
argus on OSX with fink or on CentOS el6

Hello argus fans. I have added a whole ton to the NSMwiki page for argus, so check that out. In fact, throw this post away and go there. Don’t worry… it won’t hurt my feelings, as I added a whole bunch there to get new people started.

Lion related Update from Carter.

At home today, so I was happy to see that there are fink packages of both argus 3.0.2 and argus-clients 3.0.2.

At work, I’m happy to see it’s pretty easy to build argus and argus-clients from source on CentOS6.

Install argus and argus-clients via fink:

fink install argus argus-clients

or

Install argus and argus-clients by building from source on el6:

yum -y install gcc make bison libpcap libpcap-devel cyrus-sasl ncurses-devel flex mysql mysql-server mysql-devel mysql-libs
cd
wget http://qosient.com/argus/src/argus-latest.tar.gz http://qosient.com/argus/src/argus-clients-latest.tar.gz
tar zxvf argus-latest.tar.gz
cd argus-*
./configure
make && make install
cd
tar zxvf argus-clients-latest.tar.gz
cd argus-clients-*
./configure
make && make install

The ./configure script is not very verbose, and won’t die on many errors. I had a problem with the geoip library, even when specifying the location with the ./configure argument. strace ratop showed where the ra programs expect libGeoIP.so.1. I just created a symlink. Also, rasql* was missing due to the system not having the mysql-* packages installed during build. I went back to the source directory, make uninstall, deleted the source directory, installed the mysql-* packages, ./configure && make && make install and the rasql* binaries were installed as intended.

bind argus to eth0 (located via ifconfig):

argus -d -i eth0 -P 561 not host [local IP address(es)]

connect ratop to the argus server:

ratop -S localhost:561

Then type :h while in ratop for help.

The default view in ratop contains:

  • Start time of…
  • Duration of…
  • State
  • Protocol
  • Source: address, port, packets, bytes
  • Destination: address, port, packets, bytes
  • Direction of state

A very important point about argus and the ra* clients:
All the ra* clients can attach to an argus data stream, from the argus process or from stdout of another ra* client. This last point might be lost on you, but is of crucial importance.
An example of connecting to an argus stream and piping non-ASCII stdout of an ra* client to an ra* client for storage of records (rasqlinsert), can be found within the post Configure argus clients to have access to country code.

You will see that accepting a read (-r) from stdin (-) allows records to be processed as you desire.
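The two pieces above, filling in the "not host" placeholder and chaining ra* clients through stdin, as an added shell example (not from the original post; the interface name, the ip/awk address lookup and the ARGUS_LIVE guard are assumptions):

```shell
#!/bin/sh
# Added example: build the "not host ..." BPF filter for argus from an
# interface's IPv4 addresses (so the sensor skips its own management traffic),
# then read the live stream through a chain of ra* clients.
# Assumes the iproute2 "ip" command and an argus server listening on port 561.

# Turn a whitespace-separated list of addresses into
# "not host A and not host B"; an empty list yields an empty filter.
build_exclude_filter() {
    filter=""
    for addr in "$@"; do
        if [ -z "$filter" ]; then
            filter="not host $addr"
        else
            filter="$filter and not host $addr"
        fi
    done
    printf '%s' "$filter"
}

# Collect the IPv4 addresses assigned to an interface, stripping the /prefix.
iface_ipv4_addrs() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ sub("/.*", "", $4); print $4 }'
}

# Start argus on the given interface (default eth0), excluding local addresses:
# -d daemonizes, -i picks the interface, -P sets the listening port.
start_argus() {
    iface=${1:-eth0}
    filter=$(build_exclude_filter $(iface_ipv4_addrs "$iface"))
    argus -d -i "$iface" -P 561 $filter
}

# Chain ra* clients: ra pulls binary records from the argus server and writes
# them to stdout (-w -); racluster reads them from stdin (-r -) and merges
# matching flows; the final ra reads the merged stream from stdin and prints
# it without name resolution (-n).
show_clustered() {
    ra -S localhost:561 -w - | racluster -r - -w - | ra -r - -n
}

# The live part only runs when explicitly requested (ARGUS_LIVE=1) so the
# helper functions can be sourced or tested on a box without argus installed.
if [ "${ARGUS_LIVE:-0}" = "1" ]; then
    start_argus eth0
    show_clustered
fi
```

Run it as `ARGUS_LIVE=1 sh argus-chain.sh` on the sensor; without the variable it only defines the functions.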

With reference:
argus: getting started

Goals:
Dump argus to sql.
Live display: Leverage a chord diagram (using a design described as circos) for three axis comparison which can be refocused (ex: src addr, dst addr, bytes)
Live display: Leverage a time line display for two axis comparison
Design the SQL db so that it easily allows for reduction of data over time/a slower store caused by compression… utilizing age thresholds.
Report generation

Methods:
Check out visualization (and/or security visualizations)… favorites include: moowheel, jit, d3js, raphael, jquery.sparklines, and timeline.

The idea of live coding will help me gain some understanding.
