Viewing Argus


Sabbo

Mar 21, 2016, 3:34:30 PM
to security-onion
Hi Guys,

How do you view the data in Argus? I couldn't find a way to do it from an interface, and I was also wondering what external tools can open the logfile located at:


/nsm/sensor_data/sensorname-eth1/argus

Wes

Mar 21, 2016, 4:21:34 PM
to security-onion

Sabbo,

I generally run Best Practices, so I've not much experience with Argus, but I believe Argus is saved to disk and queried by an argus client or a similar, capable tool:

http://qosient.com/argus/ra.core.examples.shtml

Is there any reason you do not want to view this information using Bro/ELSA? Bro's conn.log already provides similar session data.
(https://github.com/Security-Onion-Solutions/security-onion/wiki/Best-Practices)

You could also try taking a look at the following:

http://nsmwiki.org/Argus
https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
https://groups.google.com/forum/#!searchin/security-onion/argus$20bro$20conn.log/security-onion/NfKMYqcMgYs/Vg4pB1BCumIJ

Thanks,
Wes

Kevin Branch

Mar 21, 2016, 5:23:15 PM
to securit...@googlegroups.com
It's all done from the command line using the ra* tools.  Argus collects very rich flow data and provides very powerful tools for flow analysis, but the learning curve is non-trivial.  If you just want to search for flows matching common criteria, or do basic flow aggregation, using ELSA to interact with BRO_CONN records is probably the best.  If you need to get fancier than ELSA/Bro can go with flows, then roll up your sleeves and start getting to know Argus.  I use Argus all the time and love it.  Wes's links are a good starting point.

Kevin


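As an added example (not part of this thread, and not Security Onion's or Argus's own code), here is what "using the ra* tools from the command line" looks like against the file from the question, plus an awk fallback so the aggregation can be tried without argus-clients installed. Assumptions: ra and racluster are on PATH from the argus-clients package; the flags (-r to read a file, -n for no name resolution, -c for a delimiter, -s for the field list, -m for the racluster aggregation key, and the lone "-" before a filter) are used as described in the Argus client manpages; the path is the one from the question, and if it turns out to be a directory of per-day files you pass one of those files instead. The CSV sample at the bottom is constructed, not real sensor output.

```shell
#!/bin/sh
# Added example (not from the thread): reading the Security Onion argus
# file with the ra* client tools, then doing the same aggregation offline.
# Assumptions: ra/racluster on PATH (argus-clients); flag usage per the
# Argus client manpages; the path is the one from the question (if it is
# a directory of per-day files, pass one of those files instead).
set -e

ARGUS_FILE=/nsm/sensor_data/sensorname-eth1/argus
FIELDS=stime,saddr,sport,daddr,dport,proto,spkts,dpkts,sbytes,dbytes

# Dump flows as CSV (-c ,), no name resolution (-n); an optional filter
# follows the lone "-" (e.g. "tcp and dst port 443").
ra_csv() {
    file=$1; shift
    ra -n -r "$file" -c , -s "$FIELDS" - "$@"
}

# Aggregate flows per source address with racluster (-m picks the key).
ra_per_src() {
    racluster -n -r "$1" -m saddr -s saddr,pkts,bytes
}

# Offline part: the same "who talked the most" aggregation done in awk
# over CSV from ra_csv. Column order is $FIELDS; lines whose sbytes
# column is not numeric (ra's label line) are skipped.
top_talkers_csv() {
    awk -F, '$9 ~ /^[0-9]+$/ { bytes[$2] += $9 + $10 }
             END { for (h in bytes) printf "%s %d\n", h, bytes[h] }' |
        sort -k2,2nr
}

# Print "saddr daddr" for every flow to the given destination port.
flows_to_port() {
    awk -F, -v port="$1" '$5 == port { print $2, $4 }'
}

# Constructed sample of ra_csv output (not real sensor data).
SAMPLE='1458570001.123,10.0.0.5,51234,93.184.216.34,443,tcp,12,10,1800,5200
1458570002.456,10.0.0.5,51235,93.184.216.34,443,tcp,5,4,600,1400
1458570003.789,10.0.0.9,40001,10.0.0.1,53,udp,1,1,70,120
1458570004.000,10.0.0.9,40002,198.51.100.7,22,tcp,30,25,3000,900'

if command -v ra >/dev/null 2>&1 && [ -f "$ARGUS_FILE" ]; then
    # On a sensor: HTTPS flows, then per-source totals.
    ra_csv "$ARGUS_FILE" tcp and dst port 443 | head -n 20
    ra_per_src "$ARGUS_FILE" | head -n 20
else
    echo "ra not available, running the awk helpers on the sample:"
    printf '%s\n' "$SAMPLE" | top_talkers_csv
    printf '%s\n' "$SAMPLE" | flows_to_port 22
fi
```

On a sensor the two ra calls are the whole answer to "how do I view it": ra lists flows, racluster rolls them up. The awk helpers exist so the aggregation step can be checked on the constructed sample (10.0.0.5 totals 9000 bytes, 10.0.0.9 totals 4090) before pointing them at real ra output; for anything beyond sums and port filters, racluster's -m and ra's filter language are the tools to learn.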

Sabbo

Mar 21, 2016, 6:24:47 PM
to security-onion
Thank you both for the responses, I will continue to use Bro Conn for this!

Interesting reads but my usecase is fairly simple!
