
Logging Methods



Presentation Transcript


  1. Logging Methods
  • Argus – QoSient, LLC – Carter Bullard
  • <http://www.qosient.com/argus>
  • OpenSource effort and proprietary version
  • Same flow model, performance and scaling
  • Origin/History:
    • Early 1990s work at CERT
    • Guerilla work until startup in 1999
    • Continued analysis/experimentation at CMU
  • Validation, IDS, web logging (FlowScan-style)

  2. Argus
  • Applications – audit
  • Edge traffic characterization
  • Security
  • Anonymized research data (use analysis)
  • Traffic accounting
  • Service/Policy discovery
    • who/how/how much
    • Unexpected service delivery?
  • QoS validation
  • Internet call records
    • Who talks to whom – not what’s said
    • Contrast to Carnivore

  3. Argus Flow Logs
  Advantages
  • Authoritative
  • Transaction flow aggregation
  • Strong flow model/semantic
  • TCP window delta/retrans
  • ICMP aggregation
  • Accurate timestamps
  • TCPdump selection syntax
  • Scalable – multiple probes
  • Flexible – put probe anywhere (subnet/switch/host)
  • Limited access to user data
  • Higher level tools for analysis/indexing
  Disadvantages
  • Technology, no sexy apps
  • Limited documentation
  • Probe architecture vs switches, IPSEC, etc.
  • Scaling factors
  • DoS vulnerability

  4. Argus
  • Quick Demo

  5. Interesting Questions
  • Aggregate transaction analysis
    • Web trans frames smtp spam
    • Probes followed by specific connections
  • Application fingerprinting
    • Regardless of port
  • Network service provision
    • End2End or Edge2Ether
    • Ask for a service, not a connection
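As an added example that is not part of the slides or of Argus itself, the Python below works over constructed flow records in the comma-separated layout that `ra -c ,` can print: it aggregates who-talks-to-whom from header-only data (no payload, as slide 2 stresses) and flags the slide-5 pattern of probes followed by a specific connection. The column names and the REQ/RST/CON/FIN state abbreviations are assumptions approximating ra output.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample flows (not real Argus output). Columns assumed to mirror
# `ra -c ,` fields; 10.0.0.5 touches five ports on 10.0.0.9 without completing
# a handshake, then opens a real SSH session; 10.0.0.7 is ordinary HTTPS traffic.
SAMPLE = """\
StartTime,Proto,SrcAddr,Sport,DstAddr,Dport,TotPkts,TotBytes,State
1000.0,tcp,10.0.0.5,40001,10.0.0.9,22,1,60,REQ
1000.1,tcp,10.0.0.5,40002,10.0.0.9,23,1,60,RST
1000.2,tcp,10.0.0.5,40003,10.0.0.9,80,1,60,REQ
1000.3,tcp,10.0.0.5,40004,10.0.0.9,443,1,60,RST
1000.4,tcp,10.0.0.5,40005,10.0.0.9,3306,1,60,REQ
1010.0,tcp,10.0.0.5,40006,10.0.0.9,22,120,14500,FIN
1005.0,tcp,10.0.0.7,51000,10.0.0.9,443,40,9100,CON
"""

PROBE_STATES = {"REQ", "RST"}      # assumed: half-open or refused, no data
CONNECTED_STATES = {"CON", "FIN"}  # assumed: handshake completed

def parse_flows(text):
    """Parse CSV flow records into dicts, converting the numeric columns."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["StartTime"] = float(r["StartTime"])
        r["Dport"] = int(r["Dport"])
        r["TotBytes"] = int(r["TotBytes"])
    return rows

def who_talks_to_whom(flows):
    """Aggregate per (src, dst): (flow count, total bytes). Call-record view."""
    agg = defaultdict(lambda: [0, 0])
    for f in flows:
        agg[(f["SrcAddr"], f["DstAddr"])][0] += 1
        agg[(f["SrcAddr"], f["DstAddr"])][1] += f["TotBytes"]
    return {k: tuple(v) for k, v in agg.items()}

def probes_then_connection(flows, min_ports=3):
    """Return (src, dst, probed_ports, connected_port) where a source probed
    at least min_ports distinct ports on a host and later completed a connection."""
    probed = defaultdict(lambda: {"ports": set(), "last": float("-inf")})
    connected = defaultdict(list)
    for f in flows:
        key = (f["SrcAddr"], f["DstAddr"])
        if f["State"] in PROBE_STATES:
            probed[key]["ports"].add(f["Dport"])
            probed[key]["last"] = max(probed[key]["last"], f["StartTime"])
        elif f["State"] in CONNECTED_STATES:
            connected[key].append((f["StartTime"], f["Dport"]))
    hits = []
    for key, p in probed.items():
        later = sorted(c for c in connected.get(key, []) if c[0] > p["last"])
        if len(p["ports"]) >= min_ports and later:
            hits.append((key[0], key[1], sorted(p["ports"]), later[0][1]))
    return hits
```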
