Difference between revisions of "Argus"
Jump to navigation
Jump to search
(add the madness (argus page)) |
(No difference)
|
Revision as of 10:58, 29 January 2007
Background
- Argus is deployed in such a way that it listens on localhost:561 and does not write to disk. This saves load on the daemon and functionality doesn't change, it just gets easier.
- This deployment was on a filtering bridge between an ineffective proprietary firewall and a sizable LAN during the course of redeployment of the firewall.
- All commands run inside screen(1) for usability's sake.
rasplit
- Since argus(8) doesn't write to a file directly, we needed something that will; rasplit(1) does the job.
- A script was written like this to facilitate easier starting/stopping of rasplit(1):
#!/bin/sh rasplit -M time 10m -n -S localhost -w "/usr/local/argus/log/%Y/%m/%d/argus_%H:%M:%S" exit
- That script writes everything to its own year/month/day/argus_hour:minute:second file cycled every 10mins but keeping sessions in their proper place historically.
ratop
- ratop(1) is in use for a reasonably real-time view of running sessions. To facilitate its use, we needed to slim down known-good traffic to make the display reasonable to read. This LAN gets a lot of in/outbound traffic and it just isn't feasible to watch it all.
- So, in keeping with the scenario, a script called "rattop" was written:
#!/bin/sh ratop -n -S localhost - `/usr/local/argus/bin/subrules.rb` exit
- This script is standalone and uses a ruby script that "parses" a list of BPF syntax filters from a file.
- The ruby script is as such (subrules.rb):
#!/usr/bin/env ruby # # 2007-01-25 -- jontow@ # f = File.open('/usr/local/argus/etc/bpf.rules', 'r') outrules = f.each do |line| outrules += line.gsub(/\n$/, ' ') end puts outrules exit
- The ruleset will be detailed below in the ra(1) section.
- "rattop" runs without any arguments. To define the ruleset, modify the File.open line above.
ra
- The final (but most important piece) is the script called "rattail" that is used for real-time display of session data:
#!/bin/sh multitail -cS ra -ev llc -l 'ra -n -S localhost - `cat /usr/local/argus/etc/bpf.rules`' exit
- It (rattail) is used with Multitail(1) to have a colored display of traffic based upon its categorization.
The Ruleset(tm)
- The ruleset is simply the same filter syntax that one uses on the command line with argus clients, but split so that it is readable on a line basis.
- Example ruleset (bpf.rules):
not arp and not rtp and not rtcp and not port 22 and not host 192.168.1.10 and not ((dst port 80 or dst port 443) and (dst host 192.168.1.152 or dst host 192.168.1.160))
- The ruleset is simply a means of visually ignoring traffic that we KNOW is supposed to / can be there. It shows simply what is leftover after accounting for everything valid, therefor showing only questionable traffic.