argus on OSX with fink or on CentOS el6
At work, I’m happy to see it’s pretty easy to build argus and argus-clients from source on CentOS6.
Install argus and argus-clients via fink:
fink install argus argus-clients
Install argus and argus-clients by building from source on el6:
yum -y install gcc make bison libpcap libpcap-devel cyrus-sasl ncurses-devel flex mysql mysql-server mysql-devel mysql-libs
cd
wget http://qosient.com/argus/src/argus-latest.tar.gz http://qosient.com/argus/src/argus-clients-latest.tar.gz
tar zxvf argus-latest.tar.gz
cd argus-*
./configure
make && make install
cd
tar zxvf argus-clients-latest.tar.gz
cd argus-clients-*
./configure
make && make install
The ./configure script is not very verbose, and won’t die on many errors. I had a problem with the geoip library, even when specifying the location with the ./configure argument. strace ratop showed where the ra programs expect libGeoIP.so.1; I just created a symlink. Also, rasql* was missing because the system did not have the mysql-* packages installed during the build. I went back to the source directory, ran make uninstall, deleted the source directory, installed the mysql-* packages, ran ./configure && make && make install, and the rasql* binaries were installed as intended.
bind argus to eth0 (located via ifconfig):
argus -d -i eth0 -P 561 not host [local IP address(es)]
connect ratop to the argus server:
ratop -S localhost:561
Then type :h while in ratop for help.
The default view in ratop contains:
- Start time of…
- Duration of…
- Source: address, port, packets, bytes
- Destination: address, port, packets, bytes
- Direction of state
A very important point about argus and the ra* clients:
All the ra* clients can attach to an argus data stream, from the argus process or from stdout of another ra* client. This last point might be lost on you, but is of crucial importance.
An example of connecting to an argus stream and piping non-ASCII stdout of an ra* client to an ra* client for storage of records (rasqlinsert), can be found within the post Configure argus clients to have access to country code.
You will see that accepting a read (-r) from stdin (-) allows records to be processed as you desire.
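An added example (not from the original post) of the chaining described above: one ra client pulls binary records from the collector and writes them to stdout with -w -, a second ra reads them from stdin with -r - and prints selected fields as CSV, and a small awk summarizer of our own (not an argus tool) reduces them to bytes per source address. The ra options used (-S, -w, -r, -n, -s, -c) are documented ra flags; the collector address and the sample records are assumptions so the summarizer can run without a live argus.

```shell
#!/bin/sh
# Constructed sample of what `ra -n -s saddr,daddr,bytes -c ,` prints,
# used when no argus collector is reachable (not real captured traffic).
SAMPLE_RECORDS='10.0.0.5,192.0.2.10,1500
10.0.0.5,192.0.2.10,800
10.0.0.9,198.51.100.7,120
10.0.0.5,203.0.113.3,70
10.0.0.9,198.51.100.7,30'

# Read ra CSV (saddr,daddr,bytes) on stdin and print "saddr bytes",
# largest first. Lines whose third field is not numeric (ra's header
# line, blank lines) are skipped.
bytes_per_source() {
    awk -F, '$3 ~ /^[0-9]+$/ { total[$1] += $3 }
             END { for (a in total) print a, total[a] }' |
        sort -k2,2nr
}

# Top talker: the first line of the summary.
top_talker() {
    bytes_per_source | head -n 1
}

# Live pipeline: binary records flow over stdin between two ra clients,
# exactly as the post describes. The collector address is an assumption.
live_summary() {
    ra -S "${1:-localhost:561}" -w - |
        ra -r - -n -s saddr,daddr,bytes -c , |
        bytes_per_source
}

if [ "${1:-}" = "live" ]; then
    live_summary "${2:-localhost:561}"
else
    printf '%s\n' "$SAMPLE_RECORDS" | bytes_per_source
fi
```

Run it with no arguments to summarize the constructed sample, or with `live [host:port]` to attach to a running argus.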
argus: getting started
- Dump argus to sql.
- Live display: Leverage a chord diagram (using a design described as circos) for three axis comparison which can be refocused (ex: src addr, dst addr, bytes)
- Live display: Leverage a time line display for two axis comparison
- Design the SQL db so that it easily allows for reduction of data over time/a slower store caused by compression… utilizing age thresholds.
- The idea of live coding will help me gain some understanding.