ARGUS.CONF(5)                 File Formats Manual                ARGUS.CONF(5)

NAME

       argus.conf - argus resource file.

SYNOPSIS

       argus.conf

       Copyright (c) 2000-2015 QoSient, LLC   All rights reserved.

DESCRIPTION

       This is the canonical argus configuration file.  All options that argus
       supports can be turned on or modified using this configuration format.
       Argus will search for a system /etc/argus.conf file and will open it
       and use it to seed all configuration options.  Previous versions of
       Argus supported searching for argus.conf in $ARGUSPATH, $ARGUSHOME,
       $ARGUSHOME/lib, $HOME, and $HOME/lib, but this support is deprecated.
       All values in this file can be overridden by command line options, or
       by other configuration files of this format when specified using the
       -F option.

       Argus will read any number of configuration files using the -F option,
       and command-line order is very important.

Variable Syntax

       Variable assignments must be of the form:
         VARIABLE=
       with no white space between the VARIABLE and the '=' sign.  Quotes are
       optional for string arguments, but if you want to embed comments, then
       quotes are required.

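       The assignment rules above, as an added example (this is not code from
       argus or from this manual): a small Python parser that accepts
       VARIABLE=value lines, rejects white space before the '=', strips an
       unquoted trailing comment, keeps a '#' that sits inside double quotes,
       and collects repeated directives in file order.  The configuration it
       parses is constructed for the example.

```python
"""Parser for the argus.conf assignment syntax (added example, not argus code)."""
import re

# VARIABLE is assumed to be an upper-case identifier; it must touch the '='.
_ASSIGN = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")


class ConfError(ValueError):
    """Raised for a line that does not follow the VARIABLE= form."""


def parse_value(raw):
    """Strip an optional trailing comment and optional double quotes.

    Inside double quotes a '#' is part of the value; unquoted, it starts a
    comment, which is why the manual says quotes are required for comments.
    """
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        if end < 0:
            raise ConfError(f"unterminated quote: {raw!r}")
        rest = raw[end + 1:].strip()
        if rest and not rest.startswith("#"):
            raise ConfError(f"text after closing quote: {raw!r}")
        return raw[1:end]
    return raw.split("#", 1)[0].strip()


def parse_conf(text):
    """Return {VARIABLE: [value, ...]} in file order.

    Values are kept as lists because some directives (ARGUS_OUTPUT_FILE,
    ARGUS_BIND_IP, ARGUS_ENV, ARGUS_EVENT_DATA) may be given several times.
    """
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment line
        m = _ASSIGN.match(stripped)
        if m is None:                     # e.g. "ARGUS_DAEMON =yes"
            raise ConfError(f"line {lineno}: not of the form VARIABLE=: {line!r}")
        name, raw = m.groups()
        conf.setdefault(name, []).append(parse_value(raw))
    return conf


def is_valid_line(line):
    """True if `line` is blank, a comment, or a well-formed assignment."""
    try:
        parse_conf(line)
    except ConfError:
        return False
    return True


# Constructed sample, not a real deployment's configuration.
SAMPLE = """
# system daemon configuration
ARGUS_DAEMON=yes                          # run in the background
ARGUS_FILTER="not port 22 # quotes keep this '#' in the value"
ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
ARGUS_OUTPUT_FILE=/var/log/argus/dns.out "udp and port 53"
ARGUS_ACCESS_PORT=0
"""

if __name__ == "__main__":
    for name, values in parse_conf(SAMPLE).items():
        print(f"{name} = {values}")
```
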
ARGUS_FLOW_TYPE / ARGUS_FLOW_KEY

       Argus can be configured to support a large number of flow types.  It
       can provide either uni-directional or bi-directional flow tracking, and
       the flow can be further defined by specifying the key.  Argus supports
       a set of well known key strategies, such as 'CLASSIC_5_TUPLE',
       'LAYER_3_MATRIX' and 'LAYER_2_MATRIX', and can formulate key strategies
       from a list of the specific objects that Argus understands.  See the
       argus man page for a complete description.

       The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.

       There is no commandline equivalent.

       ARGUS_FLOW_TYPE="Bidirectional"
       ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"

ARGUS_DAEMON

       Argus is capable of running as a daemon, doing all the right things
       that daemons do.  When this configuration is used for the system daemon
       process, say for /etc/argus.conf, this variable should be set to "yes".

       In the examples seen in the ./support/Startup/argus scripts, this value
       is set to "yes", as the system startup strategy requires the program to
       daemonize itself, returning a value to the system, hopefully quickly.
       Some systems, however, want to daemonize the tasks themselves, and in
       those cases the value must be set to "no".

       which requires that this variable be set to "yes".

       The default value is to not run as a daemon.

       Commandline equivalent  -d

       ARGUS_DAEMON=no

ARGUS_MONITOR_ID

       Argus Monitor Data is uniquely identifiable based on the source
       identifier that is included in each output record.  This is to allow
       you to work with Argus Data from multiple monitors at the same time.
       The ID is 32 bits long, and argus supports a number of formats as
       legitimate values.  Argus supports unsigned ints, IPv4 addresses and
       4-byte strings as values.

       The formats are discerned from the values provided.  Double-quoted
       values are treated as strings, and are truncated to 4 characters.
       Non-quoted values are tested for whether they are hostnames, and if
       not, then they are tested for whether they are numbers.

       The configuration allows you to use host names; however, do have some
       understanding of how `hostname` will be resolved by the nameserver
       before committing to this strategy completely.

       For convenience, argus supports the notion of "`hostname`" for
       assigning the probe's id.  This is to support management of large
       deployments, so you can have one argus.conf file that works for a lot
       of probes.

       For security, argus does not rely on system programs, like hostname(1).
       It implements the logic of hostname itself, so don't try to run
       arbitrary programs using this method, because it won't work.

       Commandline equivalent   -e

       ARGUS_MONITOR_ID=`hostname`    // IPv4 address returned
       ARGUS_MONITOR_ID=10.2.45.3     // IPv4 address
       ARGUS_MONITOR_ID=2435          // Number
       ARGUS_MONITOR_ID="en0"         // String

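       The four value forms above, reduced to the 32-bit id in the order the
       manual gives (double-quoted string truncated to 4 characters, then
       hostname, then number, with a dotted IPv4 literal accepted directly),
       as an added example that is not argus code.  It assumes an injectable
       resolver backed by a constructed name table so it runs offline, treats
       `hostname` as a constant local name (no external program is run), and
       NUL-pads strings shorter than 4 characters.

```python
"""Classify ARGUS_MONITOR_ID values (added example, not argus code)."""
import ipaddress
import struct

# Constructed name table standing in for DNS; these are not real hosts.
FAKE_HOSTS = {"probe1.example.test": "10.2.45.3", "probe-1": "192.168.0.68"}
LOCAL_NAME = "probe-1"   # assumed local hostname used for the `hostname` form
MAX_ID = 0xFFFFFFFF      # the ID is 32 bits long


def lookup(name, table=FAKE_HOSTS):
    """Stand-in resolver: return an IPv4 string, or None if `name` is unknown."""
    return table.get(name)


def monitor_id(value, resolve=lookup):
    """Return (kind, id32) for the raw text after ARGUS_MONITOR_ID=.

    kind is one of "string", "ipv4", "hostname" or "number".
    """
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        # Double-quoted: a string, truncated to 4 characters and packed as
        # 4 big-endian bytes (NUL padding of shorter strings is an assumption).
        raw = value[1:-1][:4].encode("ascii").ljust(4, b"\0")
        return "string", struct.unpack(">I", raw)[0]
    if value == "`hostname`":
        value = LOCAL_NAME            # argus derives the name itself; constant here
    try:
        return "ipv4", int(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        pass
    addr = resolve(value)             # hostnames are tried before numbers
    if addr is not None:
        return "hostname", int(ipaddress.IPv4Address(addr))
    try:
        number = int(value, 10)
    except ValueError:
        raise ValueError(f"cannot interpret monitor id {value!r}") from None
    if not 0 <= number <= MAX_ID:
        raise ValueError(f"monitor id {number} does not fit in 32 bits")
    return "number", number


def is_valid_monitor_id(value, resolve=lookup):
    """True if `value` is accepted in one of the four forms."""
    try:
        monitor_id(value, resolve)
    except (ValueError, UnicodeEncodeError):
        return False
    return True


if __name__ == "__main__":
    for text in ["`hostname`", "10.2.45.3", "2435", '"en0"']:
        kind, id32 = monitor_id(text)
        print(f"{text:12} -> {kind:8} 0x{id32:08x}")
```
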
ARGUS_ACCESS_PORT

       Argus monitors can provide a real-time remote access port for
       collecting Argus data.  This is a TCP based port service and the
       default port number is tcp/561, the "experimental monitor" service.
       This feature is disabled by default, and can be forced off by setting
       it to zero (0).

       When you do want to enable this service, 561 is a good choice, as all
       ra* clients are configured to try this port by default.

       Commandline equivalent  -P

       ARGUS_ACCESS_PORT=561

ARGUS_BIND_IP

       When remote access is enabled (see above), you can specify that Argus
       should bind only to a specific IP address.  This is useful, for
       example, in restricting access to the local host, or binding to a
       private interface while capturing from another.

       You can provide multiple addresses, separated by commas, or on multiple
       lines.

       The default is to bind to any IP address.

       Commandline equivalent  -B

       ARGUS_BIND_IP="::1,127.0.0.1"
       ARGUS_BIND_IP="127.0.0.1"
       ARGUS_BIND_IP="192.168.0.68"

ARGUS_INTERFACE

       By default, Argus will open the first appropriate interface on a system
       that it encounters.  For systems that have only one network interface,
       this is a reasonable thing to do.  But when there is more than one
       suitable interface, you should specify the interface(s) Argus should
       use, either on the command line or in this file.

       Argus can track packets from any or all interfaces, concurrently.  The
       interfaces can be tracked as:
         1.  independent - this is where argus tracks flows from each
                interface independently of the packets seen on any other
                interface.  This is useful for hosts/routers that
                have full-duplex interfaces, and you want to distinguish
                flows based on their interface.  There is an option to specify
                a distinct srcid for each independent modeler.

         2.  duplex - where argus tracks packets from 2 interfaces
                as if they were two half duplex streams of the same link.
                Because there is a single modeler tracking the 2
                interfaces, there is a single srcid that can be passed as
                an option.

         3.  bonded - where argus tracks packets from multiple interfaces
                as if they were from the same stream.  Because there is a
                single modeler tracking the 2 interfaces, there is a single
                srcid that can be passed as an option.

       Interfaces can be specified as groups using '[',']' notation, to build
       flexible definitions of packet sources.  However, each interface
       should be referenced only once (this is due to performance and OS
       limitations, so if your OS has no problem with this, go ahead).

       The lo (loopback) interface will be included only if it is
       specifically indicated in the option.

       The syntax for specifying this either on the command line or in this
       file:
           -i ind:all
           -i dup:en0,en1/srcid
           -i bond:en0,en1/srcid
           -i dup:[bond:en0,en1],en2/srcid
           -i en0/srcid -i en1/srcid   (equivalent '-i ind:en0/srcid,en1/srcid')
           -i en0 en1                  (equivalent '-i bond:en0,en1')

       In all cases, if there is a "-e srcid" provided, this is used as the
       default.  If a srcid is specified using this option, it overrides
       the default.

       Srcids are specified using the notation used for ARGUS_MONITOR_ID, as
       above.

       Commandline equivalent   -i

       ARGUS_INTERFACE=any
       ARGUS_INTERFACE=ind:all
       ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1
       ARGUS_INTERFACE=ind:en0/"en0",en2/19234
       ARGUS_INTERFACE=en0

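       The packet-source syntax above, as an added example (not argus code):
       a parser that turns one -i or ARGUS_INTERFACE value such as
       dup:[bond:en0,en1],en2/srcid into a tree of modelers, applies the
       "-e srcid" default where no srcid was given, and reports interfaces
       referenced more than once.  Assumptions: a value without a mode prefix
       is treated as bond (so "en0 en1" is bond:en0,en1 and "en0" is a bond of
       one interface), and in dup/bond the trailing /srcid belongs to the
       group while in ind each interface carries its own.

```python
"""Parse ARGUS_INTERFACE / -i packet-source specs (added example, not argus code)."""

MODES = ("ind", "dup", "bond")


def _split_top(spec):
    """Split on commas that are not inside a [...] group."""
    parts, depth, cur = [], 0, ""
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if depth < 0:
            raise ValueError(f"unbalanced ']' in {spec!r}")
        if ch == "," and depth == 0:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    if depth:
        raise ValueError(f"unbalanced '[' in {spec!r}")
    return [p.strip() for p in parts + [cur] if p.strip()]


def _split_srcid(part):
    """Split a trailing '/srcid' that sits outside any [...] group."""
    body, sep, srcid = part.rpartition("/")
    if sep and "]" not in srcid:
        return body, srcid
    return part, None


def parse_interfaces(spec, default_srcid=None):
    """Return one modeler {"mode", "members", "srcid"} for a single -i value.

    A member is an interface {"iface", "srcid"} or a nested modeler for a
    [...] group.  Only "ind" carries a srcid per interface; "dup" and "bond"
    have one modeler, so their srcid sits on the group.  `default_srcid`
    plays the role of the "-e srcid" default.
    """
    spec = " ".join(spec.split())
    mode = "bond"                               # "en0 en1" means bond:en0,en1
    head, sep, tail = spec.partition(":")
    if sep and head in MODES:
        mode, spec = head, tail
    parts = _split_top(spec.replace(" ", ","))
    group_srcid = None
    if mode != "ind" and parts:
        parts[-1], group_srcid = _split_srcid(parts[-1])
    members = []
    for part in parts:
        body, srcid = _split_srcid(part) if mode == "ind" else (part, None)
        if body.startswith("[") and body.endswith("]"):
            members.append(parse_interfaces(body[1:-1], srcid or default_srcid))
        else:
            own = (srcid or default_srcid) if mode == "ind" else None
            members.append({"iface": body, "srcid": own})
    srcid = None if mode == "ind" else (group_srcid or default_srcid)
    return {"mode": mode, "members": members, "srcid": srcid}


def interfaces(tree):
    """Flatten a modeler tree into the interface names it references."""
    names = []
    for m in tree["members"]:
        names.extend(interfaces(m) if "mode" in m else [m["iface"]])
    return names


def duplicates(tree):
    """Interfaces referenced more than once (the manual says to avoid this)."""
    seen, dups = set(), []
    for name in interfaces(tree):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups
```
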
ARGUS_GO_PROMISCUOUS

       By default, Argus will put its interface in promiscuous mode in order
       to monitor all the traffic that can be collected.  This can put an
       undue load on systems.

       If the intent is to monitor only the network activity of the specific
       system, say to measure the performance of an HTTP service or DNS
       service, you'll want to turn promiscuous mode off.

       The default value goes into promiscuous mode.

       Commandline equivalent  -p

       ARGUS_GO_PROMISCUOUS=yes

ARGUS_CHROOT_DIR

       Argus supports chroot(2) in order to control the file system that argus
       exists in and can access.  Generally used when argus is running with
       privileges, this limits the negative impacts that argus could inflict
       on its host machine.

       This option will cause the output file names to be relative to this
       directory, so consider this when trying to find your output files.

       Commandline equivalent   -c dir

       ARGUS_CHROOT_DIR=/chroot_dir

ARGUS_SETUSER_ID

       Argus can be directed to change its user id using the setuid() system
       call.  This can be used when argus is started as root in order to
       access privileged resources; after the resources are opened, this
       directive will cause argus to change its user id to a 'lesser' capable
       account.  Recommended when argus is running as a daemon.

       Commandline equivalent   -u user

       ARGUS_SETUSER_ID=user

ARGUS_SETGROUP_ID

       Argus can be directed to change its group id using the setgid() system
       call.  This can be used when argus is started as root in order to
       access privileged resources; after the resources are opened, this
       directive can be used to change argus' group id to a 'lesser' capable
       account.  Recommended when argus is running as a daemon.

       Commandline equivalent   -g group

       ARGUS_SETGROUP_ID=group

ARGUS_OUTPUT_FILE

       Argus can write its output to one or a number of files; the default
       limit is 5 concurrent files, each with their own independent filters.

       The format is:
            ARGUS_OUTPUT_FILE=/full/path/file/name
            ARGUS_OUTPUT_FILE=/full/path/file/name "filter"

       Most sites will have argus write to a file, for reliability and
       performance.  The example file name is used here as supporting
       programs, such as ./support/Archive/argusarchive, are configured to use
       this file.

       Commandline equivalent  -w

       ARGUS_OUTPUT_FILE=/var/log/argus/argus.out

ARGUS_OUTPUT_STREAM

       Argus can write its output to one or a number of remote hosts.  The
       default limit is 5 concurrent output streams, each with their own
       independent filters.

       The format is:
            ARGUS_OUTPUT_STREAM="URI [filter]"
            ARGUS_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'"

       Most sites will have argus listen() for remote sites to request argus
       data, but for some sites and applications sending records without
       registration is desired.  This option will cause argus to transmit
       records that match the optional filter to the configured targets, using
       UDP as the transport mechanism.

       Commandline equivalent   -w argus-udp://host:port

       ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561

ARGUS_SET_PID

       When Argus is configured to run as a daemon, with the -d option, Argus
       can store its pid in a file, to aid in managing the running daemon.
       However, creating a system pid file requires privileges that may not be
       appropriate for all cases.

       When configured to generate a pid file, if Argus cannot create the pid
       file, it will fail to run.  This variable, and the directory the pid is
       written to, are available to override the default, in case this gets
       in your way.

       The default value is to generate a pid.  The default path for the pid
       file is '/var/run'.

       No Commandline equivalent

       ARGUS_SET_PID=yes
       ARGUS_PID_PATH=/var/run

ARGUS_FLOW_STATUS_INTERVAL

       Argus will periodically report on a flow's activity every
       ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is new activity on
       the flow.  This is so that you can get a view into the activity of very
       long lived flows.  The default is 60 seconds, but this number may be
       too low or too high depending on your uses.

       The default value is 60 seconds, but argus does support a minimum value
       of 1.  This is very useful for doing measurements in a controlled
       experimental environment where the number of flows is < 1000.

       Commandline equivalent  -S

       ARGUS_FLOW_STATUS_INTERVAL=60

ARGUS_MAR_STATUS_INTERVAL

       Argus will periodically report on its own health, providing interface
       status, total packet and byte counts, packet drop rates, and flow
       oriented statistics.

       These records can be used as "keep alives" for periods when there is no
       network traffic to be monitored.

       The default value is 300 seconds, but a value of 60 seconds is very
       common.

       Commandline equivalent  -M

       ARGUS_MAR_STATUS_INTERVAL=300

ARGUS_DEBUG_LEVEL

       If compiled to support this option, Argus is capable of generating a
       lot of debug information.

       The default value is zero (0).

       Commandline equivalent  -D

       ARGUS_DEBUG_LEVEL=0

ARGUS_GENERATE_PACKET_SIZE

       Argus can be configured to generate packet size information on a per
       flow basis, which provides the max and min packet size seen.  The
       default value is to not generate this data.

       Commandline equivalent   -Z

       ARGUS_GENERATE_PACKET_SIZE=yes

ARGUS_GENERATE_JITTER_DATA

       Argus can be configured to generate packet jitter information on a per
       flow basis.  The default value is to not generate this data.

       Commandline equivalent  -J

       ARGUS_GENERATE_JITTER_DATA=no

ARGUS_GENERATE_MAC_DATA

       Argus can be configured to not provide MAC addresses in its audit data.
       This is available if MAC address tracking and audit is not a
       requirement.

       The default value is to not generate this data.

       Commandline equivalent  -m

       ARGUS_GENERATE_MAC_DATA=no

ARGUS_GENERATE_APPBYTE_METRIC

       Argus can be configured to generate metrics that include the
       application byte counts as well as the packet count and byte counters.

       Commandline equivalent  -A

       ARGUS_GENERATE_APPBYTE_METRIC=no

ARGUS_GENERATE_TCP_PERF_METRIC

       Argus, by default, generates extended metrics for TCP that include the
       connection setup time, window sizes, base sequence numbers, and
       retransmission counters.  You can suppress this detailed information
       using this variable.

       No commandline equivalent

       ARGUS_GENERATE_TCP_PERF_METRIC=yes

ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS

       Argus, by default, generates a single pair of timestamps, for the first
       and last packet seen on a given flow, during the observation period.
       For bi-directional flows, this results in loss of some information.  By
       setting this variable to 'yes', argus will store start and ending
       timestamps for both directions of the flow.

       No commandline equivalent

       ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=no

ARGUS_CAPTURE_DATA_LEN

       Argus can be configured to capture a number of user data bytes from the
       packet stream.

       The default value is to not generate this data.

       Commandline equivalent  -U

       ARGUS_CAPTURE_DATA_LEN=0

ARGUS_FILTER_OPTIMIZER

       Argus uses the packet filter capabilities of libpcap.  If there is a
       need to not use the libpcap filter optimizer, you can turn it off here.
       The default is to leave it on.

       Commandline equivalent  -O

       ARGUS_FILTER_OPTIMIZER=yes

ARGUS_FILTER

       You can provide a filter expression here, if you like.  It should be
       limited to 2K in length.  The default is to not filter.

       No Commandline equivalent

       ARGUS_FILTER=""

ARGUS_PACKET_CAPTURE_FILE

       Argus allows you to capture packets in tcpdump() format if the source
       of the packets is a tcpdump() formatted file or live packet source.

       Specify the path to the packet capture file here.

       ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"

ARGUS_SSF

       Argus supports the use of SASL to provide strong authentication and
       confidentiality protection.

       The policy that argus uses is controlled through the use of a minimum
       and maximum allowable protection strength, which is standard for SASL
       based applications.  Set these variables to control this policy.  The
       default is no security policy.

       ARGUS_MIN_SSF=0
       ARGUS_MAX_SSF=0

ARGUS_PCAP_BUF_SIZE

       Argus supports setting the pcap buffer size.  You can use the
       abbreviations K, M, G to specify thousands, millions or billions of
       bytes.

       ARGUS_PCAP_BUF_SIZE=1G

ARGUS_ENV

       Argus supports setting environment variables to enable functions
       required by the kernel or shared libraries.  This feature is intended
       to support libraries such as the net pf_ring support for libpcap as
       supported by code at http://public.lanl.gov/cpw/

       Setting environment variables in this way does not affect internal
       argus variables in any way.  As a result, you can't set ARGUS_PATH
       using this feature.

       Care must be taken to assure that the value given to the variable
       conforms to your system's putenv(3) system call.  You can have as many
       of these directives as you like.

       The example below is intended to set a libpcap ring buffer length to
       300MB, if your system supports this feature.

       ARGUS_ENV="PCAP_MEMORY=300000"

ARGUS_TUNNEL_DISCOVERY

       Argus can be configured to discover tunneling protocols above the UDP
       transport header, specifically Teredo (IPv6 over UDP).  The algorithm
       is simple, and so having this on by default may generate false tunnel
       matches.

       The default is to not turn this feature on.

       ARGUS_TUNNEL_DISCOVERY=no

ARGUS_EVENT_DATA

       Argus supports the generation of host originated processes to gather
       additional data and statistics.  These include periodic processes to
       poll for SNMP data, as an example, or to collect host statistics
       through reading procfs(), or single-run programs that run at a
       specified time.

       These argus events are generated from the complete list of
       ARGUS_EVENT_DATA directives that are specified here.

       The syntax is:
            "method:path|prog:interval[:postproc]"
                Where:  method = [ "file" | "prog" ]
                      pathname | program = "%s"
                      interval = %d[smhd] [ zero means run once ]
                      postproc = [ "compress" | "compress2" ]

       ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress"
       ARGUS_EVENT_DATA="prog:/usr/local/bin/ralsof:30s:compress"

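       The directive syntax above, as an added example (not argus code): a
       parser that checks the method and postproc names against the lists in
       the manual, converts the %d[smhd] interval to seconds (0 meaning run
       once), and collects every ARGUS_EVENT_DATA line of a configuration in
       order.  It assumes a bare interval number means seconds and, as its own
       policy rather than an argus rule, requires the path to be absolute; the
       configuration fragment it reads is constructed.

```python
"""Parse ARGUS_EVENT_DATA directives (added example, not argus code)."""
import re

METHODS = ("file", "prog")
POSTPROCS = ("compress", "compress2")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_INTERVAL = re.compile(r"^(\d+)([smhd]?)$")


def parse_interval(text):
    """'30s' -> 30, '5m' -> 300, '1d' -> 86400; a bare number is assumed to be seconds."""
    m = _INTERVAL.match(text)
    if m is None:
        raise ValueError(f"bad interval {text!r}, expected %d[smhd]")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_event_data(directive):
    """Return a dict for one "method:path|prog:interval[:postproc]" directive.

    The value is split from the right so that a ':' inside the path does not
    confuse the interval and postproc fields.
    """
    text = directive.strip().strip('"')
    method, sep, rest = text.partition(":")
    if not sep or method not in METHODS:
        raise ValueError(f"method must be one of {METHODS}: {directive!r}")
    head, _, last = rest.rpartition(":")
    if last in POSTPROCS:
        postproc, (path, _, interval) = last, head.rpartition(":")
    else:
        postproc, path, interval = None, head, last
    if not path.startswith("/"):
        # This example's own policy, not an argus rule: a program launched by
        # the capture daemon should be named by an absolute path rather than
        # found through $PATH; files are held to the same rule for consistency.
        raise ValueError(f"path must be absolute: {directive!r}")
    seconds = parse_interval(interval)
    return {"method": method, "path": path, "interval": seconds,
            "run_once": seconds == 0, "postproc": postproc}


def is_valid_event_data(directive):
    """True if `directive` parses under the rules above."""
    try:
        parse_event_data(directive)
    except ValueError:
        return False
    return True


def parse_event_directives(lines):
    """Collect all ARGUS_EVENT_DATA= lines of a configuration, in order."""
    events = []
    for line in lines:
        key, sep, value = line.strip().partition("=")
        if sep and key == "ARGUS_EVENT_DATA":
            events.append(parse_event_data(value))
    return events


# Constructed fragment: the manual's two examples plus a run-once program.
SAMPLE = [
    'ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress"',
    'ARGUS_EVENT_DATA="prog:/usr/local/bin/ralsof:30s:compress"',
    'ARGUS_EVENT_DATA="prog:/usr/local/bin/ralsof:0"',
]

if __name__ == "__main__":
    for event in parse_event_directives(SAMPLE):
        print(event)
```
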
ARGUS_KEYSTROKE

       This version of Argus supports keystroke detection and counting for TCP
       connections, with specific algorithmic support for SSH connections.

       The ARGUS_KEYSTROKE variable turns the feature on.  Values for this
       variable are:
             ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking
             ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking
             ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking
             ARGUS_KEYSTROKE="no"    [default]

       The algorithm uses a number of variables, all of which can be modified
       using the ARGUS_KEYSTROKE_CONF descriptor, which is a semicolon (';')
       separated set of variable assignments.  Here is the list of supported
       variables:
         DC_MIN  -   (int) Minimum client datagram payload size in bytes
         DC_MAX  -   (int) Maximum client datagram payload size in bytes
         GS_MAX  -   (int) Maximum server packet gap
         DS_MIN  -   (int) Minimum server datagram payload size in bytes
         DS_MAX  -   (int) Maximum server datagram payload size in bytes
         IC_MIN  -   (int) Minimum client interpacket arrival time (microseconds)
         LCS_MAX -   (int) Maximum something - Not sure what this is
         GPC_MAX -   (int) Maximum client packet gap
         ICR_MIN - (float) Minimum client/server interpacket arrival ratio
         ICR_MAX - (float) Maximum client/server interpacket arrival ratio

       All variables have default values; this variable is used to override
       those values.  The syntax for the variable is:
            ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20"

       ARGUS_KEYSTROKE="no"
       ARGUS_KEYSTROKE_CONF=""

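       The two variables above, as an added example (not argus code): a
       parser that maps ARGUS_KEYSTROKE to the tracking it enables and reads
       the semicolon-separated ARGUS_KEYSTROKE_CONF assignments against the
       table of variable names and types given in the manual.  The manual does
       not list the default values, so the parser returns only the overrides
       present; the check that a min/max pair given together is ordered is
       this example's own sanity check.

```python
"""Parse ARGUS_KEYSTROKE and ARGUS_KEYSTROKE_CONF (added example, not argus code)."""

# Variable -> type, from the list in the manual.  Defaults are not given
# there, so only the overrides present in the string are returned.
KEYSTROKE_VARS = {
    "DC_MIN": int, "DC_MAX": int, "GS_MAX": int, "DS_MIN": int, "DS_MAX": int,
    "IC_MIN": int, "LCS_MAX": int, "GPC_MAX": int,
    "ICR_MIN": float, "ICR_MAX": float,
}
# ARGUS_KEYSTROKE value -> kind of tracking it enables ("yes" equals "tcp").
KEYSTROKE_MODES = {"yes": "tcp", "tcp": "tcp", "ssh": "ssh", "no": None}
# Pairs that must be ordered when both are given (this example's own check).
RANGE_PAIRS = (("DC_MIN", "DC_MAX"), ("DS_MIN", "DS_MAX"), ("ICR_MIN", "ICR_MAX"))


def keystroke_mode(value):
    """Map an ARGUS_KEYSTROKE value to "tcp", "ssh" or None (off)."""
    key = value.strip().strip('"').lower()
    if key not in KEYSTROKE_MODES:
        raise ValueError(f"ARGUS_KEYSTROKE must be yes, tcp, ssh or no: {value!r}")
    return KEYSTROKE_MODES[key]


def parse_keystroke_conf(value):
    """Parse 'DC_MIN=20;DS_MIN=20' into {name: typed value}.

    Unknown names and values of the wrong type are rejected.
    """
    conf = {}
    for item in value.strip().strip('"').split(";"):
        item = item.strip()
        if not item:
            continue                              # tolerate a trailing ';'
        name, sep, raw = item.partition("=")
        name = name.strip()
        if not sep or name not in KEYSTROKE_VARS:
            raise ValueError(f"unknown keystroke variable in {item!r}")
        kind = KEYSTROKE_VARS[name]
        try:
            conf[name] = kind(raw.strip())        # int("20.5") is rejected here
        except ValueError:
            raise ValueError(f"{name} expects {kind.__name__}: {raw!r}") from None
    for lo, hi in RANGE_PAIRS:
        if lo in conf and hi in conf and conf[lo] > conf[hi]:
            raise ValueError(f"{lo}={conf[lo]} exceeds {hi}={conf[hi]}")
    return conf


def is_valid_keystroke_conf(value):
    """True if `value` parses under the rules above."""
    try:
        parse_keystroke_conf(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(keystroke_mode('"ssh"'), parse_keystroke_conf('"DC_MIN=20;DS_MIN=20"'))
```
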
SEE ALSO

       argus(8)


argus.conf 3.0.8               07 November 2000                  ARGUS.CONF(5)