[242] in Intrusion Detection Systems
ftp://ftp.sei.cmu.edu/pub/argus-1.5/argus-1.5.announce
daemon@ATHENA.MIT.EDU (Jim Truitt)
Sun May 21 13:03:13 1995
Date: Mon, 22 May 1995 00:00:02 +1000
To: ids@uow.edu.au
From: jtruitt@iu.net (Jim Truitt)
Reply-To: ids@uow.edu.au
Crosspost
>
> Argus 1.5
> Software Engineering Institute
> Carnegie Mellon University
> argus@sei.cmu.edu
> ftp://ftp.sei.cmu.edu/pub/argus-1.5
>
> This is to announce the availability of the public domain package, Argus,
> a generic IP network transaction auditing tool. Argus runs as an
> application level daemon, promiscuously reading network datagrams from
> a specified interface, and generates network traffic status records
> for the network activity that it encounters. Argus has been built and tested
> under SunOS 4.x, Solaris 2.3, and SGI IRIX5.2. The issue of portability has
> been principally addressed by the use of libpcap-0.0.x.
>
> Argus enables a site to generate comprehensive network transaction
> audit logs, in a fashion that provides for high degrees of data reduction,
> and high degrees of semantic preservation. This has allowed us to perform
> extensive analysis of our network traffic, historically. The package
> includes two example programs for analyzing the network transaction audit
> logs.
>
> By processing these historical network logs, we have been able to,
> among other things:
>
> 1. Verify that our network security access control policies are
> actually being enforced and detect attempts to break through
> our firewall and host based mechanisms.
>
> 2. Perform grade of service analysis for every IP based network
> service that is offered in our network infrastructure.
>
> 3. Identify and troubleshoot difficult transient network problems such
> as intermittent service failure, denial of service attacks and
> host and network configuration problems.
>
> And by using the realtime features of Argus, we have been able to
> develop complex proactive network management tools.
>
>
> The data that Argus generates makes possible the ability to analyze
> network activity and performance in ways that have not been possible
> before. We are routinely answering questions such as:
>
> "Has anyone scanned this subnet for system vulnerabilities, such
> as that performed by SATAN?"
>
> "A new intrusion method has been discovered; has anyone tried
> to use it to attack the CERT Coordination Center's network in
> the past year?"
>
> "Did a new MUD server appear on any of the SEI machines last
> Tuesday?"
>
> "What network traffic was blocked by our router-enforced firewall?"
>
> "What is the average HTTP transaction connection time when a CMU
> host accesses MIT's WWW server?"
>
> "If we move the News server to another subnet, what other machines
> should be moved with it?"
>
> Each of these questions can be answered from the same historical network
> activity audit log.
>
>
> Comprehensive network transaction auditing can make a major impact on
> a site's network security. As we have had a great deal of success in
> using Argus to improve the network security at the Software Engineering
> Institute and CERT Coordination Center, we would like to emphasize this
> advantage of the use of Argus.
>
> We have found that comprehensive network transaction auditing can be a
> powerful network management tool, and we think that a large number
> of sites can benefit from the prototype work that we have done in this
> area. We hope that you find Argus and the support tools helpful.
>
> If you have any questions, comments or suggestions please send
> mail to argus@sei.cmu.edu.
>
>
> Again, thank you for your interest in Argus.
>
> Carter Bullard
> Software Engineering Institute
> Carnegie Mellon University
> wcb@sei.cmu.edu
>
> Chas DiFatta
> Software Engineering Institute
> Carnegie Mellon University
> chas@sei.cmu.edu
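The announcement describes Argus reducing raw datagrams into per-transaction status records and then answering several audit questions from that one log. The following Python sketch is an added example, not Argus code and not from the SEI authors: it collapses constructed packet events into flow records keyed by 5-tuple and runs two of the questions listed above over them (which source probed many host/port pairs on a subnet, and the average HTTP transaction time). The 5-tuple keying, the string-prefix subnet match and the packet data are all simplifying assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed packet events for this example (not Argus output):
# (timestamp_seconds, src, sport, dst, dport, proto)
PACKETS = []
_t = 10.0
# one host touching four ports on three hosts in 192.168.1.0/24, one packet each
for _host in (10, 11, 12):
    for _port in (21, 23, 25, 80):
        PACKETS.append((_t, "10.0.0.5", 5000 + int(_t), "192.168.1.%d" % _host, _port, "tcp"))
        _t += 1.0
# two ordinary HTTP transactions and one SSH session from a second host
PACKETS += [
    (100.0, "10.0.0.7", 40000, "192.168.1.20", 80, "tcp"),
    (100.2, "10.0.0.7", 40000, "192.168.1.20", 80, "tcp"),
    (100.4, "10.0.0.7", 40000, "192.168.1.20", 80, "tcp"),
    (200.0, "10.0.0.7", 40001, "192.168.1.20", 80, "tcp"),
    (200.6, "10.0.0.7", 40001, "192.168.1.20", 80, "tcp"),
    (300.0, "10.0.0.7", 40002, "192.168.1.20", 22, "tcp"),
    (305.0, "10.0.0.7", 40002, "192.168.1.20", 22, "tcp"),
]


def build_flow_records(packets):
    """Data reduction: one record per 5-tuple with first/last time and packet count."""
    flows = {}
    for ts, src, sport, dst, dport, proto in sorted(packets):
        rec = flows.setdefault((src, sport, dst, dport, proto),
                               {"start": ts, "end": ts, "pkts": 0})
        rec["end"] = max(rec["end"], ts)
        rec["pkts"] += 1
    return flows


def scan_sources(flows, prefix, min_targets=8):
    """Sources that reached at least min_targets distinct (host, port) pairs under prefix."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, _proto in flows:
        if dst.startswith(prefix):          # assumption: textual prefix stands in for a subnet
            targets[src].add((dst, dport))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


def mean_service_duration(flows, dport):
    """Mean first-to-last-packet time (s) of multi-packet flows to a service port."""
    d = [r["end"] - r["start"] for k, r in flows.items() if k[3] == dport and r["pkts"] > 1]
    return mean(d) if d else None
```

Single-packet flows are excluded from the duration average so that the probe records counted by `scan_sources` do not drag the HTTP figure toward zero.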