file or to an open
socket connected to an argus client (such as ra(1)). Argus can also read
packet information from tcpdump(1), snoop(1), NLANR's Moat Time
Sequence Header or Endace's ERF raw packet files. Argus can also be
configured to append its transaction logs to stdout.

Argus can provide address-based access control for its socket
connection facility using tcp_wrappers, and it can provide strong
authentication and confidentiality protection using SASL2 technology.
Refer to the package documentation to enable each of these services.

OPTIONS
-A Generate application byte metrics in each audit record.

-b Dump the compiled packet-matching code to stdout and stop. This
is used to debug filter expressions.

-B <addr> Specify the bind interface address for remote access.
Acceptable values are IP version 4 addresses. The default is to
bind to the INADDR_ANY address.

-c <dir> Specify a chroot directory to use after privileged setup is
complete. Must be super user to use this option.

-C Run argus in control plane capture mode. This sets the interface
packet snap length to capture full packets, and enables detailed
flow tracking for supported control plane protocols.

-d Run argus as a daemon. This will cause argus to do the things
that Unix daemons do and return, if there were no errors, with
argus running as a detached process.

-D <level> Print debug messages to stderr. The higher the <level>,
the more information is printed. Acceptable levels are 1-8.

-e <value> Specify the source identifier for this argus. Acceptable
values are numbers, strings, hostnames or IP addresses. Double
quotes around the parameter are used to designate the string
format. The longest supported string is 4 characters long. Be sure
to single quote or 'escape' the double quotes so that the shell
doesn't gobble up the delimiters.

This option sets a global source identifier that can be overridden
by specific -i options.

argus -e '"arg1"'
argus -e \"arg2\"


-f When reading packets from a packet capture file, the -f option
causes argus to not stop when end of file is reached, but rather
to wait for additional packets to be appended to the input. The -f
option is ignored if the standard input is a pipe, but not if it
is a FIFO.


-F <conffile> Use conffile as a source of configuration information.
Options set in this file override any other specification, and so
this is the last word on option values.

-g <group> Specify a group name to change to after privileged setup
is complete.

-h Print an explanation of all the arguments.

-i <interface> Specify the physical network <interface> to be
audited. The default is the first network interface that is up
and running.

The syntax for specifying the interface is the same format used in
the argus.conf(5) file. The optional source id specification can be
an IPv4 address, an integer, or a string denoted using double
quotes.

-i interface[/srcid]
-i all[/srcid]
-i dup:en0,en1/"ap01" ( en0 and en1 are the ingress and egress interfaces )
-i bond:en0,en1/2.3.4.5 ( en0 and en1 are bonded interfaces )
-i en0 en1 ( equivalent to '-i bond:en0,en1' )
-i dup:[bond:en0,en1],en2/3 ( in this case 3 is the srcid )
-i en0/"en0" -i en1/"en1" ( equivalent to '-i ind:en0/srcid,en1/srcid' )

-J Generate packet performance data in each audit record.

-M <secs> Specify the interval in <secs> of argus status records.
These records are used to report the internal status of argus
itself. The default is 300 seconds.

-m Provide MAC address information in argus records.

-N <packet count>|<packet range>
Specify the number of packets to process. You can give an
absolute number, or a range with the syntax "start-stop". Examples
are:
-N 27 - read the first 27 packets.
-N 1034-1434 - read 100 packets starting with 1034.

-O Turn off the Berkeley Packet Filter optimizer. There is no reason
to do this unless you think the optimizer generates bad code.

-p Do not set the physical network interface in promiscuous mode. If
the interface is already in promiscuous mode, this option may have
no effect. Do this to audit only the traffic coming to and from
the system argus is running on.

-P <portnum> Specifies the <portnum> for remote client connections.
The default is to not support remote access. Setting the value to
zero (0) will forcibly turn off the facility.

-r <[type:]file [type:]file ... >
Read from tcpdump(1), snoop(1) or NLANR's Moat Time Sequence
Header (tsh) packet capture files. If the packet capture file is
a tsh format file, then the -t option must also be used. The file
"-" specifies stdin as the source of packets.

The type provides the opportunity to specify what type of packet
source to expect and process. Supported types are '' (default)
and 'cisco', where argus will process the payload of packets as
netflow records, when found.

Argus will read from only one input packet file at a time, and
will open the files in lexicographic order. Care should be taken to
ensure that the timestamps in the packets are ordered, or
unexpected behavior may result. If the -r option is specified, argus
will not put down a listen(2) to support remote access.

-R Generate argus records such that response times can be derived
from transaction data.

-s <bytes> Specify the packet snaplen.

-S <secs> Specify the status reporting interval in <secs> for all
traffic flows.

-t Indicate that the expected packet capture input file is an NLANR
Moat Time Sequence Header (tsh) packet capture file.

-T <timescale>
Specify a playback timescale for realtime processing of input
packets.

-u <user> Specify an account name to change to after privileged setup
is complete.

-U <bytes> Specify the number of user bytes to capture.

-w <file | stream ["filter"]> Append transaction status records to
output-file or write records to the URL-based stream. Supported
stream URLs are 'argus-udp://host[:port]', where the default port
is 561. An output-file of '-' directs argus to write the resulting
argus-file output to stdout.

-X Clear existing argus configuration. This removes any
initialization done prior to encountering this flag. It allows you
to eliminate the effects of the /etc/argus.conf file, or any
argus.conf files that may have been loaded.

-Z Collect packet size information. This option turns on packet
size reporting for all flows. Argus will provide the mean, max,
min and standard deviation of the packet sizes seen during the
flow status interval.

expression
This tcpdump(1) expression specifies which transactions will be
selected. If no expression is given, all transactions are
selected. Otherwise, only transactions for which expression is
`true' will be dumped. For a complete description of the expression
format, please refer to the tcpdump(1) man page.


SIGNALS
Argus catches a number of signal(3) events. The three signals SIGHUP,
SIGINT, and SIGTERM cause argus to exit, writing TIMEDOUT status
records for all currently active transactions. The signal SIGUSR1 will
turn on debug reporting, and subsequent SIGUSR1 signals will increment
the debug level. The signal SIGUSR2 will cause argus to turn off all
debug reporting.


FILES
/etc/argus.conf - argus daemon configuration file
/var/run/argus.#.#.pid - PID file


EXAMPLES
Run argus as a daemon, writing all its transaction status reports to
output-file. This is the typical mode.
argus -d -e `hostname` -w output-file

If ICMP traffic is not of interest to you, you can filter out ICMP
packets on input.
argus -w output-file - ip and not icmp

Argus supports both input filtering and output filtering, and argus
supports multiple output streams, each with its own independent
filter. Output streams can be written to UDP-based sockets, to unicast
or multicast addresses.

If you are interested in tracking IP traffic only (input filter) and
want to report ICMP traffic to one output stream and all other IP
traffic to another output stream:
argus -w argus-udp://224.0.20.21:561 "icmp" \
-w argus-udp://224.0.20.21:562 "not icmp" - ip

Audit the network activity that is flowing between the two gateway
routers whose ethernet addresses are 00:08:03:2D:42:01 and
00:00:0C:18:29:F1. Without specifying an output-file, it is assumed
that the transaction status reports will be written to a remote client.
In this case we have changed the port that the remote client will use
to port 430/tcp.
argus -P 430 ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1) &

Audit each individual ICMP ECHO transaction from data in <dir>. You
would do this to gather Round Trip Time (RTT) data within your network.
Append the output to output-file.
argus -R dir -w output-file "echo" - icmp

Audit all NFS transactions involving the server fileserver and increase
the reporting interval to 3600 seconds (to provide high data
reduction). Append the output to output-file.
argus -S 3600 -w output-file - host fileserver and udp and port 2049 &

Import flow data from a pcap file containing Cisco flow data packets.
Write output to stdout, to a ra(1) instance.
argus -r cisco:pcap-file -w - | ra
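Putting the privilege-reducing options above together, as an added example that is not from the argus man page or distribution: a POSIX sh wrapper that runs argus detached, drops to an unprivileged user and group, chroots, keeps the remote listener off, quotes the string source id exactly once, and splits output between a local file and a udp stream with its own output filter. The ARGUS_* variable names, the argus account, /var/empty and the collector address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the argus distribution: start argus(8) with the
# privilege-reducing options documented above. The ARGUS_* names, the "argus"
# account, /var/empty and the collector address are assumptions for this example.
ARGUS_USER="${ARGUS_USER:-argus}"
ARGUS_GROUP="${ARGUS_GROUP:-argus}"
ARGUS_CHROOT="${ARGUS_CHROOT:-/var/empty}"
ARGUS_OUT="${ARGUS_OUT:-/var/log/argus/argus.out}"
ARGUS_COLLECTOR="${ARGUS_COLLECTOR:-192.0.2.10}"   # placeholder ra(1) collector host

# Wrap a source id in the double quotes argus uses for its string form and
# refuse anything longer than the 4 characters argus supports.
srcid_arg() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 4 ] || return 1
    printf '"%s"' "$1"
}

# Build the argument vector and hand it to the command named in $1, so the
# same list can be printed for inspection or passed to argus itself.
argus_args_to() {
    cmd="$1"; iface="$2"
    srcid_q="$(srcid_arg "$3")" || return 1
    set -- -d                                         # detach as a daemon
    set -- "$@" -u "$ARGUS_USER" -g "$ARGUS_GROUP"    # drop uid/gid once the interface is open
    set -- "$@" -c "$ARGUS_CHROOT"                    # then confine the process to an empty dir
    set -- "$@" -P 0                                  # keep the remote-access listener off
    set -- "$@" -e "$srcid_q"                         # the quotes reach argus intact: no shell here
    set -- "$@" -i "$iface"
    set -- "$@" -w "$ARGUS_OUT"                       # every flow to the local file
    set -- "$@" -w "argus-udp://$ARGUS_COLLECTOR:561" "not icmp"   # non-ICMP flows to the collector
    set -- "$@" - ip                                  # input filter: IP traffic only
    "$cmd" "$@"
}

print_lines() { printf '%s\n' "$@"; }

# Print the exact argument vector, one word per line, without running anything.
build_argus_args() { argus_args_to print_lines "$1" "$2"; }

# Run argus only when it is installed and the chroot directory exists.
run_argus() {
    command -v argus >/dev/null 2>&1 || { echo "argus not installed" >&2; return 1; }
    [ -d "$ARGUS_CHROOT" ] || { echo "missing chroot dir $ARGUS_CHROOT" >&2; return 1; }
    argus_args_to argus "$1" "$2"
}
```

Inspect the vector first with `build_argus_args en0 ap01`, then start the sensor with `run_argus en0 ap01` as root.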

AUTHORS
Carter Bullard (carter@qosient.com)

SEE ALSO
hosts_access(5), hosts_options(5), tcpd(8), tcpdump(1)



argus 3.0.8                    10 November 2000                       ARGUS(8)