Skip to content
Argus Monitor edited this page Jun 22, 2024 · 31 revisions

Welcome

Welcome to the openargus clients wiki! Here we'll try to use the powers of GitHub to develop some new features.

Argus 5.0.0

In Argus 5.0 we moved some of ArgusPro's features to the open source, such as 128-bit Argus source id's, Argus events, expanded behavioral analytics, json processing, importing other flow data into the Argus processing system, enhanced content capture and processing, and new tunnel support.

Argus 5.0 is focused on generating argus data in as many points in the network as possible, including external and internal high speed links, workgroup edges, endpoints and wireless access points. This is important to addressing the cyber security challenges that enterprises face today. This involves granular visibility inside the enterprise, to support effective cyber detection and forensics. With increased network visibility inside the enterprise, there are new opportunities for sophisticated detections by correlating data from multiple points in the network at or near the same time.

Because Argus has already been ported to most endpoint operating systems and OpenWRT access points, we have a good start on getting a lot of sensors into an environment. As a part of improving visibility throughout the network, we're also going to import data from other flow systems. Argus already processes NetFlow and IPFIX records, but there are a lot of other flow data strategies out there. In particular, we'll want to import Zeek connection logs, as many organizations generate Zeek data, Google VPC flows, and possibly some of the single letter flows, like Qflow, Jflow, and maybe Kflow records.

Argus Support in the Endpoint

The open source argus code is very portable, and runs in a number of operating systems, including Linux and it's variants, RHEL, Rocky, Ubuntu, Debian, Kali, FreeBSD, CentOS, Fedora, OpenSUSE, (and all of these subvariants), Windows, MacOS, AIX, SunOS, HPUX, Solaris, IRIX, CrayOS, VxWorks, PSoS, and OpenWRT, so we have a good start.

Argus 5.0 sensors run great in endpoints, and with a few changes to libpcap, we can attain < 0.5% avg CPU utilization for an argus daemon on most commercial endpoints (Windows, MacOS, Linux). There are specific features that are useful to achieve complete network accountability on endpoints, as there are a lot of interfaces types that exist that we all would like to monitor. BlueTooth interfaces, RadioTaps, USB devices, VPNs, even docker interfaces are fair game for monitoring in an endpoint. And of course there are a lot of different types of endpoints now ... cloud based VMs and containers are an important part of the mix.

To improve managing large numbers of endpoint sensors, argus supports using the hostuuid as the argus source id. With this feature, argus can be deployed as a zero-configuration daemon (no conf file mods needed), and to improve visibility on endpoints, argus will generally add the 'inf' to the flow key of every flow it monitors. This means that argus-clients should expect from endpoint argi flow data that has a 128-bit source id, and a 4-char interface identifier, where the flow was monitored.

128-bit ARGUS_MONITOR_ID's are pretty unwieldy. To make data processing easier, all ra* programs can use a RA_SRCID_ALIAS file to alias short names for the big uuid identifiers. The aliases are "node"s and can be printed, filtered, etc ...

[carter@red clients]$ ra -S localhost -up 3 -s stime dur proto saddr dir daddr pkts bytes node inf StartTime Dur Proto SrcAddr Dir DstAddr TotPkts TotBytes Node Inf 1719084297.354 5.257 man 0 4294560399 174 0 red man0 1719084297.079 0.000 igmp 192.168.1.17 -> 239.255.255.250 1 60 red e0s5 1719084297.361 4.912 udp 192.168.1.82 -> 224.0.0.251 19 6864 red e0s5 1719084297.928 4.003 udp 192.168.1.131 -> 239.255.255.250 3 366 red e0s5 1719084298.113 0.000 llc 80:5e:c0:c2:60:ca -> 01:00:0c:cc:cc:cc 1 117 red e0s5 1719084298.856 4.388 tcp 192.168.1.254 <?> 192.168.1.49 90 9076 red e0s5 1719084299.217 4.996 udp fe80::7e64:6cff:f* -> ff02::fb 14 6511 red e0s5

will try to bring the experiences we've had in porting Argus and in trying to come up with some basic zero-configuration strategies for getting complete network accountability.

Converting Zeek conn.logs to Argus Records

Argus can natively read Netflow V 4,5 and flow-tools flow formats. And as of argus-clients.3.0.8.4 argus can convert json formatted Zeek conn.logs into Argus binary formats using our existing program raconvert.1 ... Json because we added json processing into the argus client library, but we can just as easily do non-json formats as well.

We extended raconvert.1 to take in a conversion map, using the '-f conversion.map' command-line option. And the specific support for converting zeek con logs is done through the support/Config/raconvert.zeek.conf file. This sample raconvert conversion map, should work for all the basic zeek conn.log variables, and as new are added, this file will need to be updated.

Converting Google VPC Logs to Argus Records

raconvert.1 can convert any json formatted string into a flow record, if it contains a minimum set of flow identifiers. Start time, an IP address or name, some metrics and optionally some metadata, is all that is needed.

This approach should work very well with Google VPC flow logs. If we can find some real examples of VPC flow logs, we can generate a raconvert.google.conf conversion map. Should be pretty easy ...

Clone this wiki locally