Difference between revisions of "Argus"

From WTFwiki
(break out subrules into its own section, fix formatting, add comment-parsing)
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== Background ==
 
== Background ==
  
* [http://www.qosient.com/argus/ Argus] is deployed in such a way that it listens on localhost:561 and does not write to disk.  This saves load on the daemon and functionality doesn't change, it just gets easier.
+
* In the following setup, [http://www.qosient.com/argus/ Argus] is deployed in such a way that it listens on localhost:1561 and does not write to disk.  Additional instances of argus (for additional capture interfaces, etc) follow the same scheme, but listening on the next available port (ie. 1562).  This saves load on the daemon and functionality doesn't change, it just gets easier.
* This deployment was on a filtering bridge between an ineffective proprietary firewall and a sizable LAN during the course of redeployment of the firewall.
+
* This deployment was on a high-powered SMP-enabled machine with 8GB of RAM and a 1TB ZFS pool to play with.
* All commands run inside screen(1) for usability's sake.
+
* It is used at an ISP with gigabit speed links everywhere, and a substantial amount of internet-bound traffic.  Most common use here is at the internet edge for troubleshooting and statistics-gathering.
 +
== Commands ==
 +
=== rasplit ===
  
 
+
* argus(8) will write to a file directly, but we need something that will do it more intelligently; rasplit(1) does the job.
== rasplit ==
+
* Using radium(8), you can use the srcid field to your advantage. The following writes out each srcid to its own flow file, so you can easily aggregate multiple argus(8) sources on one storage machine.
 
 
* Since argus(8) doesn't write to a file directly, we needed something that will; rasplit(1) does the job.
 
* A script was written like this to facilitate easier starting/stopping of rasplit(1):
 
 
 
  #!/bin/sh
 
 
  rasplit -M time 10m -n -S localhost -w "/usr/local/argus/log/%Y/%m/%d/argus_%H:%M:%S"
 
   
 
  exit
 
 
 
* That script writes everything to its own year/month/day/argus_hour:minute:second file cycled every 10mins but keeping sessions in their proper place historically.
 
 
 
 
 
== ratop ==
 
 
 
* ratop(1) is in use for a reasonably real-time view of running sessions. To facilitate its use, we needed to slim down known-good traffic to make the display reasonable to read.  This LAN gets a lot of in/outbound traffic and it just isn't feasible to watch it all.
 
* So, in keeping with the scenario, a script called "rattop" was written:
 
 
 
  #!/bin/sh
 
 
   
 
   
   ratop -n -S localhost - `/usr/local/argus/bin/subrules.rb`
+
   rasplit -d -S localhost:561 -M time 10m -w /argus/archive/%Y-%m/%d/\$srcid--%Y.%m.%d-%H.%M.%s
  exit
 
 
 
== subrules ==
 
 
 
* This script is standalone and uses a ruby script that "parses" a list of BPF syntax filters from a file.
 
* The ruby script is as such (subrules.rb):
 
  
<pre>
+
* That script writes everything to its own year-month/day/srcid--year.month.day-hour.minute.second file cycled every 10mins but keeping sessions in their proper place historically.
#!/usr/bin/env ruby
+
* It is important to backslash-escape the "srcid" variable, or it'll get shell-replaced with whatever equals $srcid in your environment (probably nothing.)
#
 
# 2007-01-25 -- jontow@
 
#
 
 
f = File.open('/usr/local/argus/etc/bpf.rules', 'r')
 
outrules = ''
 
  
f.each do |line|
+
=== ratop ===
      if line =~ /^#/
 
              # comment, skip it
 
      elsif line =~ /^$/
 
              # blank line, skip it
 
      else
 
              outrules += line.gsub(/\n$/, ' ')
 
      end
 
end
 
puts outrules
 
exit
 
</pre>
 
  
* The ruleset will be detailed below in the ra(1) section.
+
* ratop(1) is in use for a reasonably real-time view of running sessions.  To facilitate its use, we needed to slim down known-good traffic to make the display reasonable to read. This network gets a lot of in/outbound traffic and it just isn't feasible to watch it all.
* "rattop" runs without any arguments.  To define the ruleset, modify the File.open line above.
 
  
 +
  ratop -n -S localhost - `xargs </path/to/filterfile.txt`
  
== ra ==
+
=== ra ===
  
* The final (but most important piece) is the script called "rattail" that is used for real-time display of session data:
+
* ra(1) can be used as a shim between other commands for filtering, display, whatever
 +
* ra(1) is most often used for ~realtime monitoring of the data
 +
* When combined with [[multitail|Multitail]](1), you can have a colored display of traffic based upon its categorization.
  
 
   #!/bin/sh
 
   #!/bin/sh
 
   
 
   
   multitail -cS ra -ev llc -l 'ra -n -S localhost - `cat /usr/local/argus/etc/bpf.rules`'
+
   multitail -cS ra -ev llc -l 'ra -n -S localhost - `cat /path/to/filterfile.txt`'
 
   exit
 
   exit
 
+
== Configuration ==
* It (rattail) is used with [[multitail|Multitail]](1) to have a colored display of traffic based upon its categorization.
+
=== The Ruleset(tm) (filterfile.txt) ===
 
 
 
 
== The Ruleset(tm) ==
 
  
 
* The ruleset is simply the same filter syntax that one uses on the command line with argus clients, but split so that it is readable on a line basis.
 
* The ruleset is simply the same filter syntax that one uses on the command line with argus clients, but split so that it is readable on a line basis.
* Example ruleset (bpf.rules):
+
* Example ruleset (filterfile.txt):
  
 
   not arp and
 
   not arp and
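Review bot: the added rasplit line `rasplit -d -S localhost:561 -M time 10m -w /argus/archive/%Y-%m/%d/\$srcid--%Y.%m.%d-%H.%M.%s` ends its template in `%s`, which strftime expands to seconds since the epoch, while the new bullet right after it describes a `hour.minute.second` filename; `%S` is the two-digit second. The same line still connects to port 561 although the rewritten Background bullet now says the daemon listens on localhost:1561, and the new ratop/ra lines use `-S localhost` with no port at all, so the commands and the Background should agree on one port. Finally, replacing `subrules.rb` with `xargs </path/to/filterfile.txt` drops the comment and blank-line handling the Ruby script had: xargs does not treat `#` lines as comments, so a commented filterfile would now be handed to ratop as filter tokens.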
Line 85: Line 44:
 
   not ((dst port 80 or dst port 443) and (dst host 192.168.1.152 or dst host 192.168.1.160))
 
   not ((dst port 80 or dst port 443) and (dst host 192.168.1.152 or dst host 192.168.1.160))
  
* The ruleset is simply a means of visually ignoring traffic that we KNOW is supposed to / can be there.  It shows simply what is leftover after accounting for everything valid, therefor showing only questionable traffic.
+
* The ruleset is simply a means of visually filtering traffic that we KNOW is supposed to / can be there.  If used as above in the negated manner ("not ..."), it shows simply what is leftover after accounting for everything valid, therefor showing only questionable traffic.
  
 
== External Links ==
 
== External Links ==
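Review bot: "therefor" in the rewritten last bullet should be "therefore". Since this hunk also renames the example file from bpf.rules to filterfile.txt, it is worth stating that the last line of the file must not end in `and`: each rule line carries its own trailing `and` and the final negated clause closes the expression, otherwise the joined filter is syntactically incomplete.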

Latest revision as of 21:47, 4 January 2013

Background

  • In the following setup, Argus is deployed in such a way that it listens on localhost:1561 and does not write to disk. Additional instances of argus (for additional capture interfaces, etc.) follow the same scheme, but listening on the next available port (i.e. 1562). This saves load on the daemon and functionality doesn't change, it just gets easier.
  • This deployment was on a high-powered SMP-enabled machine with 8GB of RAM and a 1TB ZFS pool to play with.
  • It is used at an ISP with gigabit speed links everywhere, and a substantial amount of internet-bound traffic. Most common use here is at the internet edge for troubleshooting and statistics-gathering.

Commands

rasplit

  • argus(8) will write to a file directly, but we need something that will do it more intelligently; rasplit(1) does the job.
  • Using radium(8), you can use the srcid field to your advantage. The following writes out each srcid to its own flow file, so you can easily aggregate multiple argus(8) sources on one storage machine.
 # %S is the two-digit second (%s would give seconds since the epoch); \$srcid is escaped so rasplit, not the shell, expands it
 rasplit -d -S localhost:561 -M time 10m -w /argus/archive/%Y-%m/%d/\$srcid--%Y.%m.%d-%H.%M.%S
  • That command writes everything to its own year-month/day/srcid--year.month.day-hour.minute.second file, cycled every 10 minutes but keeping sessions in their proper place historically.
  • It is important to backslash-escape the "srcid" variable, or it'll get shell-replaced with whatever equals $srcid in your environment (probably nothing).

ratop

  • ratop(1) is in use for a reasonably real-time view of running sessions. To facilitate its use, we needed to slim down known-good traffic to make the display reasonable to read. This network gets a lot of in/outbound traffic and it just isn't feasible to watch it all.
 ratop -n -S localhost - `xargs </path/to/filterfile.txt`

ra

  • ra(1) can be used as a shim between other commands for filtering, display, and so on.
  • ra(1) is most often used for near-realtime monitoring of the data.
  • When combined with Multitail(1), you can have a colored display of traffic based upon its categorization.
 #!/bin/sh

 multitail -cS ra -ev llc -l 'ra -n -S localhost - `cat /path/to/filterfile.txt`'
 exit

Configuration

The Ruleset(tm) (filterfile.txt)

  • The ruleset is simply the same filter syntax that one uses on the command line with argus clients, but split so that it is readable on a line basis.
  • Example ruleset (filterfile.txt):
 not arp and
 not rtp and
 not rtcp and
 not port 22 and
 not host 192.168.1.10 and
 not ((dst port 80 or dst port 443) and (dst host 192.168.1.152 or dst host 192.168.1.160))
  • The ruleset is simply a means of visually filtering traffic that we KNOW is supposed to / can be there. If used as above in the negated manner ("not ..."), it shows simply what is leftover after accounting for everything valid, therefore showing only questionable traffic.
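As an added example (not the wiki's own script), a POSIX sh helper that turns the per-line filterfile.txt above into the single filter string that ratop(1) and ra(1) take after the lone "-", skipping comment and blank lines (which the `xargs`/`cat` one-liners would pass straight through as filter tokens) and refusing a file that would leave a dangling `and` or unbalanced parentheses. `write_sample_rules`, `check_filter` and `build_filter` are names chosen here; the sample rule file it writes is constructed for the example.

```shell
#!/bin/sh
# Added example, not the wiki's own script: build the one-line filter that
# ratop(1)/ra(1) take after "-" from a per-line rule file (filterfile.txt).
# Usage: ratop -n -S localhost - "$(build_filter /path/to/filterfile.txt)"

# Write a constructed sample rule file in the page's one-clause-per-line
# format, with a comment and a blank line that `xargs <file` would hand to
# ratop as filter tokens.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample: known-good traffic to hide from the display
not arp and
not rtp and

not port 22 and
not ((dst port 80 or dst port 443) and (dst host 192.168.1.152 or dst host 192.168.1.160))
EOF
}

# Reject a joined expression the argus client would choke on: an empty
# filter, a dangling trailing operator (e.g. the last line also ends in
# "and"), or unbalanced parentheses.
check_filter() {
    case "$1" in
        ""|"and"|"or"|*" and"|*" or") return 1 ;;
    esac
    opens=$(printf '%s' "$1" | tr -cd '(')
    closes=$(printf '%s' "$1" | tr -cd ')')
    [ "${#opens}" -eq "${#closes}" ]
}

# Strip '#' comments and blank lines, trim whitespace, join with spaces.
build_filter() {
    expr=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | tr '\n' ' ' | sed -e 's/ *$//')
    check_filter "$expr" || { echo "$1: malformed filter" >&2; return 1; }
    printf '%s\n' "$expr"
}

# Run directly: ./build_filter.sh /path/to/filterfile.txt
if [ $# -gt 0 ]; then build_filter "$1"; fi
```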

External Links