# # Argus Software # Copyright (c) 2000-2011 QoSient, LLC # All rights reserved. # # Example argus.conf # # Argus will open this argus.conf if its installed as /etc/argus.conf. # It will also search for this file as argus.conf in directories # specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, # or $HOME, $HOME/lib, and parse it to set common configuration # options. All values in this file can be overriden by command # line options, or other files of this format that can be read in # using the -F option. # # # Variable Syntax # # Variable assignments must be of the form: # # VARIABLE= # # with no white space between the VARIABLE and the '=' sign. # Quotes are optional for string arguements, but if you want # to embed comments, then quotes are required. # # # Variable Explanations # # The Argus can be configured to support a large number of # flow types. The Argus can provide either type, i.e. # uni-directional or bi-directional flow tracking and # the flow can be further defined by specifying the key. # The argus supports a set of well known key strategies, # such as 'CLASSIC_5_TUPLE', 'LAYER_3_MATRIX', 'LAYER_2_MATRIX', # 'MPLS', and/or 'VLAN', or the argus can be configured to # formulate key strategies from a list of the specific # objects that the Argus understands. See the man page for # a complete description. # # The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE. # ARGUS_FLOW_TYPE="Bidirectional" # For botnet-cluster is NOT commented ARGUS_FLOW_TYPE="Unidirectional" #ARGUS_FLOW_TYPE="Unidirectional" ARGUS_FLOW_KEY="CLASSIC_5_TUPLE" # Argus is capable of running as a daemon, doing all the right things # that daemons do. When this configuration is used for the system # daemon process, say for /etc/argus.conf, this variable should be # set to "yes". # # The default value is to not run as a daemon. # # This example is to support the ./support/Startup/argus script # which works when this variable be set to "yes". # # Commandline equivalent -d # #ARGUS_DAEMON=no # Argus Monitor Data is uniquely identifiable based on the source # identifier that is included in each output record. This is to # allow you to work with Argus Data from multiple monitors at the # same time. The ID is 32 bits long, and so legitimate values are # 0 - 4294967296 but argus also supports IP addresses as values. # The configuration allows for you to use host names, however, do # have some understanding how `hostname` will be resolved by the # nameserver before commiting to this strategy completely. # # For convenience, argus supports the notion of "`hostname`" for # assigning the probe's id. This is to support management of # large deployments, so you can have one argus.conf file that works # for a lot of probes. # # For security, argus does not rely on system programs, like hostname.1, # It implements the logic of hostname itself, so don't try to run # arbitrary programs using this method, because it won't work. # # Commandline equivalent -e # ARGUS_MONITOR_ID=`hostname` # Argus monitors can provide a real-time remote access port # for collecting Argus data. This is a TCP based port service and # the default port number is tcp/561, the "experimental monitor" # service. This feature is disabled by default, and can be forced # off by setting it to zero (0). # # When you do want to enable this service, 561 is a good choice, # as all ra* clients are configured to try this port by default. # # Commandline equivalent -P # ARGUS_ACCESS_PORT=561 # When remote access is enabled (see above), you can specify that Argus # should bind only to a specific IP address. This is useful, for example, # in restricting access to the local host, or binding to a private # interface while capturing from another. # # You can provide multiple addresses, separated by commas, or on multiple # lines. # # The default is to bind to any IP address. # # Commandline equivalent -B # #ARGUS_BIND_IP="::1,127.0.0.1" #ARGUS_BIND_IP="127.0.0.1" #ARGUS_BIND_IP="192.168.0.68" # By default, Argus will open the first appropriate interface on a # system that it encounters. For systems that have only one network # interface, this is a reasonable thing to do. But, when there are # more than one suitable interface, you should specify the # interface(s) Argus should use either on the command line or in this # file. # # Argus can track packets from any or all interfaces, concurrently. # The interfaces can be tracked as: # 1. independant - this is where argus tracks flows from each # interface independant from the packets seen on any other # interface. This is useful for hosts/routers that # have full-duplex interfaces, and you want to distinguish # flows based on their interface. There is an option to specify # a distinct srcid to each independant modeler. # # 2. duplex - where argus tracks packets from 2 interfaces # as if they were two half duplex streams of the same link. # Because there is a single modeler tracking the 2 # interfaces, there is a single srcid that can be passed as # an option. # # 3. bonded - where argus tracks packets from multiple interfaces # as if they were from the same stream. Because there is a # single modeler tracking the 2 interfaces, there is a single # srcid that can be passed as an option. # # Interfaces can be specified as groups using '[',']' notation, to build # flexible definitions of packet sources. However, each interface # should be referenced only once (this is due to performance and OS # limitations, so if your OS has no problem with this, go ahead). # # The lo (loopback) interface will be included only if it is specifically # indicated in the option. # # The syntax for specifying this either on the command line or in this file: # -i ind:all # -i dup:en0,en1/srcid # -i bond:en0,en1/srcid # -i dup:[bond:en0,en1],en2/srcid # -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') # -i en0 en1 (equivalent '-i bond:en0,en1') # -i en1(dlt)/srcid -i en1(dlt)/srcid # # In all cases, if there is a "-e srcid" provided, the srcid provided is used # as the default. If a srcid is specified using this option, it overrides # the default. # # Commandline equivalent -i # #ARGUS_INTERFACE=any #ARGUS_INTERFACE=ind:all #ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1 #ARGUS_INTERFACE=en0 # By default, Argus will put its interface in promiscuous mode # in order to monitor all the traffic that can be collected. # This can put an undo load on systems. # If the intent is to monitor only the network activity of # the specific system, say to measure the performance of # an HTTP service or DNS service, you'll want to turn # promiscuous mode off. # # The default value is go into prmiscuous mode. # # Commandline equivalent -p # #ARGUS_GO_PROMISCUOUS=yes # Argus supports chroot(2) in order to control the file system that # argus exists in and can access. Generally used when argus is running # with privileges, this limits the negative impacts that argus could # inflict on its host machine. # # This option will cause the output file names to be relative to this # directory, and so consider this when trying to find your output files. # # Commandline equivalent -c # #ARGUS_CHROOT_DIR=/chroot_dir # Argus can be configured to enable detailed control plane # flow monitoring for specific control plane protocols. # # This feature requires full packet capture for the monitored # interface in order to capture the complete control plane # protocol, and will have a performance impact on the sensor. # # The default is to not turn this feature on. # # Commandline equivalent -C # #ARGUS_CAPTURE_FULL_CONTROL_DATA=no # For botnet-cluster is commented ARGUS_CAPTURE_FULL_CONTROL_DATA=no ARGUS_CAPTURE_FULL_CONTROL_DATA=yes # Argus can be directed to change its user id using the setuid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive will cause argus to change its user id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -u # #ARGUS_SETUSER_ID=user # Argus can be directed to change its group id using the setgid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive can be used to change argu's group id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -g # #ARGUS_SETGROUP_ID=group # Argus can write its output to one or a number of files. # The default limit is 5 concurrent files, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_FILE=/full/path/file/name # ARGUS_OUTPUT_FILE="/full/path/file/name filter" # # Most sites will have argus write to a file, for reliablity. # The example file name is used here as supporting programs, # such as ./support/Archive/argusarchive are configured to use # this file (with any chroot'd directory prepended). # # Commandline equivalent -w # #ARGUS_OUTPUT_FILE=/var/log/argus/argus.out # Argus can push its output to one or a number of remote hosts. # The default limit is 5 concurrent output streams, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_STREAM="URI [filter]" # ARGUS_OUTPUT_STREAN="argus-udp://multicastGroup:port # ARGUS_OUTPUT_STREAN="argus-udp://host:port 'tcp and not udp'" # # Most sites will have argus listen() for remote sites to request argus data, # using a "pull" data model. But for some sites and applications, pushing # records without explicit registration is desired. This option will cause # argus to transmit records that match the optional filter, to the configured # targets using UDP as the transport mechanism. # # The primary purpose for this feature is to multicast argus records to # a number of listeners on an interface, but it is not limited to this # purpose. The multicast TTL is set to 128 by default, so that you can # send records some distance. # # Commandline equivalent -w argus-udp://host:port # #ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561 # When Argus is configured to run as a daemon, with the -d # option, Argus can store its pid in a file, to aid in # managing the running daemon. However, creating a system # pid file requires priviledges that may not be appropriate # for all cases. # # When configured to generate a pid file, if Argus cannot # create the pid file, it will fail to run. This variable # is available to override the default, in case this gets # in your way. # # The default value is to generate a pid. The default # path for the pid file, is '/var/run'. # # No Commandline equivalent # ARGUS_SET_PID=yes ARGUS_PID_PATH="/var/run" # Argus will periodically report on a flow's activity every # ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is # new activity on the flow. This is so that you can get a # multiple status reports into the activity of a flow. The # default is 5 seconds, but this number may be too low or # too high depending on your uses. Argus does suppport # a minimum value of 0.000001 seconds. Values under 1 sec # are very useful for doing measurements in a controlled # experimental environment where the number of flows is small. # # Because the status interval affects the memory utilization # of the monitor, find the minimum acceptable value is # recommended. # # Commandline equivalent -S # ARGUS_FLOW_STATUS_INTERVAL=5 # Argus will periodically report on a its own health, providing # interface status, total packet and bytes counts, packet drop # rates, and flow oriented statistics. # # These records can be used as "keep alives" for periods when # there is no network traffic to be monitored. # # The default value is 300 seconds, but a value of 60 seconds is # very common. # # Commandline equivalent -M # ARGUS_MAR_STATUS_INTERVAL=60 # Argus has a number of flow state timers that specify how long argus # will 'remember' the caches of specific flows after they have gone # idle. # # The default values have been chosen to aggresively timeout flow # caches to conserve memory utilization. Increasing values can have # an impact on argus memory use, so take care when modifying values. # # If you think there is a flow type that doesn't have appropriate # timeout support, send email to the developer's list, we'll add one # for you. # #ARGUS_IP_TIMEOUT=30 #ARGUS_TCP_TIMEOUT=60 #ARGUS_ICMP_TIMEOUT=5 #ARGUS_IGMP_TIMEOUT=30 #ARGUS_FRAG_TIMEOUT=5 #ARGUS_ARP_TIMEOUT=5 #ARGUS_OTHER_TIMEOUT=30 # If compiled to support this option, Argus is capable of # generating a lot of debug information. # # The default value is zero (0). # # Commandline equivalent -D # ARGUS_DEBUG_LEVEL=0 # Argus can be configured to report on flows in a manner than # provides the best information for calculating application # reponse times and network round trip times. # # The default value is to not generate this data. # # Commandline equivalent -R # # for botnet-clusterer it was no ARGUS_GENERATE_RESPONSE_TIME_DATA=no #ARGUS_GENERATE_RESPONSE_TIME_DATA=yes ARGUS_GENERATE_RESPONSE_TIME_DATA=yes # Argus can be configured to generate packet size information # on a per flow basis, which provides the max and min packet # size seen . The default value is to not generate this data. # # Commandline equivalent -Z # ARGUS_GENERATE_PACKET_SIZE=yes # Argus can be configured to generate packet jitter information # on a per flow basis. The default value is to not generate # this data. # # Commandline equivalent -J # # for botnet-cluster it was no ARGUS_GENERATE_JITTER_DATA=no #ARGUS_GENERATE_JITTER_DATA=yes ARGUS_GENERATE_JITTER_DATA=yes # Argus can be configured to provide MAC addresses in # it audit data. The default value is to not generate # this data. # # Commandline equivalent -m # ARGUS_GENERATE_MAC_DATA=yes # Argus can be configured to generate metrics that include # the application byte counts as well as the packet count # and byte counters. # # Commandline equivalent -A # ARGUS_GENERATE_APPBYTE_METRIC=yes # Argus by default, generates extended metrics for TCP # that include the connection setup time, window sizes, # base sequence numbers, and retransmission counters. # You can suppress this detailed information using this # variable. # # No commandline equivalent # # for botnet-clusterer was commented ARGUS_GENERATE_TCP_PERF_METRIC=yes #ARGUS_GENERATE_TCP_PERF_METRIC=yes ARGUS_GENERATE_TCP_PERF_METRIC=yes # Argus by default, generates a single pair of timestamps, # for the first and last packet seen on a given flow, during # the obseration period. For bi-directional flows, this # results in loss of some information. By setting this # variable to 'yes', argus will store start and ending # timestamps for both directions of the flow. # # No commandline equivalent # ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes # Argus can be configured to capture a number of user data # bytes from the packet stream. # # The default value is to not generate this data. # # Commandline equivalent -U # ARGUS_CAPTURE_DATA_LEN=64 # Argus uses the packet filter capabilities of libpcap. If # there is a need to not use the libpcap filter optimizer, # you can turn it off here. The default is to leave it on. # # Commandline equivalent -O # #ARGUS_FILTER_OPTIMIZER=yes # You can provide a filter expression here, if you like. # It should be limited to 2K in length. The default is to # not filter. # # The commandline filter will override this filter expression. # #ARGUS_FILTER="" # Argus allows you to capture packets in tcpdump() format # if the source of the packets is a tcpdump() formatted # file or live packet source. # # Specify the path to the packet capture file here. # #ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out" # Argus supports the use of SASL to provide strong # authentication and confidentiality protection. # # The policy that argus uses is controlled through # the use of a minimum and maximum allowable protection # strength. Set these variable to control this policy. # #ARGUS_MIN_SSF=40 #ARGUS_MAX_SSF=128 # Argus supports setting environment variables to enable # functions required by the kernel or shared libraries. # This feature is intended to support libraries such as # the net pf_ring support for libpcap as supported by # code at http://public.lanl.gov/cpw/ # # Setting environment variables in this way does not affect # internal argus variable in any way. As a result, you # can't set ARGUS_PATH using this feature. # # Care should must be taken to assure that the value given # the variable conform's to your systems putenv.3 system call. # You can have as many of these directives as you like. # # The example below is intended to set a libpcap ring buffer # length to 300MB, if your system supports this feature. # #ARGUS_ENV="PCAP_MEMORY=300000" # Argus can be configured to discover tunneling protocols # above the UDP transport header, specifically Teredo # (IPv6 over UDP). The algorithm is simple and so, having # this on by default may generate false tunnel matching. # The default is to not turn this feature on. #ARGUS_TUNNEL_DISCOVERY="no" # Argus can be configured to be self synchronizing with other # argi. This involves using state from packets contents to # synchronize the flow reporting. # #ARGUS_SELF_SYNCHRONIZE=yes # Argus supports the generation of host originated processes # to gather additional data and statistics. These include # periodic processes to poll for SNMP data, as an example, or # to collect host statistics through reading procfs(). Or # single run programs that run at a specified time. # # These argus events, are generated from the complete list of # ARGUS_EVENT_DATA directives that are specified here. # # The syntax is: # Syntax is: "method:path|prog:interval[:postproc]" # Where: method = [ "file" | "prog" ] # pathname | program = "%s" # interval = %d[smhd] [ zero means run once ] # postproc = [ "compress" | "compress2" ] # #ARGUS_EVENT_DATA="prog:/usr/local/bin/ravms:20s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/rasnmp:1m:compress" #ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s" #ARGUS_EVENT_DATA="prog:/usr/local/bin/ralsof:30s:compress" # This version of Argus supports keystroke detection and counting for # TCP connections, with specific algoritmic support for SSH connections. # # The ARGUS_KEYSTROKE variable turns the feature on. Values for # this variable are: # ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking # ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking # ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking # ARGUS_KEYSTROKE="no" [default] # # The algorithm uses a number of variables, all of which can be # modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a # semicolon (';') separated set of variable assignments. Here is # the list of supported variables: # # DC_MIN - (int) Minimum client datagram payload size in bytes # DC_MAX - (int) Maximum client datagram payload size in bytes # GS_MAX - (int) Maximum server packet gap # DS_MIN - (int) Minimum server datagram payload size in bytes # DS_MAX - (int) Maximum server datagram payload size in bytes # IC_MIN - (int) Minimum client interpacket arrival time (microseconds) # LCS_MAX - (int) Maximum something - Not sure what this is # GPC_MAX - (int) Maximum client packet gap # ICR_MIN - (float) Minimum client/server interpacket arrival ratio # ICR_MAX - (float) Maximum client/server interpacket arrival ratio # # All variables have default values, this variable is used to override # those values. The syntax for the variable is: # # botnet-clusterer was commentd ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" # #botnet-clusterer was no ARGUS_KEYSTROKE="no" #ARGUS_KEYSTROKE="ssh" ARGUS_KEYSTROKE="no" #ARGUS_KEYSTROKE_CONF=""