Provided by: argus-server_2.0.6.fixes.1-16.3ubuntu1_amd64 bug

NAME

       argus - audit record generation and utilization system

SYNOPSIS

       argus [ options ] [ filter expression ]

COPYRIGHT

       Copyright (c) 2000-2004 QoSient, LLC All rights reserved.

DESCRIPTION

       Argus  is  an  IP  transaction  auditing  tool that categorizes IP packets which match the
       boolean expression into a protocol-specific network transaction model.  Argus  reports  on
       the transactions that it discovers, as they occur.

       Designed  to  run  as  a  daemon,  argus  generally  reads packets directly from a network
       interface, and writes the transaction status information to a  log  file  or  open  socket
       connected to an argus client (such as ra(1)).  Argus can also read packet information from
       tcpdump(1) , snoop(1) or NLANR's Moat Time Sequence Header raw packet  files.   Argus  can
       also be configured to write its transaction logs to stdout.

       Argus  provides  access  control  for  its  socket  connection  facility using tcp_wrapper
       technology.  Please refer to the tcp_wrapper distribution for a complete description.

OPTIONS

       -b   Dump the compiled packet-matching code to stdout and stop.  This  is  used  to  debug
            filter expressions.

       -B   Only  bind  to  the specified IP address (remote access must be enabled by a non-zero
            port).

       -c   Generate system pid file.  This will cause argus to create a pid  file  that  can  be
            used  to  control  the  number  of  argi  running  on a system.  The default pid file
            directory is /var/run, and $ARGUSHOME, when the OS does not suppor /var/run.

       -d   Run argus as a daemon.  This will cause argus to do the things that Unix  daemons  do
            and return, if there were no errors, with argus running as a detached process.

       -D   <level>  Print debug messages to stderr.  The higher the <level> the more information
            printed.  Acceptable levels are 1-8.

       -e   <value> Specify the source identifier for this argus.  Acceptable values are numbers,
            hostnames or ip address.

       -h   Print an explanation of all the arguments.

       -F   Use  conffile  as  a  source  of configuration information.  Options set in this file
            override any other specification, and so this is the last word on option values.

       -I   <number> Specify the <number>  of  instances  that  are  concurrently  allowed.   The
            default is 1.  This is impacts the pid file strategy for argus.

       -i   <interface>  Specify  the physical network <interface> to be audited.  The default is
            the first network interface that is up and running.

       -J   Generate packet peformance data in each audit record.

       -M   <secs> Specify the interval in <secs> of argus status  records.   These  records  are
            used to report the internal status of argus itself.  The default is 300 seconds.

       -m   Don't provide MAC addresses information in argus records.

       -n   <directory>  Specify  the  pid  file directory.  This overrides the default directory
            location, which is /var/run, or $ARGUSHOME if /var/run is not available.  This switch
            implies the -c switch.

       -O   Turn off Berkeley Packet Filter optimizer.  No reason to do this unless you think the
            optimizer generates bad code.

       -p   Do not set the physical network interface in promiscuous mode.  If the  interface  is
            already  in  promiscuous mode, this option may have no effect.  Do this to audit only
            the traffic coming to and from the system argus is running on.

       -P   <portnum> Specifies the <portnum> for remote client connection.  The  default  is  to
            not support remote access.  Setting the value to zero (0) will forceably turn off the
            facility.

       -r   Read from tcpdump(1) , snoop(1) or NLANR's Moat Time  Sequence  Header  (tsh)  packet
            capture  files.   If the packet capture file is a tsh format file, then the -t option
            must also be used.  Argus will read from only one input packet file at  a  time.   If
            the  -r  option  is  specified, argus will not put down a listen(2) to support remote
            access.

       -R   Generate argus records such that response times can be derived from transaction data.

       -S   <secs> Specify the status reporting interval in <secs> for all traffic flows.

       -t   Indicate that the expected packet capture input file is a NLANR's Moat Time  Sequence
            Header (tsh) packet capture file.

       -U   Specify the number of user bytes to capture.

       -w   <file  ["filter"] Write transaction status records to output-file.  An output-file of
            '-' directs argus to write the resulting argus-file output to stdout.

       -X   Clear existing argus configuration.  This removes any initialization  done  prior  to
            encountering  this  flag.  Allows you to eliminate the effects of the /etc/argus.conf
            file, or any argus.conf files that may have been loaded.

       expression
            This tcpdump(1) expression specifies which transactions  will  be  selected.   If  no
            expression is given, all transactions are selected.  Otherwise, only transactions for
            which expression is  `true'  will  be  dumped.   For  a  complete  expression  format
            description, please refer to the tcpdump(1) man page.

SIGNALS

       Argus catches a number of signal(3) events.  The three signals SIGHUP, SIGINT, and SIGTERM
       cause  argus  to  exit,  writing  TIMEDOUT  status  records  for  all   currently   active
       transactions.   The  signal  SIGUSR1  will turn on debug reporting, and subsequent SIGUSR1
       signals, will increment the debug-level. The signal SIGUSR2 will cause argus to  turn  off
       all debug reporting.

ENVIRONMENT

       $ARGUSHOME - Argus Root directory

FILES

       /etc/argus.conf        - argus daemon configuration file
       /var/run/argus_os.pid  - default PID file nameing convention

EXAMPLES

       Run argus as a daemon, writing all its transaction status reports to output-file.  This is
       the typical mode.
              argus -d -e `hostname` -w output-file

       If ICMP traffic is not of interest to you, you can filter out ICMP packets on input.
              argus -w output-file - ip and not icmp

       Argus supports both input filtering and output  filtering,  and  argus  supports  multiple
       output streams, each with their own independant filters.

       If  you  are interested in tracking IP traffic only (input filter) and want to report ICMP
       traffic in one output file, and all other IP traffic in another file.
              argus -w outfile1 "icmp" -w outfile2 "not icmp" - ip

       Audit the network activity that is flowing between the two gateway routers, whose ethernet
       addresses are 00:08:03:2D:42:01 and 00:00:0C:18:29:F1.  Without specifying an output-file,
       it is assumed that the transaction status reports will be written to a remote client.   In
       this case we have changed the port that the remote client will use to port 430/tcp.
              argus -P 430 ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1) &

       Audit  each  individual  ICMP  ECHO transaction.  You would do this gather Round Trip Time
       data within your network.  Write the output to output-file.
              argus -R -w output-file "echo" - icmp

       Audit all NFS transactions involving the server  fileserver  and  increase  the  reporting
       interval  to  3600  seconds (to provide high data reduction).  Write the output to output-
       file.
              argus -S 3600 -w output-file udp and port 2049 &

AUTHORS

       Carter Bullard (carter@qosient.com)

SEE ALSO

       argus.conf(5), hosts_access(5), hosts_options(5), tcpd(8), tcpdump(1)

                                         10 November 2000                                ARGUS(8)