trusty (8) argus_linux.8.gz

Provided by: argus-server_2.0.6.fixes.1-16.3_amd64

NAME

       argus - audit record generation and utilization system

SYNOPSIS

       argus [ options ] [ filter expression ]

       Copyright (c) 2000-2004 QoSient, LLC All rights reserved.

DESCRIPTION

       Argus  is  an IP transaction auditing tool that categorizes IP packets which match the boolean expression
       into a protocol-specific network transaction model.  Argus reports on the transactions that it discovers,
       as they occur.

       Designed  to run as a daemon, argus generally reads packets directly from a network interface, and writes
       the transaction status information to a log file or open socket connected to an  argus  client  (such  as
       ra(1)).   Argus can also read packet information from tcpdump(1), snoop(1) or NLANR's Moat Time Sequence
       Header raw packet files.  Argus can also be configured to write its transaction logs to stdout.

       Argus provides access control for its socket connection facility using  tcp_wrapper  technology.   Please
       refer to the tcp_wrapper distribution for a complete description.

OPTIONS

       -b   Dump  the  compiled  packet-matching  code  to  stdout  and  stop.   This  is  used  to debug filter
            expressions.

       -B   Only bind to the specified IP address (remote access must be enabled by a non-zero port).

       -c   Generate system pid file.  This will cause argus to create a pid file that can be  used  to  control
            the number of argi running on a system.  The default pid file directory is /var/run, and $ARGUSHOME,
            when the OS does not support /var/run.

       -d   Run argus as a daemon.  This will cause argus to do the things that Unix daemons do and  return,  if
            there were no errors, with argus running as a detached process.

       -D   <level>  Print  debug  messages  to  stderr.   The  higher the <level> the more information printed.
            Acceptable levels are 1-8.

       -e   <value> Specify the source identifier for this argus.  Acceptable values are numbers,  hostnames  or
            IP addresses.

       -h   Print an explanation of all the arguments.

       -F   Use  conffile as a source of configuration information.  Options set in this file override any other
            specification, and so this is the last word on option values.

       -I   <number> Specify the <number> of instances that are concurrently allowed.  The default is  1.   This
            impacts the pid file strategy for argus.

       -i   <interface>  Specify  the  physical  network  <interface>  to  be audited.  The default is the first
            network interface that is up and running.

       -J   Generate packet performance data in each audit record.

       -M   <secs> Specify the interval in <secs> of argus status records.  These records are used to report the
            internal status of argus itself.  The default is 300 seconds.

       -m   Don't provide MAC address information in argus records.

       -n   <directory> Specify the pid file directory.  This overrides the default directory location, which is
            /var/run, or $ARGUSHOME if /var/run is not available.  This switch implies the -c switch.

       -O   Turn off Berkeley Packet Filter optimizer.  No reason to do this  unless  you  think  the  optimizer
            generates bad code.

       -p   Do  not  set  the  physical  network  interface in promiscuous mode.  If the interface is already in
            promiscuous mode, this option may have no effect.  Do this to audit only the traffic coming  to  and
            from the system argus is running on.

       -P   <portnum>  Specifies  the  <portnum>  for  remote  client connection.  The default is to not support
            remote access.  Setting the value to zero (0) will forcibly turn off the facility.

       -r   Read from tcpdump(1), snoop(1) or NLANR's Moat Time Sequence Header (tsh) packet capture files.  If
            the packet capture file is a tsh format file, then the -t option must also be used.  Argus will read
            from only one input packet file at a time.  If the -r option is specified, argus will not put down a
            listen(2) to support remote access.

       -R   Generate argus records such that response times can be derived from transaction data.

       -S   <secs> Specify the status reporting interval in <secs> for all traffic flows.

       -t   Indicate  that  the  expected packet capture input file is an NLANR Moat Time Sequence Header (tsh)
            packet capture file.

       -U   Specify the number of user bytes to capture.

       -w   <file> ["filter"] Write transaction status records to <file>.  A <file> of '-' directs argus to write
            the resulting argus-file output to stdout.  The optional "filter" selects which transactions go  to
            this output; it may be repeated for multiple output streams.

       -X   Clear existing argus configuration.  This removes any initialization done prior to encountering this
            flag.  Allows you to eliminate the effects of the /etc/argus.conf file, or any argus.conf files that
            may have been loaded.

       expression
            This  tcpdump(1)  expression  specifies  which  transactions  will be selected.  If no expression is
            given, all transactions are selected.  Otherwise, only transactions for which expression  is  `true'
            will  be  dumped.   For a complete expression format description, please refer to the tcpdump(1) man
            page.

SIGNALS

       Argus catches a number of signal(3) events.  The three signals SIGHUP, SIGINT, and SIGTERM cause argus to
       exit,  writing  TIMEDOUT  status  records for all currently active transactions.  The signal SIGUSR1 will
       turn on debug reporting, and subsequent SIGUSR1 signals,  will  increment  the  debug-level.  The  signal
       SIGUSR2 will cause argus to turn off all debug reporting.

ENVIRONMENT

       $ARGUSHOME - Argus Root directory

FILES

       /etc/argus.conf        - argus daemon configuration file
       /var/run/argus_os.pid  - default PID file naming convention

EXAMPLES

       Run  argus  as  a daemon, writing all its transaction status reports to output-file.  This is the typical
       mode.
              argus -d -e `hostname` -w output-file

       If ICMP traffic is not of interest to you, you can filter out ICMP packets on input.
              argus -w output-file - ip and not icmp

       Argus supports both input filtering and output filtering, and argus  supports  multiple  output  streams,
       each with its own independent filter.

       If  you  are interested in tracking IP traffic only (input filter) and want to report ICMP traffic in one
       output file and all other IP traffic in another file, give each -w its own output filter and  place  the
       input filter after the '-' separator.
              argus -w outfile1 "icmp" -w outfile2 "not icmp" - ip

       Audit the network activity that is flowing between the two gateway routers, whose ethernet addresses  are
       00:08:03:2D:42:01  and  00:00:0C:18:29:F1.   Without  specifying  an  output-file, it is assumed that the
       transaction status reports will be written to a remote client.  In this case we  have  changed  the  port
       that the remote client will use to port 430/tcp.  The filter is quoted so the shell does not interpret
       the parentheses.
              argus -P 430 "ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1)" &

       Audit  each  individual ICMP ECHO transaction.  You would do this to gather Round Trip Time data within
       your network.  Write the output to output-file.
              argus -R -w output-file "echo" - icmp

       Audit all NFS transactions involving the server fileserver and increase the reporting  interval  to  3600
       seconds (to provide high data reduction).  Write the output to output-file.
              argus -S 3600 -w output-file udp and port 2049 &
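       The following wrapper is an added example, not part of the argus distribution or this manual page.  It
       assembles a daemon launch line from the switches documented above (pid file via -n, remote access bound
       to the loopback address with -B/-P, per-output filters plus one input filter after the '-' separator)
       and drives a running argus through the signals described in the SIGNALS section.  The port number, the
       output file names and the $ARGUS_BIN/$PIDDIR variables are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example wrapper for argus; not code from the argus project or man page.
# Assumptions: ARGUS_BIN names the argus binary, PIDDIR is the pid directory
# handed to -n, and the caller supplies the pid file path to argus_control.
ARGUS_BIN="${ARGUS_BIN:-argus}"
PIDDIR="${PIDDIR:-/var/run}"

# Print a launch line that runs argus as a daemon, records a pid file, accepts
# ra(1) clients only on $2 (a loopback address keeps the socket off the wire),
# splits ICMP and non-ICMP IP traffic into two output files, and applies the
# input filter "ip" after the '-' separator that ends the output filters.
# Usage: argus_cmdline <srcid> <bindaddr> <port> <icmpfile> <restfile>
argus_cmdline() {
    srcid=$1 bindaddr=$2 port=$3 icmpfile=$4 restfile=$5
    # -P accepts a port number only; reject anything else before launching.
    case $port in
        ''|*[!0-9]*) echo "argus_cmdline: bad port '$port'" >&2; return 1 ;;
    esac
    line="$ARGUS_BIN -d -e $srcid -n $PIDDIR -B $bindaddr -P $port"
    line="$line -w $icmpfile \"icmp\" -w $restfile \"not icmp\" - ip"
    printf '%s\n' "$line"
}

# Map an operator action onto the signals argus documents:
# SIGUSR1 turns debug reporting on and each further SIGUSR1 raises the level,
# SIGUSR2 turns debug reporting off, and SIGTERM makes argus exit after
# writing TIMEDOUT status records for every active transaction.
signal_for() {
    case $1 in
        debug-up)  echo USR1 ;;
        debug-off) echo USR2 ;;
        stop)      echo TERM ;;
        *)         return 1 ;;
    esac
}

# Deliver the mapped signal to the pid stored in the given pid file.
# Usage: argus_control <debug-up|debug-off|stop> <pidfile>
argus_control() {
    sig=$(signal_for "$1") || { echo "argus_control: unknown action '$1'" >&2; return 1; }
    [ -r "$2" ] || { echo "argus_control: cannot read pid file '$2'" >&2; return 1; }
    kill -"$sig" "$(cat "$2")"
}

# Example launch (port 561 and the file names are constructed for this example):
# eval "$(argus_cmdline "$(hostname)" 127.0.0.1 561 icmp.out ip.out)"
```

       Stop the daemon cleanly with argus_control stop /var/run/argus_os.pid once the pid file exists.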

AUTHORS

       Carter Bullard (carter@qosient.com)

SEE ALSO

       argus.conf(5), hosts_access(5), hosts_options(5), tcpd(8), tcpdump(1)

                                                10 November 2000                                        ARGUS(8)