openargus / argus-5.0

Argus sensor
https://openargus.org
GNU General Public License v3.0
3 stars 0 forks source link

.. image:: logo/argus_logo_medium-6aac34a9.png :alt: Argus

Argus is the first network flow technology, developed by Carter Bullard in 1984 at the Georgia Instiute of Technology. Argus became a dedicated realtime network operations and performance monitor for the NSFnet backbone and the GaTech network by 1985, getting data from packet taps from IBMs core NSFnet routers and GaTech's campus edge switches. Network flow monitoring got its cyber security debut in 1986-1987 when Argus was used to detect the Legion of Doom's breakins of Equifax and Bell South. Argus provided critical network visibility during the infamous Morris Worm attack that devastated the ArpaNet and NSFnet in 1988, revealing the network techniques used by the worm. Carter continued developing Argus when he moved to the Computer Emergency Response Team (CERT) at Carnegie Mellon University's Software Engineering Institute in late 1989, where it was adapted for incident analysis and forensics data development. Argus was released as open source in 1994, and Carter has maintained the project since then.

There have been a number of network flow technologies developed, primarily by US Federally Funded Research and Development Centers (FFRDC), network equipment manufacturers like Cisco, Juniper, which are fondly referred to as the 'Alphabet' flows. Standards orgs have developed several flow systems, and the IETF has developed an RFC for representing the data generated by flow systems, IPFIX. Each of these systems have their strengths and limitaions.

The goal of the Argus project is to provide proof of concept innovative and leading edge capabilities for network flow technology. Argus was the first bi-directional flow sensor, it was the first flow technology to capture packet content, it was first to provide IP fragmentation tracking, it was the first FDDI, ATM and Infiniband flow sensor, it was first to generate IPv6 flow records, it was the first flow technology to capture packet dynamic metrics, first routing protocol flow sensor (ISIS), first for behavioral metrics such as keystroke detection, and during its 40 year lifetime, Argus was the first 1M, 10M, 100M, 1G, 10G and also the first demonstrated 100G non-statistical flow sensor. Some of these first's are still powerful distinquishing features not seen in other flow systems today. Primarily, Argus is a comprehensive network flow system, in that it classifies and accounts for any and all network activity, not just IP traffic, or just DNS or HTTP traffic. Argus based comprehensive network flow monitoring has been successfully deployed at scale throughout the US DoD, the US Gov't in projects such as the US National Science Foundation GLORIAD network, as well as in a large number of private enterprise networks, using the open source software provided by this site.

This package contains the argus network audit sensor that processes raw packet data, from either a file or from network inteface(s), and generates network flow activity status records. The status records can be available for near real-time analytic processing, as you would want for operational fault analysis or real-time intrusion detection, or can be stored and used to generate a network activity audit information system.

Use the accompaning argus-clients-5.0 tools to collect, process, print, graph, store, filter, compare, archive and manage the data that Argus generates.

To install the software and get started, see the ./INSTALL file. For answers to many questions, please see the argus web site at http://qosient.com/argus.

The Argus 5.0 has been ported to MacOS, VxWorks, AIX, HPUX, Irix, Onix, SunOS, Solaris, Linux, FreeBSD, OpenBSD, NetBSD, BSD Unix, UniCos, Cygwin and OpenWRT, to name just a few, and the argus client software has been successfully used under most if not all the same platforms. If you port Argus to another system, please let us know on the mailing list.

We encourage you to use the './bin/argusbug' script when posting bug reports about Argus. Argusbug will gather some information about your system and start your editor with a form in which you can describe your problem. Delete information that you consider non-relevant to your problem. Bug reports not generated by Argusbug may be silently ignored by the Argus maintainers, so please use consider using the tool.

Email that reports that 'Argus does not work. Why?' will be completely ignored.

Again, thank you for your interest in Argus. I hope that you find the software useful.

:Authors: Carter Bullard

:Version: 5.0 as of 2023/11/20