ARGUS(8)                   System Manager's Manual                   ARGUS(8)

NAME
       argus - audit record generation and utilization system

SYNOPSIS
       argus [ options ] [ filter expression ]

COPYRIGHT
       Copyright (c) 2000-2004 QoSient, LLC  All rights reserved.

DESCRIPTION
       Argus is an IP transaction auditing tool that categorizes IP packets
       which match the boolean expression into a protocol-specific network
       transaction model.  Argus reports on the transactions that it
       discovers, as they occur.

       Designed to run as a daemon, argus generally reads packets directly
       from a network interface, and writes the transaction status
       information to a log file or open socket connected to an argus client
       (such as ra(1)).  Argus can also read packet information from
       tcpdump(1), snoop(1) or NLANR's Moat Time Sequence Header raw packet
       files.  Argus can also be configured to write its transaction logs to
       stdout.

       Argus provides access control for its socket connection facility
       using tcp_wrapper technology.  Please refer to the tcp_wrapper
       distribution for a complete description.

OPTIONS
       -b     Dump the compiled packet-matching code to stdout and stop.
              This is used to debug filter expressions.

       -B     Only bind to the specified IP address (remote access must be
              enabled by a non-zero port).

       -c     Generate system pid file.  This will cause argus to create a
              pid file that can be used to control the number of argi
              running on a system.  The default pid file directory is
              /var/run, and $ARGUSHOME when the OS does not support
              /var/run.

       -d     Run argus as a daemon.  This will cause argus to do the things
              that Unix daemons do and return, if there were no errors, with
              argus running as a detached process.

       -D <level>
              Print debug messages to stderr.  The higher the <level>, the
              more information is printed.  Acceptable levels are 1-8.

       -e <value>
              Specify the source identifier for this argus.  Acceptable
              values are numbers, hostnames or IP addresses.

       -h     Print an explanation of all the arguments.

       -F     Use conffile as a source of configuration information.
              Options set in this file override any other specification,
              and so this is the last word on option values.

       -I <number>
              Specify the <number> of instances that are concurrently
              allowed.  The default is 1.  This impacts the pid file
              strategy for argus.

       -i <interface>
              Specify the physical network <interface> to be audited.  The
              default is the first network interface that is up and running.

       -J     Generate packet performance data in each audit record.

       -M <secs>
              Specify the interval in <secs> of argus status records.  These
              records are used to report the internal status of argus
              itself.  The default is 300 seconds.

       -m     Don't provide MAC address information in argus records.

       -n <directory>
              Specify the pid file directory.  This overrides the default
              directory location, which is /var/run, or $ARGUSHOME if
              /var/run is not available.  This switch implies the -c switch.

       -O     Turn off the Berkeley Packet Filter optimizer.  There is no
              reason to do this unless you think the optimizer generates
              bad code.

       -p     Do not set the physical network interface in promiscuous mode.
              If the interface is already in promiscuous mode, this option
              may have no effect.  Do this to audit only the traffic coming
              to and from the system argus is running on.

       -P <portnum>
              Specifies the <portnum> for remote client connection.  The
              default is to not support remote access.  Setting the value
              to zero (0) will forcibly turn off the facility.

       -r     Read from tcpdump(1), snoop(1) or NLANR's Moat Time Sequence
              Header (tsh) packet capture files.  If the packet capture
              file is a tsh format file, then the -t option must also be
              used.  Argus will read from only one input packet file at a
              time.  If the -r option is specified, argus will not put down
              a listen(2) to support remote access.

       -R     Generate argus records such that response times can be derived
              from transaction data.

       -S <secs>
              Specify the status reporting interval in <secs> for all
              traffic flows.

       -t     Indicate that the expected packet capture input file is an
              NLANR Moat Time Sequence Header (tsh) packet capture file.

       -U     Specify the number of user bytes to capture.

       -w <file> ["filter"]
              Write transaction status records to output-file.  An
              output-file of '-' directs argus to write the resulting
              argus-file output to stdout.

       -X     Clear existing argus configuration.  This removes any
              initialization done prior to encountering this flag.  Allows
              you to eliminate the effects of the /etc/argus.conf file, or
              any argus.conf files that may have been loaded.

       expression
              This tcpdump(1) expression specifies which transactions will
              be selected.  If no expression is given, all transactions are
              selected.  Otherwise, only transactions for which expression
              is `true' will be dumped.  For a complete expression format
              description, please refer to the tcpdump(1) man page.

SIGNALS
       Argus catches a number of signal(3) events.  The three signals
       SIGHUP, SIGINT, and SIGTERM cause argus to exit, writing TIMEDOUT
       status records for all currently active transactions.  The signal
       SIGUSR1 will turn on debug reporting, and subsequent SIGUSR1 signals
       will increment the debug level.  The signal SIGUSR2 will cause argus
       to turn off all debug reporting.

ENVIRONMENT
       $ARGUSHOME - Argus root directory

FILES
       /etc/argus.conf - argus daemon configuration file
       /var/run/argus_os.pid - default PID file naming convention

EXAMPLES
       Run argus as a daemon, writing all its transaction status reports to
       output-file.  This is the typical mode.

              argus -d -e `hostname` -w output-file

       If ICMP traffic is not of interest to you, you can filter out ICMP
       packets on input.

              argus -w output-file - ip and not icmp

       Argus supports both input filtering and output filtering, and argus
       supports multiple output streams, each with their own independent
       filters.

       If you are interested in tracking IP traffic only (input filter) and
       want to report ICMP traffic in one output file, and all other IP
       traffic in another file:

              argus -w outfile1 "icmp" -w outfile2 "not icmp" - ip

       Audit the network activity that is flowing between the two gateway
       routers, whose ethernet addresses are 00:08:03:2D:42:01 and
       00:00:0C:18:29:F1.  Without specifying an output-file, it is assumed
       that the transaction status reports will be written to a remote
       client.  In this case we have changed the port that the remote client
       will use to port 430/tcp.  The filter is quoted so that the shell
       does not interpret the parentheses.

              argus -P 430 'ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1)' &

       Audit each individual ICMP ECHO transaction.  You would do this to
       gather Round Trip Time data within your network.  Write the output to
       output-file.

              argus -R -w output-file "echo" - icmp

       Audit all NFS transactions involving the server fileserver and
       increase the reporting interval to 3600 seconds (to provide high data
       reduction).  Write the output to output-file.

              argus -S 3600 -w output-file udp and port 2049 &

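       The following operator wrapper is an added example and is not part of
       the argus distribution.  It ties together the pid file created by -c,
       the multiple-output-stream form of -w shown above, and the signals
       described in SIGNALS.  It assumes (not stated on this page) that argus
       is on $PATH and that the pid file is /var/run/argus_os.pid unless
       ARGUS_PIDFILE overrides it; the argument names SRCID, IFACE and OUTDIR
       and the file names icmp.arg and other.arg are the example's own.

```shell
#!/bin/sh
# Operator wrapper around argus(8): added example, not part of the argus
# distribution.  It starts argus with the options documented above and
# drives a running argus through its pid file with the signals from the
# SIGNALS section.  Assumed (not stated on the man page): argus is on $PATH,
# and the pid file is /var/run/argus_os.pid unless ARGUS_PIDFILE overrides it.

ARGUS_PIDFILE="${ARGUS_PIDFILE:-/var/run/argus_os.pid}"

# argus_start SRCID IFACE OUTDIR
# Run argus as a daemon (-d) with a pid file (-c), tag every record with
# the source identifier SRCID (-e), and forcibly disable remote client
# access (-P 0) so the only outputs are the files.  ICMP and all other IP
# traffic go to separate files with independent output filters; the '-'
# separates the option list from the input filter, which drops non-IP
# frames.  Set DRY_RUN=echo to print the command line instead of running it.
argus_start() {
    ${DRY_RUN:-} argus -d -c -P 0 -e "$1" -i "$2" \
        -w "$3/icmp.arg" "icmp" \
        -w "$3/other.arg" "not icmp" \
        - ip
}

# argus_pid
# Print the pid recorded by argus -c.  Fails when the file is missing,
# does not hold a plain number, or names a process that no longer exists
# (a stale pid file after a crash), so callers never signal the wrong pid.
argus_pid() {
    [ -r "$ARGUS_PIDFILE" ] || return 1
    pid=$(cat "$ARGUS_PIDFILE")
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# argus_signal SIGNAME
# Deliver one signal to the running argus, refusing if argus_pid cannot
# vouch for a live process behind the pid file.
argus_signal() {
    pid=$(argus_pid) || {
        echo "argus: not running or stale pid file $ARGUS_PIDFILE" >&2
        return 1
    }
    kill -s "$1" "$pid"
}

# One helper per behaviour documented in SIGNALS.
argus_debug_up()  { argus_signal USR1; }  # turn on / raise the debug level
argus_debug_off() { argus_signal USR2; }  # turn off all debug reporting
argus_stop()      { argus_signal TERM; }  # exit, writing TIMEDOUT records
```

       argus_stop is preferred over kill -9 because SIGTERM lets argus write
       TIMEDOUT records for every transaction that is still open; a SIGKILL
       loses that state.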
AUTHORS
       Carter Bullard (carter@qosient.com)

SEE ALSO
       argus.conf(5), hosts_access(5), hosts_options(5), tcpd(8), tcpdump(1)



                              10 November 2000                      ARGUS(8)