argus_linux man page on SuSE


ARGUS(8)							      ARGUS(8)

NAME
       argus - audit record generation and utilization system

SYNOPSIS
       argus [ options ] [ filter expression ]

COPYRIGHT
       Copyright (c) 2000-2008 QoSient, LLC   All rights reserved.

DESCRIPTION
       Argus  is  an  IP transaction auditing tool that categorizes IP packets
       which match the boolean expression  into	 a  protocol-specific  network
       transaction  model.   Argus reports on the transactions that it discov‐
       ers, as they occur.

       Designed to run as a daemon, argus  generally  reads  packets  directly
       from  a	network interface, and appends the transaction status informa‐
       tion to a log file or open socket connected to an argus client (such as
       ra(1)).	 Argus	can  also  read	 packet	 information from tcpdump(1) ,
       snoop(1) or NLANR's Moat Time Sequence Header raw packet files.	 Argus
       can also be configured to append its transaction logs to stdout.

       Argus  provides access control for its socket connection facility using
       tcp_wrapper technology.	Please refer to the  tcp_wrapper  distribution
       for a complete description.

OPTIONS
       -A   Generate application byte metrics in each audit record.

       -b   Dump  the  compiled packet-matching code to stdout and stop.  This
	    is used to debug filter expressions.

       -B   <addr> Specify the	bind  interface	 address  for  remote  access.
	    Acceptable	values	are IP version 4 addresses.  The default is to
	    bind to INADDR_ANY address.

       -c   <dir> Specify a chroot directory to use after privilege access  is
	    complete.  Must be super user to use this option.

       -d   Run	 argus	as  a  daemon.	This will cause argus to do the things
	    that Unix daemons do and return, if there  were  no	 errors,  with
	    argus running as a detached process.

       -D   <level>  Print  debug  messages to stderr.	The higher the <level>
	    the more information printed.  Acceptable levels are 1-8.

       -e   <value> Specify the source identifier for this argus.   Acceptable
	    values are numbers, hostnames or IP addresses.

       -F   Use	 conffile  as  a source of configuration information.  Options
	    set in this file override any other specification, and so this  is
	    the last word on option values.

       -g   <group>  Specify  a group name to change to after privilege access
	    is complete.

       -h   Print an explanation of all the arguments.

       -i   <interface>	 Specify  the  physical	 network  <interface>  to   be
	    audited.   The  default  is the first network interface that is up
	    and running.

       -J   Generate packet performance data in each audit record.

       -M   <secs> Specify the interval in <secs>  of  argus  status  records.
	    These  records  are	 used  to  report the internal status of argus
	    itself.  The default is 300 seconds.

       -m   Provide MAC addresses information in argus records.

       -N <packet count>|<packet range>
	    Specify the number of packets to process.  You can give  an	 abso‐
	    lute  number,  or  a range with the syntax "start-stop".  Examples
	    are:
	       -N 27	     - read the first 27 packets.
	       -N 1034-1434  - read 100 packets starting with 1034.

       -O   Turn off Berkeley Packet Filter optimizer.	No reason to  do  this
	    unless you think the optimizer generates bad code.

       -p   Do not set the physical network interface in promiscuous mode.  If
	    the interface is already in promiscuous mode, this option may have
	    no	effect.	  Do this to audit only the traffic coming to and from
	    the system argus is running on.

       -P   <portnum> Specifies the <portnum> for  remote  client  connection.
	    The default is to not support remote access.  Setting the value to
	    zero (0) will forcibly turn off the facility.

       -r <file file ... >
	    Read from tcpdump(1) , snoop(1)  or	 NLANR's  Moat	Time  Sequence
	    Header  (tsh) packet capture files.	 If the packet capture file is
	    a tsh format file, then the -t option must also be used.  The file
	    "-"	 specifies  stdin  as  the source of packets.  Argus will read
	    from only one input packet file at a time, and will open the files
	    in	lexicographic order.   Care  should be taken to ensure that the
	    timestamps in the packets are ordered, or unexpected behavior  may
	    result.   If the -r option is specified, argus will not put down a
	    listen(2) to support remote access.

       -R   Generate argus records such that response  times  can  be  derived
	    from transaction data.

       -S   <secs>  Specify  the  status  reporting interval in <secs> for all
	    traffic flows.

       -t   Indicate that the expected packet capture input file is an NLANR
	    Moat Time Sequence Header (tsh) packet capture file.

       -T timescale
	    Specify  a	playback  timescale  for  realtime processing of input
	    packets.

       -u   <user> Specify an account name to change to after privilege access
	    is complete.

       -U   Specify the number of user bytes to capture.

       -w   <file> ["filter"] Append transaction status records to output-file.
	    An output-file of '-' directs argus to write the resulting	argus-
	    file output to stdout.

       -X   Clear  existing argus configuration.  This removes any initializa‐
	    tion done prior to encountering this flag.	Allows you  to	elimi‐
	    nate  the  effects	of the /etc/argus.conf file, or any argus.conf
	    files that may have been loaded.

       expression
	    This tcpdump(1) expression specifies which	transactions  will  be
	    selected.	If  no	expression  is	given,	all  transactions  are
	    selected.  Otherwise, only transactions for	 which	expression  is
	    `true'  will be dumped.  For a complete expression format descrip‐
	    tion, please refer to the tcpdump(1) man page.

SIGNALS
       Argus catches a number of signal(3) events.  The three signals  SIGHUP,
       SIGINT,	and  SIGTERM  cause  argus  to	exit,  writing TIMEDOUT status
       records for all currently active transactions.  The signal SIGUSR1 will
       turn on debug reporting, and each subsequent SIGUSR1 signal  increments
       the debug-level. The signal SIGUSR2 will cause argus to	turn  off  all
       debug reporting.

ENVIRONMENT
       $ARGUSHOME - Argus Root directory
       $ARGUSPATH - Argus.conf search path (/etc:$ARGUSHOME:$HOME)

FILES
       /etc/argus.conf	       - argus daemon configuration file
       /var/run/argus.#.#.pid  - PID file
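       The signal handling described under SIGNALS, as an added example that is
       not part of the argus man page: a POSIX sh helper that locates a running
       argus through the PID file named under FILES and sends it the documented
       signals.  The path /var/run/argus.#.#.pid carries the version in its name,
       so the exact path is passed in as a parameter; the "argus.3.0" digits in
       the usage comment are a placeholder, not a value from the page.

```shell
#!/bin/sh
# Added example, not part of the argus man page: drive a running argus through
# the signals the SIGNALS section lists, locating it via the PID file named
# under FILES (/var/run/argus.#.#.pid, where #.# is the version, so the exact
# path is passed in rather than assumed).

# argus_pid PIDFILE
# Prints the PID stored in PIDFILE; fails unless the file holds a single
# positive integer naming a live process we are allowed to signal.
argus_pid() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "no readable pid file: $pidfile" >&2; return 1; }
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo "pid file $pidfile does not hold a number" >&2; return 1 ;;
    esac
    [ "$pid" -gt 0 ] || { echo "pid file $pidfile holds pid 0" >&2; return 1; }
    # kill -0 sends nothing; it only checks that the process exists and that
    # we have permission to signal it (fails with EPERM otherwise).
    kill -0 "$pid" 2>/dev/null || { echo "no signalable process $pid" >&2; return 1; }
    printf '%s\n' "$pid"
}

# argus_signal ACTION PIDFILE
#   debug-up   SIGUSR1: turn debug reporting on, or raise the level if on
#   debug-off  SIGUSR2: turn all debug reporting off
#   stop       SIGTERM: exit, writing TIMEDOUT records for active transactions
argus_signal() {
    action=$1 pidfile=$2
    case $action in
        debug-up)  sig=USR1 ;;
        debug-off) sig=USR2 ;;
        stop)      sig=TERM ;;
        *) echo "unknown action: $action (debug-up|debug-off|stop)" >&2; return 2 ;;
    esac
    pid=$(argus_pid "$pidfile") || return 1
    kill -s "$sig" "$pid"
}

# Usage (the version digits in the path are a placeholder):
#   argus_signal debug-up /var/run/argus.3.0.pid
```

       Because the daemon normally runs as root (or as the -u account), the
       kill -0 check in argus_pid fails with EPERM when the helper is run from
       an unprivileged account; the function then reports "no signalable
       process" rather than attempting the signal.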

EXAMPLES
       Run  argus  as  a daemon, writing all its transaction status reports to
       output-file.  This is the typical mode.
	      argus -d -e `hostname` -w output-file

       If ICMP traffic is not of interest to you,  you	can  filter  out  ICMP
       packets on input.
	      argus -w output-file - ip and not icmp

       Argus  supports	both  input  filtering and output filtering, and argus
       supports multiple output streams, each with their own independent  fil‐
       ters.

       If  you	are  interested in tracking IP traffic only (input filter) and
       want to report ICMP traffic in one output file and all other IP	 traf‐
       fic in another file:
	      argus -w outfile1 "icmp" -w outfile2 "not icmp" - ip

       Audit  the  network  activity  that  is flowing between the two gateway
       routers,	  whose	  ethernet   addresses	 are   00:08:03:2D:42:01   and
       00:00:0C:18:29:F1.   Without  specifying	 an output-file, it is assumed
       that the transaction status reports will be written to a remote client.
       In  this	 case we have changed the port that the remote client will use
       to port 430/tcp.
	      argus -P 430 ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1) &

       Audit each individual ICMP ECHO transaction.  You would do this to gather
       round-trip time data within your network.  Append the output to output-
       file.
	      argus -R -w output-file "echo" - icmp

       Audit all NFS transactions involving the server fileserver and increase
       the  reporting  interval	 to  3600 seconds (to provide high data reduc‐
       tion).  Append the output to output-file.
	      argus -S 3600 -w output-file udp and port 2049 &
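       The daemon invocations above combined with the privilege-dropping and
       access-control options (-u, -g, -c, -P and the tcp_wrapper facility), as
       an added example that is not part of the argus man page: a POSIX sh
       script that validates its inputs and assembles a least-privilege argus
       command line, plus the matching hosts_access(5) rules for the remote
       client port.  The account "argus", the chroot path, the port 561, the
       client addresses and the "print"/"exec" modes are illustrative
       assumptions; the tcp_wrappers daemon name "argus" is also an assumption
       and should be checked against the tcp_wrapper notes in the distribution.

```shell
#!/bin/sh
# Added example, not part of the argus man page: build a least-privilege argus
# daemon invocation from the options documented above (-d, -e, -u, -g, -c, -P,
# -w, filter expression) and write the matching tcp_wrappers rules for its
# listener.  Account, group, chroot path, port and client addresses are
# illustrative assumptions; the tcp_wrappers daemon name "argus" is assumed.

# argus_daemon_cmd MODE SRCID USER GROUP CHROOTDIR PORT OUTFILE [FILTER]
#   MODE is "print" (show the command line) or "exec" (replace the shell with it).
argus_daemon_cmd() {
    mode=$1 srcid=$2 user=$3 group=$4 jail=$5 port=$6 outfile=$7 filter=${8:-}
    # -u/-g: the account and group argus changes to once privileged setup is done.
    [ -n "$user" ] && [ -n "$group" ] || { echo "user and group required" >&2; return 1; }
    # -c: the chroot directory must already exist; keep the output file inside
    # it so the path stays valid after the chroot(2) call.
    [ -d "$jail" ] || { echo "chroot directory missing: $jail" >&2; return 1; }
    # -P: 0 forcibly turns the remote-client listener off, otherwise a TCP port.
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    # -d detaches as a daemon; -e tags every record with the source identifier.
    set -- argus -d -e "$srcid" -u "$user" -g "$group" -c "$jail" \
           -P "$port" -w "$outfile"
    # Optional input filter in tcpdump(1) syntax, after the "-" separator.
    [ -z "$filter" ] || set -- "$@" - "$filter"
    case $mode in
        print) printf '%s\n' "$*" ;;
        exec)  exec "$@" ;;
        *) echo "mode must be print or exec: $mode" >&2; return 1 ;;
    esac
}

# argus_wrappers_rules ALLOWFILE DENYFILE CLIENT...
# Appends "argus : <clients>" to ALLOWFILE and "argus : ALL" to DENYFILE, so only
# the listed ra(1) clients may reach the -P port (hosts_access(5) syntax).
argus_wrappers_rules() {
    allow=$1 deny=$2; shift 2
    [ $# -gt 0 ] || { echo "at least one client address required" >&2; return 1; }
    clients=$(printf '%s, ' "$@"); clients=${clients%, }
    printf 'argus : %s\n' "$clients" >> "$allow"
    printf 'argus : ALL\n' >> "$deny"
}

# Usage (paths are placeholders; run as root, since -c requires it):
#   argus_wrappers_rules /etc/hosts.allow /etc/hosts.deny 192.0.2.10
#   argus_daemon_cmd exec "$(hostname)" argus argus /var/lib/argus 561 \
#       /var/lib/argus/argus.out "ip and not icmp"
```

       With the deny rule in place, a connection from any address not listed in
       the allow rule is refused by the wrapper before argus hands out any
       transaction records; passing port 0 disables the listener entirely, which
       is the right setting when only the -w output file is needed.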

AUTHORS
       Carter Bullard (carter@qosient.com)

SEE ALSO
       hosts_access(5), hosts_options(5), tcpd(8), tcpdump(1)

			       10 November 2000			      ARGUS(8)