ARGUS.CONF(5)                 File Formats Manual                ARGUS.CONF(5)

NAME
argus.conf - argus resource file.

SYNOPSIS
argus.conf

COPYRIGHT
Copyright (c) 2000-2015 QoSient, LLC   All rights reserved.

DESCRIPTION
This is the canonical argus configuration file. All options that argus
supports can be turned on or modified using this configuration format.
Argus will search for a system /etc/argus.conf file and, if found, open
it and use it to seed all configuration options. Previous versions of
Argus supported searching for argus.conf in $ARGUSPATH, $ARGUSHOME,
$ARGUSHOME/lib, $HOME, and $HOME/lib, but this support is deprecated.
All values in this file can be overridden by command line options, or by
other configuration files of this format when they are specified using
the -F option.

Argus will read any number of configuration files given with the -F
option, and command-line order is very important: files and options are
read in the order they appear, and a variable that is set more than once
takes the value read last.

Variable assignments must be of the form:
VARIABLE=value
with no white space between the VARIABLE and the '=' sign. Quotes are
optional for string arguments, but they are required if a comment is to
be embedded on the same line as the value.

ARGUS_FLOW_TYPE, ARGUS_FLOW_KEY
Argus can be configured to support a large number of flow types. Argus
can provide either uni-directional or bi-directional flow tracking, and
the flow can be further defined by specifying the key. Argus supports a
set of well-known key strategies, such as 'CLASSIC_5_TUPLE',
'LAYER_3_MATRIX' and 'LAYER_2_MATRIX', and key strategies can also be
formulated from a list of the specific objects that Argus understands.
See the argus(8) man page for a complete description.

The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.

There is no command-line equivalent.

ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"


ARGUS_DAEMON
Argus is capable of running as a daemon, doing all the right things that
daemons do. When this configuration is used for the system daemon
process, say in /etc/argus.conf, this variable should be set to "yes".

In the examples seen in the ./support/Startup/argus scripts, this value
is set to "yes", as that system startup strategy requires the program to
daemonize itself, returning a value to the system, hopefully quickly.
Some systems, however, want to daemonize the tasks themselves, and in
those cases the value must be set to "no".

which requires that this variable be set to "yes".

The default value is to not run as a daemon.

Command-line equivalent -d

ARGUS_DAEMON=no


ARGUS_MONITOR_ID
Argus monitor data is uniquely identifiable based on the source
identifier that is included in each output record. This allows you to
work with Argus data from multiple monitors at the same time. The ID is
32 bits long, and argus supports a number of formats as legitimate
values: unsigned ints, IPv4 addresses and 4-byte strings.

The formats are discerned from the values provided. Double-quoted values
are treated as strings, and are truncated to 4 characters. Non-quoted
values are tested for whether they are hostnames, and if not, they are
then tested for whether they are numbers.

The configuration allows you to use host names; however, do have some
understanding of how `hostname` will be resolved by the nameserver before
committing to this strategy completely. Because the ID is only 32 bits,
two probes whose names resolve to the same address, or whose quoted
strings share the same first four characters, will produce records that
cannot be told apart.

For convenience, argus supports the notion of "`hostname`" for assigning
the probe's id. This is to support management of large deployments, so
you can have one argus.conf file that works for a lot of probes.

For security, argus does not rely on system programs, like hostname(1).
It implements the logic of hostname itself, so don't try to run
arbitrary programs using this method, because it won't work.

Command-line equivalent -e

ARGUS_MONITOR_ID=`hostname`        // IPv4 address returned
ARGUS_MONITOR_ID=10.2.45.3         // IPv4 address
ARGUS_MONITOR_ID=2435              // Number
ARGUS_MONITOR_ID="en0"             // String
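The two rules above (the NAME=value assignment syntax, and how an ARGUS_MONITOR_ID value is classified) as working Python, added here as an example; this is not argus's own parser. The '#' comment convention and the sample configuration are assumptions made for the example, and a bare host name is reported for the caller to resolve rather than looked up, so the code runs offline.

```python
import ipaddress
import socket

# Constructed sample argus.conf fragment used by the functions below.
SAMPLE_CONF = """\
# system-wide probe configuration (constructed sample)
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID="en0"
ARGUS_ACCESS_PORT=561          # quotes are not needed for bare tokens
ARGUS_OUTPUT_FILE="/var/log/argus/argus.out"
ARGUS_DAEMON=no
"""


def parse_argus_conf(text):
    """Read NAME=value lines into a list of (name, value) pairs plus a list
    of syntax errors. Rules follow the man page: no white space before
    '=', quoted values keep their quotes (callers need that to tell a
    string ID from a bare token), and a trailing '#' comment is only
    allowed outside quotes (assumption: '#' starts a comment, as in the
    shipped argus.conf). Duplicates are kept in file order so the caller
    can apply last-wins semantics."""
    pairs, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        bad_name = not name or name != name.rstrip() or not name.replace("_", "").isalnum()
        if not sep or bad_name:
            errors.append(f"line {lineno}: expected NAME=value with no space before '='")
            continue
        value = value.lstrip()
        if value.startswith('"'):
            end = value.find('"', 1)
            if end < 0:
                errors.append(f"line {lineno}: unterminated quoted value")
                continue
            value = value[: end + 1]
        else:
            value = value.split("#", 1)[0].strip()
        pairs.append((name, value))
    return pairs, errors


def effective_settings(pairs):
    """Collapse duplicate assignments: the value read last wins."""
    return dict(pairs)


def classify_monitor_id(value):
    """Return (kind, canonical) for an ARGUS_MONITOR_ID value.

    kind is 'string', 'ipv4', 'number', 'hostname' or 'invalid'. Quoted
    values are strings truncated to 4 bytes; `hostname` is the local host
    name as argus computes it internally (no program is executed); other
    bare values are an IPv4 literal, a 32-bit unsigned number, or a host
    name that still has to be resolved by the caller."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return ("string", v[1:-1].encode()[:4].decode(errors="ignore"))
    if v == "`hostname`":
        return ("hostname", socket.gethostname())
    try:
        return ("ipv4", str(ipaddress.IPv4Address(v)))
    except ValueError:
        pass
    if v.isdigit():
        n = int(v)
        return ("number", n) if n <= 0xFFFFFFFF else ("invalid", v)
    return ("hostname", v)


def monitor_id_collisions(values):
    """Group ARGUS_MONITOR_ID values that would produce the same 32-bit ID,
    e.g. "eth0" and "eth0:1" both truncate to the string eth0."""
    seen = {}
    for v in values:
        seen.setdefault(classify_monitor_id(v), []).append(v)
    return {k: vs for k, vs in seen.items() if len(vs) > 1}
```

Run monitor_id_collisions over the IDs of every probe that shares a configuration before rolling it out; a silent collision only shows up later as two sensors' records merging in the archive.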


ARGUS_ACCESS_PORT
Argus monitors can provide a real-time remote access port for collecting
Argus data. This is a TCP based port service and the default port number
is tcp/561, the "experimental monitor" service. This feature is disabled
by default, and can be forced off by setting it to zero (0).

When you do want to enable this service, 561 is a good choice, as all
ra* clients are configured to try this port by default. Anything that
can reach the port can read the flow stream, so pair it with
ARGUS_BIND_IP and a SASL policy (ARGUS_MIN_SSF) when the host is not on
a trusted network.

Command-line equivalent -P

ARGUS_ACCESS_PORT=561


ARGUS_BIND_IP
When remote access is enabled (see above), you can specify that Argus
should bind only to a specific IP address. This is useful, for example,
for restricting access to the local host, or for binding to a private
interface while capturing from another.

You can provide multiple addresses, separated by commas, or on multiple
lines.

The default is to bind to any IP address.

Command-line equivalent -B

ARGUS_BIND_IP="::1,127.0.0.1"
ARGUS_BIND_IP="127.0.0.1"
ARGUS_BIND_IP="192.168.0.68"


ARGUS_INTERFACE
By default, Argus will open the first appropriate interface on a system
that it encounters. For systems that have only one network interface,
this is a reasonable thing to do. But when there is more than one
suitable interface, you should specify the interface(s) Argus should
use, either on the command line or in this file.

Argus can track packets from any or all interfaces, concurrently. The
interfaces can be tracked as:
1. independent - argus tracks flows from each interface independently
   of the packets seen on any other interface. This is useful for
   hosts/routers that have full-duplex interfaces, where you want to
   distinguish flows based on their interface. There is an option to
   specify a distinct srcid for each independent modeler.

2. duplex - argus tracks packets from 2 interfaces as if they were two
   half-duplex streams of the same link. Because there is a single
   modeler tracking the 2 interfaces, there is a single srcid that can
   be passed as an option.

3. bonded - argus tracks packets from multiple interfaces as if they
   were from the same stream. Because there is a single modeler
   tracking the interfaces, there is a single srcid that can be passed
   as an option.

Interfaces can be specified as groups using '[',']' notation, to build
flexible definitions of packet sources. However, each interface should
be referenced only once (this is due to performance and OS limitations,
so if your OS has no problem with this, go ahead).

The lo (loopback) interface will be included only if it is specifically
indicated in the option.

The syntax for specifying this either on the command line or in this
file:
-i ind:all
-i dup:en0,en1/srcid
-i bond:en0,en1/srcid
-i dup:[bond:en0,en1],en2/srcid
-i en0/srcid -i en1/srcid    (equivalent to '-i ind:en0/srcid,en1/srcid')
-i en0 en1                   (equivalent to '-i bond:en0,en1')

In all cases, if there is a "-e srcid" provided, this is used as the
default. If a srcid is specified using this option, it overrides the
default.

Srcids are specified using the notation used for ARGUS_MONITOR_ID, as
above.

Command-line equivalent -i

ARGUS_INTERFACE=any
ARGUS_INTERFACE=ind:all
ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1
ARGUS_INTERFACE=ind:en0/"en0",en2/19234
ARGUS_INTERFACE=en0
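An added example, not part of argus, that parses the -i / ARGUS_INTERFACE syntax above into the flow modelers it describes and applies the srcid precedence rule (the -e default is used wherever the option gives none). One reading is assumed where the page is silent: in dup and bond mode a trailing /srcid names the single modeler, while in ind mode each interface carries its own. The interface names in the test are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class Iface:
    name: str                      # interface name, or the keywords all/any
    srcid: Optional[str] = None    # per-interface srcid (independent mode)


@dataclass
class Group:
    mode: str                      # 'ind', 'dup' or 'bond'
    members: List[Union[Iface, "Group"]] = field(default_factory=list)
    srcid: Optional[str] = None    # srcid of the single modeler (dup/bond)


def _split_top_level(text):
    """Split on ',' but not inside [ ... ] groups."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if depth < 0:
            raise ValueError(f"unexpected ']' in {text!r}")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError(f"unclosed '[' in {text!r}")
    parts.append("".join(cur))
    return parts


def parse_interface_spec(spec, default_mode="ind"):
    """Parse one -i / ARGUS_INTERFACE value such as
    'dup:[bond:en0,en1],en2/srcid' into a Group tree."""
    spec = spec.strip()
    mode = default_mode
    for m in ("ind", "dup", "bond"):
        if spec.startswith(m + ":"):
            mode, spec = m, spec[len(m) + 1:]
            break
    group = Group(mode)
    for item in _split_top_level(spec):
        item = item.strip()
        if not item:
            raise ValueError("empty interface element")
        if item.startswith("["):               # bracketed sub-group
            close = item.rindex("]")
            sub = parse_interface_spec(item[1:close])
            tail = item[close + 1:]
            if tail.startswith("/"):
                sub.srcid = tail[1:]
            elif tail:
                raise ValueError(f"unexpected text after ']': {tail!r}")
            group.members.append(sub)
        else:
            name, _, srcid = item.partition("/")
            group.members.append(Iface(name, srcid or None))
    last = group.members[-1]
    # assumption: in dup/bond a trailing /srcid names the whole modeler
    if mode in ("dup", "bond") and isinstance(last, Iface) and last.srcid:
        group.srcid, last.srcid = last.srcid, None
    return group


def parse_interface_options(values):
    """Combine several -i values: names separated by white space inside one
    option are bonded; separate options are tracked independently."""
    groups = []
    for v in values:
        parts = v.split()
        spec = "bond:" + ",".join(parts) if len(parts) > 1 else v
        groups.append(parse_interface_spec(spec))
    return groups[0] if len(groups) == 1 else Group("ind", groups)


def leaf_names(node):
    if isinstance(node, Iface):
        return [node.name]
    return [n for m in node.members for n in leaf_names(m)]


def duplicate_interfaces(node):
    """Interfaces referenced more than once, which the man page warns against."""
    names = leaf_names(node)
    return sorted({n for n in names if names.count(n) > 1})


def modelers(node, default_srcid):
    """Flatten the tree into (mode, interfaces, srcid) per flow modeler,
    applying the -e default wherever the option supplied no srcid."""
    if isinstance(node, Iface):
        return [("ind", [node.name], node.srcid or default_srcid)]
    if node.mode == "ind":
        out = []
        for m in node.members:
            out += modelers(m, node.srcid or default_srcid)
        return out
    return [(node.mode, leaf_names(node), node.srcid or default_srcid)]
```

modelers() is the useful output: it shows exactly how many modelers a spec creates and which srcid each record will carry, which is what you need to verify before deploying a shared argus.conf with several interfaces.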


ARGUS_GO_PROMISCUOUS
By default, Argus will put its interface in promiscuous mode in order
to monitor all the traffic that can be collected. This can put an undue
load on systems.

If the intent is to monitor only the network activity of the specific
system, say to measure the performance of an HTTP service or DNS
service, you'll want to turn promiscuous mode off.

The default is to go into promiscuous mode.

Command-line equivalent -p

ARGUS_GO_PROMISCUOUS=yes


ARGUS_CHROOT_DIR
Argus supports chroot(2) in order to control the file system that argus
exists in and can access. Generally used when argus is running with
privileges, this limits the negative impacts that argus could inflict
on its host machine.

This option will cause the output file names to be relative to this
directory, so consider this when trying to find your output files.

Command-line equivalent -c dir

ARGUS_CHROOT_DIR=/chroot_dir


ARGUS_SETUSER_ID
Argus can be directed to change its user id using the setuid() system
call. This can be used when argus is started as root in order to access
privileged resources: after the resources are opened, this directive
will cause argus to change its user id to a 'lesser' capable account.
Recommended when argus is running as a daemon.

Command-line equivalent -u user

ARGUS_SETUSER_ID=user


ARGUS_SETGROUP_ID
Argus can be directed to change its group id using the setgid() system
call. This can be used when argus is started as root in order to access
privileged resources: after the resources are opened, this directive
will cause argus to change its group id to a 'lesser' capable account.
Recommended when argus is running as a daemon.

Command-line equivalent -g group

ARGUS_SETGROUP_ID=group


ARGUS_OUTPUT_FILE
Argus can write its output to one or a number of files; the default
limit is 5 concurrent files, each with its own independent filter.

The format is:
ARGUS_OUTPUT_FILE=/full/path/file/name
ARGUS_OUTPUT_FILE=/full/path/file/name "filter"

Most sites will have argus write to a file, for reliability and
performance. The example file name is used here because supporting
programs, such as ./support/Archive/argusarchive, are configured to use
this file.

Command-line equivalent -w

ARGUS_OUTPUT_FILE=/var/log/argus/argus.out


ARGUS_OUTPUT_STREAM
Argus can write its output to one or a number of remote hosts. The
default limit is 5 concurrent output streams, each with its own
independent filter.

The format is:
ARGUS_OUTPUT_STREAM="URI [filter]"
ARGUS_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'"

Most sites will have argus listen() for remote sites to request argus
data, but for some sites and applications sending records without
registration is desired. This option will cause argus to transmit
records that match the optional filter to the configured targets using
UDP as the transport mechanism. UDP provides neither delivery guarantees
nor authentication of the receiver, so records sent this way can be
lost, and can be read by anything on the path or, for a multicast
target, by anything that joins the group.

Command-line equivalent -w argus-udp://host:port

ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561


ARGUS_SET_PID, ARGUS_PID_PATH
When Argus is configured to run as a daemon, with the -d option, Argus
can store its pid in a file, to aid in managing the running daemon.
However, creating a system pid file requires privileges that may not be
appropriate for all cases.

When configured to generate a pid file, if Argus cannot create the pid
file, it will fail to run. This variable, and the directory the pid is
written to, are available to override the default, in case this gets in
your way.

The default is to generate a pid file. The default path for the pid
file is '/var/run'.

No command-line equivalent

ARGUS_SET_PID=yes
ARGUS_PID_PATH=/var/run


ARGUS_FLOW_STATUS_INTERVAL
Argus will periodically report on a flow's activity every
ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is new activity on
the flow. This is so that you can get a view into the activity of very
long-lived flows.

The default value is 60 seconds, but this number may be too low or too
high depending on your uses. Argus does support a minimum value of 1,
which is very useful for doing measurements in a controlled
experimental environment where the number of flows is < 1000.

Command-line equivalent -S

ARGUS_FLOW_STATUS_INTERVAL=60


ARGUS_MAR_STATUS_INTERVAL
Argus will periodically report on its own health, providing interface
status, total packet and byte counts, packet drop rates, and flow
oriented statistics.

These records can be used as "keep alives" for periods when there is no
network traffic to be monitored.

The default value is 300 seconds, but a value of 60 seconds is very
common.

Command-line equivalent -M

ARGUS_MAR_STATUS_INTERVAL=300


ARGUS_DEBUG_LEVEL
If compiled to support this option, Argus is capable of generating a
lot of debug information.

The default value is zero (0).

Command-line equivalent -D

ARGUS_DEBUG_LEVEL=0


ARGUS_GENERATE_PACKET_SIZE
Argus can be configured to generate packet size information on a per
flow basis, which provides the max and min packet size seen. The
default value is to not generate this data.

Command-line equivalent -Z

ARGUS_GENERATE_PACKET_SIZE=yes


ARGUS_GENERATE_JITTER_DATA
Argus can be configured to generate packet jitter information on a per
flow basis. The default value is to not generate this data.

Command-line equivalent -J

ARGUS_GENERATE_JITTER_DATA=no


ARGUS_GENERATE_MAC_DATA
Argus can be configured to not provide MAC addresses in its audit data.
This is available if MAC address tracking and audit is not a
requirement.

The default value is to not generate this data.

Command-line equivalent -m

ARGUS_GENERATE_MAC_DATA=no


ARGUS_GENERATE_APPBYTE_METRIC
Argus can be configured to generate metrics that include the
application byte counts as well as the packet count and byte counters.

Command-line equivalent -A

ARGUS_GENERATE_APPBYTE_METRIC=no


ARGUS_GENERATE_TCP_PERF_METRIC
Argus, by default, generates extended metrics for TCP that include the
connection setup time, window sizes, base sequence numbers, and
retransmission counters. You can suppress this detailed information
using this variable.

No command-line equivalent

ARGUS_GENERATE_TCP_PERF_METRIC=yes


ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS
Argus, by default, generates a single pair of timestamps, for the first
and last packet seen on a given flow during the observation period. For
bi-directional flows, this results in the loss of some information. By
setting this variable to 'yes', argus will store start and end
timestamps for both directions of the flow.

No command-line equivalent

ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=no


ARGUS_CAPTURE_DATA_LEN
Argus can be configured to capture a number of user data bytes from the
packet stream. Captured bytes are carried in the output records, so
anything in the payload (credentials, session tokens, personal data)
ends up wherever those records are written or streamed; protect the
output files and streams accordingly.

The default value is to not generate this data.

Command-line equivalent -U

ARGUS_CAPTURE_DATA_LEN=0


ARGUS_FILTER_OPTIMIZER
Argus uses the packet filter capabilities of libpcap. If there is a
need to not use the libpcap filter optimizer, you can turn it off here.
The default is to leave it on.

Command-line equivalent -O

ARGUS_FILTER_OPTIMIZER=yes


ARGUS_FILTER
You can provide a filter expression here, if you like. It should be
limited to 2K in length. The default is to not filter.

No command-line equivalent

ARGUS_FILTER=""


ARGUS_PACKET_CAPTURE_FILE
Argus allows you to capture packets in tcpdump format if the source of
the packets is a tcpdump formatted file or a live packet source.

Specify the path to the packet capture file here.

ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"


ARGUS_MIN_SSF, ARGUS_MAX_SSF
Argus supports the use of SASL to provide strong authentication and
confidentiality protection.

The policy that argus uses is controlled through the use of a minimum
and maximum allowable protection strength (security strength factor,
SSF), which is standard for SASL based applications. Set these
variables to control this policy. The default is no security policy:
with ARGUS_MIN_SSF=0, a client that negotiates no protection at all is
accepted, whereas a nonzero minimum rejects connections that cannot
negotiate at least that strength.

ARGUS_MIN_SSF=0
ARGUS_MAX_SSF=0


ARGUS_PCAP_BUF_SIZE
Argus supports setting the pcap buffer size. You can use the
abbreviations K, M, G to specify thousands, millions or billions of
bytes.

ARGUS_PCAP_BUF_SIZE=1G


ARGUS_ENV
Argus supports setting environment variables to enable functions
required by the kernel or shared libraries. This feature is intended to
support libraries such as the pf_ring support for libpcap as supported
by code at http://public.lanl.gov/cpw/

Setting environment variables in this way does not affect internal
argus variables in any way. As a result, you can't set ARGUS_PATH using
this feature.

Care must be taken to ensure that the value given to the variable
conforms to your system's putenv(3) call. You can have as many of these
directives as you like.

The example below is intended to set a libpcap ring buffer length to
300MB, if your system supports this feature.

ARGUS_ENV="PCAP_MEMORY=300000"


ARGUS_TUNNEL_DISCOVERY
Argus can be configured to discover tunneling protocols above the UDP
transport header, specifically Teredo (IPv6 over UDP). The algorithm is
simple, so having this on by default may generate false tunnel matches.

The default is to not turn this feature on.

ARGUS_TUNNEL_DISCOVERY=no


ARGUS_EVENT_DATA
Argus supports the generation of host originated processes to gather
additional data and statistics. These include periodic processes to
poll for SNMP data, as an example, or to collect host statistics
through reading procfs, or single-run programs that run at a specified
time.

These argus events are generated from the complete list of
ARGUS_EVENT_DATA directives that are specified here.

The syntax is: "method:path|prog:interval[:postproc]"
Where: method = [ "file" | "prog" ]
       pathname | program = "%s"
       interval = %d[smhd] [ zero means run once ]
       postproc = [ "compress" | "compress2" ]

A "prog" event runs the named program with whatever user and group id
argus has at that point (see ARGUS_SETUSER_ID and ARGUS_SETGROUP_ID),
so give an absolute path and make sure neither the program nor its
directory is writable by untrusted users.

ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress"
ARGUS_EVENT_DATA="prog:/usr/local/bin/ralsof:30s:compress"
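The ARGUS_EVENT_DATA syntax above as an added Python parser (not argus's implementation), covering the interval units and the zero-means-run-once rule, with a helper that lays the resulting run times out on a timeline. The directive values used in the test are constructed; a postproc name outside the two the page lists is rejected rather than guessed at.

```python
import re
from dataclasses import dataclass
from typing import Optional

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
_POSTPROC = {"compress", "compress2"}


@dataclass
class EventSpec:
    method: str              # "file" (read a path) or "prog" (run a program)
    target: str              # the path or program
    interval: int            # seconds between runs; 0 means run once
    postproc: Optional[str]  # "compress", "compress2" or None


def parse_event_data(value):
    """Parse one ARGUS_EVENT_DATA value, "method:path|prog:interval[:postproc]"."""
    spec = value.strip()
    if len(spec) >= 2 and spec[0] == spec[-1] == '"':
        spec = spec[1:-1]
    method, sep, rest = spec.partition(":")
    if not sep or method not in ("file", "prog"):
        raise ValueError(f"method must be file or prog: {value!r}")
    fields = rest.split(":")
    # an optional trailing postproc is only recognised by name; anything
    # else in that position falls through and fails the interval check
    postproc = fields.pop() if len(fields) > 2 and fields[-1] in _POSTPROC else None
    if len(fields) < 2:
        raise ValueError(f"missing interval: {value!r}")
    interval_text = fields.pop()
    target = ":".join(fields)          # tolerate ':' inside the target itself
    m = re.fullmatch(r"(\d+)([smhd]?)", interval_text)
    if not target or not m:
        raise ValueError(f"bad target or interval: {value!r}")
    return EventSpec(method, target, int(m.group(1)) * _UNITS[m.group(2)], postproc)


def schedule(specs, horizon):
    """(seconds from start, target) for every firing up to and including
    horizon; a zero interval fires exactly once, at start."""
    runs = []
    for e in specs:
        times = [0] if e.interval == 0 else range(0, horizon + 1, e.interval)
        runs += [(t, e.target) for t in times]
    return sorted(runs, key=lambda r: r[0])
```

schedule() is a quick way to see how much event load a set of directives puts on a sensor (and how many child processes a "prog" entry will spawn per hour) before enabling them.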


ARGUS_KEYSTROKE, ARGUS_KEYSTROKE_CONF
This version of Argus supports keystroke detection and counting for TCP
connections, with specific algorithmic support for SSH connections.

The ARGUS_KEYSTROKE variable turns the feature on. Values for this
variable are:
ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking
ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking
ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking
ARGUS_KEYSTROKE="no"  [default]

The algorithm uses a number of variables, all of which can be modified
using the ARGUS_KEYSTROKE_CONF descriptor, which is a semicolon (';')
separated set of variable assignments. Here is the list of supported
variables:
DC_MIN  - (int) Minimum client datagram payload size in bytes
DC_MAX  - (int) Maximum client datagram payload size in bytes
GS_MAX  - (int) Maximum server packet gap
DS_MIN  - (int) Minimum server datagram payload size in bytes
DS_MAX  - (int) Maximum server datagram payload size in bytes
IC_MIN  - (int) Minimum client interpacket arrival time (microseconds)
LCS_MAX - (int) Maximum something - Not sure what this is
GPC_MAX - (int) Maximum client packet gap
ICR_MIN - (float) Minimum client/server interpacket arrival ratio
ICR_MAX - (float) Maximum client/server interpacket arrival ratio

All variables have default values; this variable is used to override
those values. The syntax for the variable is:
ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20"

ARGUS_KEYSTROKE="no"
ARGUS_KEYSTROKE_CONF=""
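Added example, not part of argus: typed parsing of ARGUS_KEYSTROKE and ARGUS_KEYSTROKE_CONF from the variable list above, with a check for MIN/MAX pairs that can never match a packet. Argus's default values for these variables are not given on this page and are not assumed here; the override strings in the test are constructed.

```python
# Variable names and types taken from the man page's list.
KEYSTROKE_VARS = {
    "DC_MIN": int, "DC_MAX": int, "GS_MAX": int, "DS_MIN": int, "DS_MAX": int,
    "IC_MIN": int, "LCS_MAX": int, "GPC_MAX": int, "ICR_MIN": float, "ICR_MAX": float,
}
# "yes" and "tcp" both select generic TCP tracking; "no" turns the feature off.
KEYSTROKE_MODES = {"yes": "tcp", "tcp": "tcp", "ssh": "ssh", "no": None}


def _unquote(value):
    v = value.strip()
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def keystroke_mode(value):
    """Map an ARGUS_KEYSTROKE value to the tracking mode it selects (None = off)."""
    v = _unquote(value).lower()
    if v not in KEYSTROKE_MODES:
        raise ValueError(f"ARGUS_KEYSTROKE must be yes, tcp, ssh or no, not {value!r}")
    return KEYSTROKE_MODES[v]


def parse_keystroke_conf(value):
    """Parse 'NAME=value;NAME=value' into typed overrides. Unknown names and
    values of the wrong type are rejected rather than silently dropped, so a
    typo in the descriptor cannot leave the default in force unnoticed."""
    overrides = {}
    for item in _unquote(value).split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, raw = item.partition("=")
        name = name.strip()
        if not sep or name not in KEYSTROKE_VARS:
            raise ValueError(f"unknown keystroke variable: {item!r}")
        overrides[name] = KEYSTROKE_VARS[name](raw.strip())
    return overrides


def keystroke_conf_problems(overrides):
    """Flag MIN/MAX pairs whose minimum exceeds the maximum: such a window
    excludes every packet, so keystroke detection silently never fires."""
    pairs = (("DC_MIN", "DC_MAX"), ("DS_MIN", "DS_MAX"), ("ICR_MIN", "ICR_MAX"))
    return [f"{lo}={overrides[lo]} exceeds {hi}={overrides[hi]}"
            for lo, hi in pairs
            if lo in overrides and hi in overrides and overrides[lo] > overrides[hi]]
```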


SEE ALSO
argus(8)



argus.conf 3.0.8                07 November 2000                  ARGUS.CONF(5)