Provided by: argus-server_3.0.8.2-2.1_amd64 bug


       argus.conf - argus resource file.




       Copyright (c) 2000-2015 QoSient, LLC   All rights reserved.


       This  is  the  canonical argus configuration file.  All options that argus supports can be
       turned on or modified using this configuration format.  Argus will  search  for  a  system
       /etc/argus.conf  file  and will open it and use it to seed all configuration options.conf.
       Previous versions of Argus supported searching for argus.conf in  $ARGUSPATH,  $ARGUSHOME,
       $ARGUSHOME/lib,  $HOME, and $HOME/lib, but this support is deprecated.  All values in this
       file can be overriden by command line options, or other configuration files of this format
       when specified in using the -F option.

       Argus  will  read  any number of configuration files using the -F option, and command-line
       order is very important.

Variable Syntax

       Variable assignments must be of the form:
       with no white space between the VARIABLE and the '=' sign.  Quotes are optional for string
       arguments, but if you want to embed comments, then quotes are required.


       The  Argus  can  be  configured  to  support  a large number of flow types.  The Argus can
       provide either type, i.e.  uni-directional or bi-directional flow tracking  and  the  flow
       can  be further defined by specifying the key.  The argus supports a set of well known key
       strategies, such as 'CLASSIC_5_TUPLE', 'LAYER_3_MATRIX', 'LAYER_2_MATRIX', ┬┤MPLS',  and/or
       'VLAN',  or  the  argus  can  be configured to formulate key strategies from a list of the
       specific objects that the Argus understands.  See the man page for a complete description.

       The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.

       There is no commandline equivalent.



       Argus is capable of running as a daemon, doing all the right things that daemons do.  When
       this  configuration  is  used for the system daemon process, say for /etc/argus.conf, this
       variable should be set to "yes".

       In the examples seen in the ./support/Startup/argus scripts, this value is set  to  "yes",
       as  the  system startup strategy requires the program to daemonize themselves, returning a
       value to the system, hopefully quickly.  Some systems,  however,  want  to  daemonize  the
       tasks themselves, and those cases, the value must be set to "no".

       which requires that this variable be set to "yes".

       The default value is to not run as a daemon.

       Commandline equivalent  -d



       Argus  Monitor  Data  is  uniquely  identifiable  based  on  the source identifier that is
       included in each output record.  This is to  allow  you  to  work  with  Argus  Data  from
       multiple monitors at the same time.  The ID is 32 bits long, and argus suppors a number of
       formats as legitimate values. Argus support unsigned ints,  IPv4  addresses  and  4  bytes
       strings, as values.

       The  formats  are discerned from the values provided.  Double-quoted values are treated as
       strings, and are truncated to 4 characters.  Non-quoted values are tested for whether they
       are hostnames, and if not, then they are tested wheter they are numbers.

       The  configuration  allows  for you to use host names, however, do have some understanding
       how `hostname` will be resolved by  the  nameserver  before  commiting  to  this  strategy

       For  convenience,  argus supports the notion of "`hostname`" for assigning the probe's id.
       This is to support management of large deployments, so you can have  one  argus.conf  file
       that works for a lot of probes.

       For  security, argus does not rely on system programs, like hostname.1.  It implements the
       logic of hostname itself, so don't try  to  run  arbitrary  programs  using  this  method,
       because it won't work.

       Commandline equivalent   -e

       ARGUS_MONITOR_ID=`hostname`    // IPv4 address returned
       ARGUS_MONITOR_ID=     // IPv4 address
       ARGUS_MONITOR_ID=2435          // Number
       ARGUS_MONITOR_ID="en0"         // String


       Argus monitors can provide a real-time remote access port for collecting Argus data.  This
       is a TCP based port service and the default port  number  is  tcp/561,  the  "experimental
       monitor"  service.   This feature is disabled by default, and can be forced off by setting
       it to zero (0).

       When you do want to enable this service, 561 is a good choice,  as  all  ra*  clients  are
       configured to try this port by default.

       Commandline equivalent  -P



       When  remote access is enabled (see above), you can specify that Argus should bind only to
       a specific IP address. This is useful, for example, in restricting  access  to  the  local
       host, or binding to a private interface while capturing from another.

       You can provide multiple addresses, separated by commas, or on multiple lines.

       The default is to bind to any IP address.

       Commandline equivalent  -B



       By  default,  Argus  will  open  the  first  appropriate  interface  on  a  system that it
       encounters.  For systems that have only one network interface, this is a reasonable  thing
       to  do.   But,  when  there  are  more than one suitable interface, you should specify the
       interface(s) Argus should use either on the command line or in this file.

       Argus can track packets from any or all interfaces, concurrently.  The interfaces  can  be
       tracked as:
         1.  independant - this is where argus tracks flows from each
                interface independant from the packets seen on any other
                interface.  This is useful for hosts/routers that
                have full-duplex interfaces, and you want to distinguish
                flows based on their interface. There is an option to specify
                a distinct srcid to each independant modeler.

         2.  duplex - where argus tracks packets from 2 interfaces
                as if they were two half duplex streams of the same link.
                Because there is a single modeler tracking the 2
                interfaces, there is a single srcid that can be passed as
                an option.

         3.  bonded - where argus tracks packets from multiple interfaces
                as if they were from the same stream.  Because there is a
                single modeler tracking the 2 interfaces, there is a single
                srcid that can be passed as an option.

        Interfaces can be specified as groups using '[',']' notation, to build
        flexible definitions of packet sources.  However, each interface
        should be referenced only once (this is due to performance and OS
        limitations, so if your OS has no problem with this, go ahead).

        The lo (loopback) interface will be included only if it is specifically
        indicated in the option.

        The syntax for specifying this either on the command line or in this file:
           -i ind:all
           -i dup:en0,en1/srcid
           -i bond:en0,en1/srcid
           -i dup:[bond:en0,en1],en2/srcid
           -i en0/srcid -i en1/srcid  (equivalent '-i ind:en0/srcid,en1/srcid')
           -i en0 en1     (equivalent '-i bond:en0,en1')

        In all cases, if there is a "-e srcid" provided, this is used as the
        default.  If a srcid is specified using this option, it overrides
        the default.

        Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above.

       Commandline equivalent   -i



       By  default,  Argus will put its interface in promiscuous mode in order to monitor all the
       traffic that can be collected.  This can put an undo load on systems.

       If the intent is to monitor only the network activity  of  the  specific  system,  say  to
       measure the performance of an HTTP service or DNS service, you'll want to turn promiscuous
       mode off.

       The default value goes into prmiscuous mode.

       Commandline equivalent  -p



       Argus supports chroot(2) in order to control the file system that argus exists in and  can
       access.   Generally  used  when argus is running with privileges, this limits the negative
       impacts that argus could inflict on its host machine.

       This option will cause the output file names to be relative  to  this  directory,  and  so
       consider this when trying to find your output files.

       Commandline equivalent   -c dir



       Argus  can  be directed to change its user id using the setuid() system call.  This is can
       used when argus is started as root, in order to  access  privileged  resources,  but  then
       after  the  resources  are  opened,  this directive will cause argus to change its user id
       value to a 'lesser' capable account.  Recommended when argus is running as daemon.

       Commandline equivalent   -u user



       Argus can be directed to change its group id using the setgid() system call.  This is  can
       used  when  argus  is  started  as root, in order to access privileged resources, but then
       after the resources are opened, this directive can be used to change argu's group id value
       to a 'lesser' capable account.  Recommended when argus is running as daemon.

       Commandline equivalent   -g group



       Argus  can  write  its  output  to one or a number of files, default limit is 5 concurrent
       files, each with their own independant filters.

       The format is:
            ARGUS_OUTPUT_FILE=/full/path/file/name "filter"

       Most sites will have argus write to a file, for reliablity and performance.   The  example
       file  name is used here as supporting programs, such as ./support/Archive/argusarchive are
       configured to use this file.

       Commandline equivalent  -w



       Argus can write its output to one or a number of remote hosts.  The  default  limit  is  5
       concurrent output streams, each with their own independant filters.

       The format is:
            ARGUS_OUTPUT_STREAM="URI [filter]"
            ARGUS_OUTPUT_STREAN="argus-udp://host:port 'tcp and not udp'"

       Most  sites  will have argus listen() for remote sites to request argus data, but for some
       sites and applications sending records without registration is desired.  This option  will
       cause  argus to transmit records that match the optional filter, to the configured targets
       using UDP as the transport mechanism.

       Commandline equivalent   -w argus-udp://host:port



       When Argus is configured to run as a daemon, with the -d option, Argus can store  its  pid
       in  a  file,  to  aid in managing the running daemon.  However, creating a system pid file
       requires privileges that may not be appropriate for all cases.

       When configured to generate a pid file, if Argus cannot create the pid file, it will  fail
       to  run.  This variable, and the directory the pid is written to, is available to override
       the default, in case this gets in your way.

       The default value is to generate a pid.  The default path for the pid file, is '/var/run'.

       No Commandline equivalent



       Argus will periodically report  on  a  flow's  activity  every  ARGUS_FLOW_STATUS_INTERVAL
       seconds, as long as there is new activity on the flow.  This is so that you can get a view
       into the activity of very long lived flows.  The default is 60 seconds,  but  this  number
       may be too low or too high depending on your uses.

       The  default  value  is  60 seconds, but argus does support a minimum value of 1.  This is
       very useful for doing measurements in a  controlled  experimental  environment  where  the
       number of flows is < 1000.

       Commandline equivalent  -S



       Argus  will  periodically  report  on  a its own health, providing interface status, total
       packet and bytes counts, packet drop rates, and flow oriented statistics.

       These records can be used as "keep alives" for periods when there is no network traffic to
       be monitored.

       The default value is 300 seconds, but a value of 60 seconds is very common.

       Commandline equivalent  -M



       If  compiled  to  support  this  option,  Argus  is  capable  of generating a lot of debug

       The default value is zero (0).

       Commandline equivalent  -D



       Argus can be configured to generate packet size information on a  per  flow  basis,  which
       provides  the  max  and  min packet size seen .  The default value is to not generate this

       Commandline equivalent   -Z



       Argus can be configured to generate packet jitter information on a per  flow  basis.   The
       default value is to not generate this data.

       Commandline equivalent  -J



       Argus  can be configured to not provide MAC addresses in it audit data.  This is available
       if MAC address tracking and audit is not a requirement.

       The default value is to not generate this data.

       Commandline equivalent  -m



       Argus can be configured to generate metrics that include the application  byte  counts  as
       well as the packet count and byte counters.

       Commandline equivalent  -A



       Argus  by  default,  generates  extended metrics for TCP that include the connection setup
       time, window sizes, base sequence numbers, and retransmission counters.  You can  suppress
       this detailed information using this variable.

       No commandline equivalent



       Argus  by  default,  generates  a single pair of timestamps, for the first and last packet
       seen on a given flow, during  the  obseration  period.   For  bi-directional  flows,  this
       results  in loss of some information.  By setting this variable to 'yes', argus will store
       start and ending timestamps for both directions of the flow.

       No commandline equivalent



       Argus can be configured to capture a number of user data bytes from the packet stream.

       The default value is to not generate this data.

       Commandline equivalent  -U



       Argus uses the packet filter capabilities of libpcap.  If there is a need to not  use  the
       libpcap filter optimizer, you can turn it off here.  The default is to leave it on.

       Commandline equivalent  -O



       You  can  provide  a  filter  expression here, if you like.  It should be limited to 2K in
       length.  The default is to not filter.

       No Commandline equivalent



       Argus allows you to capture packets in tcpdump() format if the source of the packets is  a
       tcpdump() formatted file or live packet source.

       Specify the path to the packet capture file here.



       Argus  supports  the  use  of  SASL  to  provide strong authentication and confidentiality

       The policy that argus uses is  controlled  through  the  use  of  a  minimum  and  maximum
       allowable  protection  strength,  which is standard for SASL based appliations.  Set these
       variable to control this policy.  The default is no security policy.



       Argus supports setting the pcap buffer size.  You can use the abbreviations  K,  M,  G  to
       specify thousands, millions or billions of bytes.



       Argus supports setting environment variables to enable functions required by the kernel or
       shared libraries.  This feature is intended to support libraries such as the  net  pf_ring
       support for libpcap as supported by code at

       Setting  environment  variables in this way does not affect internal argus variable in any
       way. As a result, you can't set ARGUS_PATH using this feature.

       Care should must be taken to assure that the value given the variable  conform's  to  your
       systems putenv.3 system call.  You can have as many of these directives as you like.

       The example below is intended to set a libpcap ring buffer length to 300MB, if your system
       supports this feature.



       Argus can be configured to discover tunneling protocols above the  UDP  transport  header,
       specifically  Teredo  (IPv6  over UDP).  The algorithm is simple and so, having this on by
       default may generate false tunnel matching.

       The default is to not turn this feature on.



       Argus supports the generation of host originated processes to gather additional  data  and
       statistics.   These include periodic processes to poll for SNMP data, as an example, or to
       collect host statistics through reading procfs().  Or single run programs that  run  at  a
       specified time.

       These  argus  events,  are generated from the complete list of ARGUS_EVENT_DATA directives
       that are specified here.

       The syntax is:
            Syntax is: "method:path|prog:interval[:postproc]"
                Where:  method = [ "file" | "prog" ]
                      pathname | program = "%s"
                      interval = %d[smhd] [ zero means run once ]
                      postproc = [ "compress" | "compress2" ]



       This version of Argus supports keystroke detection and counting for TCP connections,  with
       specific algorithmic support for SSH connections.

       The ARGUS_KEYSTROKE variable turns the feature on. Values for this variable are:
             ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking
             ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking
             ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking
             ARGUS_KEYSTROKE="no"    [default]

       The  algorithm  uses  a  number  of  variables,  all  of  which  can  be modifed using the
       ARGUS_KEYSTROKE_CONF descriptor, which is a semicolon  (';')  separated  set  of  variable
       assignments.  Here is the list of supported variables:
         DC_MIN  -   (int) Minimum client datagram payload size in bytes
         DC_MAX  -   (int) Maximum client datagram payload size in bytes
         GS_MAX  -   (int) Maximum server packet gap
         DS_MIN  -   (int) Minimum server datagram payload size in bytes
         DS_MAX  -   (int) Maximum server datagram payload size in bytes
         IC_MIN  -   (int) Minimum client interpacket arrival time (microseconds)
         LCS_MAX -   (int) Maximum something - Not sure what this is
         GPC_MAX -   (int) Maximum client packet gap
         ICR_MIN - (float) Minimum client/server interpacket arrival ratio
         ICR_MAX - (float) Maximum client/server interpacket arrival ratio

       All  variables  have  default values, this variable is used to override those values.  The
       syntax for the variable is: