Skip to content

Instantly share code, notes, and snippets.

@mbrownnycnyc
Last active December 17, 2015 08:59
Show Gist options
  • Save mbrownnycnyc/5583772 to your computer and use it in GitHub Desktop.
Save mbrownnycnyc/5583772 to your computer and use it in GitHub Desktop.
argus.conf for use with the argus flow probe
#
# Argus Software
# Copyright (c) 2000-2012 QoSient, LLC
# All rights reserved.
#
# Example argus.conf
#
# Argus will open this argus.conf if its installed as /etc/argus.conf.
# It will also search for this file as argus.conf in directories
# specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib,
# or $HOME, $HOME/lib, and parse it to set common configuration
# options. All values in this file can be overriden by command
# line options, or other files of this format that can be read in
# using the -F option.
#
#
# Variable Syntax
#
# Variable assignments must be of the form:
#
# VARIABLE=value
# VARIABLE="compound values"
#
# with no white space between the VARIABLE and the '=' sign.
#
#
# Comments
#
# Comments are supported using a '#' as the first character
# in the string, such as this string that you are reading.
#
# Embedded comments are supported preceeded by a " //" as you
# see in the C language. The preceeding white space is very important.
# The space or tab is absolutely required to delimit the end of the
# variable values and the beginning of the comment. Without the space,
# the comment will be included as a part of the configuration variable.
#
# VARIABLE=value // comment
# VARIABLE="compound values" // comment
#
#
# Variable Explanations
#
# The Argus can be configured to support a large number of
# flow types. The Argus can provide either type, i.e.
# uni-directional or bi-directional flow tracking and
# the flow can be further defined by specifying the key.
# The argus supports a set of well known key strategies,
# such as 'CLASSIC_5_TUPLE', 'LAYER_3_MATRIX', 'LAYER_2_MATRIX',
# 'MPLS', and/or 'VLAN', or the argus can be configured to
# formulate key strategies from a list of the specific
# objects that the Argus understands. See the man page for
# a complete description.
#
# The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.
#
ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
# Argus is capable of running as a daemon, doing all the right things
# that daemons do. When this configuration is used for the system
# daemon process, say for /etc/argus.conf, this variable should be
# set to "yes".
#
# The default value is to not run as a daemon.
#
# This example is to support the ./support/Startup/argus script
# which works when this variable be set to "yes".
#
# Commandline equivalent -d
#
#ARGUS_DAEMON=no
# Argus Monitor Data is uniquely identifiable based on the source
# identifier that is included in each output record. This is to
# allow you to work with Argus Data from multiple monitors at the
# same time. The ID is 32 bits long, and argus suppors a number of
# formats as legitimate values. Argus support unsigned ints, IPv4
# addresses and 4 bytes strings, as values.
#
# The formats are discerned from the values provided. Double-quoted
# values are treated as strings, and are truncated to 4 characters.
# Non-quoted values are tested for whether they are hostnames, and if
# not, then they are tested wheter they are numbers.
#
# The configuration allows for you to use host names, however, do
# have some understanding how `hostname` will be resolved by the
# nameserver before commiting to this strategy completely.
#
# For convenience, argus supports the notion of "`hostname`" for
# assigning the probe's id. This is to support management of
# large deployments, so you can have one argus.conf file that works
# for a lot of probes.
#
# For security, argus does not rely on system programs, like hostname.1.
# It implements the logic of hostname itself, so don't try to run
# arbitrary programs using this method, because it won't work.
#
# Commandline equivalent -e
#
#ARGUS_MONITOR_ID=`hostname` // IPv4 address returned
#ARGUS_MONITOR_ID=10.2.45.3 // IPv4 address
#ARGUS_MONITOR_ID=2435 // Number
ARGUS_MONITOR_ID="ny-sentinel" # // String
# Argus monitors can provide a real-time remote access port
# for collecting Argus data. This is a TCP based port service and
# the default port number is tcp/561, the "experimental monitor"
# service. This feature is disabled by default, and can be forced
# off by setting it to zero (0).
#
# When you do want to enable this service, 561 is a good choice,
# as all ra* clients are configured to try this port by default.
#
# Commandline equivalent -P
#
#ARGUS_ACCESS_PORT=561
# When remote access is enabled (see above), you can specify that Argus
# should bind only to a specific IP address. This is useful, for example,
# in restricting access to the local host, or binding to a private
# interface while capturing from another.
#
# You can provide multiple addresses, separated by commas, or on multiple
# lines.
#
# The default is to bind to any IP address.
#
# Commandline equivalent -B
#
#ARGUS_BIND_IP="::1,127.0.0.1"
#ARGUS_BIND_IP="127.0.0.1"
#ARGUS_BIND_IP="192.168.0.68"
# By default, Argus will open the first appropriate interface on a
# system that it encounters. For systems that have only one network
# interface, this is a reasonable thing to do. But, when there are
# more than one suitable interface, you should specify the
# interface(s) Argus should use either on the command line or in this
# file.
#
# Argus can track packets from any or all interfaces, concurrently.
# The interfaces can be tracked as:
# 1. independant - this is where argus tracks flows from each
# interface independant from the packets seen on any other
# interface. This is useful for hosts/routers that
# have full-duplex interfaces, and you want to distinguish
# flows based on their interface. There is an option to specify
# a distinct srcid to each independant modeler.
#
# 2. duplex - where argus tracks packets from 2 interfaces
# as if they were two half duplex streams of the same link.
# Because there is a single modeler tracking the 2
# interfaces, there is a single srcid that can be passed as
# an option.
#
# 3. bonded - where argus tracks packets from multiple interfaces
# as if they were from the same stream. Because there is a
# single modeler tracking the 2 interfaces, there is a single
# srcid that can be passed as an option.
#
# Interfaces can be specified as groups using '[',']' notation, to build
# flexible definitions of packet sources. However, each interface
# should be referenced only once (this is due to performance and OS
# limitations, so if your OS has no problem with this, go ahead).
#
# The lo (loopback) interface will be included only if it is specifically
# indicated in the option.
#
# The syntax for specifying this either on the command line or in this file:
# -i ind:all
# -i dup:en0,en1/srcid
# -i bond:en0,en1/srcid
# -i dup:[bond:en0,en1],en2/srcid
# -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid')
# -i en0 en1 (equivalent '-i bond:en0,en1')
# -i en1(dlt)/srcid -i en1(dlt)/srcid
#
# In all cases, if there is a "-e srcid" provided, the srcid provided is used
# as the default. If a srcid is specified using this option, it overrides
# the default.
#
# Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above.
#
# Commandline equivalent -i
#
#ARGUS_INTERFACE=any
#ARGUS_INTERFACE=ind:all
#ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1
#ARGUS_INTERFACE=ind:en0/"en0",en2/19234
#ARGUS_INTERFACE=en0
# By default, Argus will put its interface in promiscuous mode
# in order to monitor all the traffic that can be collected.
# This can put an undo load on systems.
# If the intent is to monitor only the network activity of
# the specific system, say to measure the performance of
# an HTTP service or DNS service, you'll want to turn
# promiscuous mode off.
#
# The default value is go into prmiscuous mode.
#
# Commandline equivalent -p
#
#ARGUS_GO_PROMISCUOUS=yes
# Argus supports chroot(2) in order to control the file system that
# argus exists in and can access. Generally used when argus is running
# with privileges, this limits the negative impacts that argus could
# inflict on its host machine.
#
# This option will cause the output file names to be relative to this
# directory, and so consider this when trying to find your output files.
#
# Commandline equivalent -c
#
#ARGUS_CHROOT_DIR=/chroot_dir
# Argus can be configured to enable detailed control plane
# flow monitoring for specific control plane protocols.
#
# This feature requires full packet capture for the monitored
# interface in order to capture the complete control plane
# protocol, and will have a performance impact on the sensor.
#
# The default is to not turn this feature on.
#
# Commandline equivalent -C
#
#ARGUS_CAPTURE_FULL_CONTROL_DATA=no
# Argus can be directed to change its user id using the setuid() system
# call. This is can used when argus is started as root, in order to
# access privileged resources, but then after the resources are opened,
# this directive will cause argus to change its user id value to
# a 'lesser' capable account. Recommended when argus is running as
# daemon.
#
# Commandline equivalent -u
#
#ARGUS_SETUSER_ID=user
# Argus can be directed to change its group id using the setgid() system
# call. This is can used when argus is started as root, in order to
# access privileged resources, but then after the resources are opened,
# this directive can be used to change argu's group id value to
# a 'lesser' capable account. Recommended when argus is running as
# daemon.
#
# Commandline equivalent -g
#
#ARGUS_SETGROUP_ID=group
# Argus can write its output to one or a number of files.
# The default limit is 5 concurrent files, each with their
# own independant filters.
#
# The format is:
# ARGUS_OUTPUT_FILE=/full/path/file/name
# ARGUS_OUTPUT_FILE="/full/path/file/name filter"
#
# Most sites will have argus write to a file, for reliablity.
# The example file name is used here as supporting programs,
# such as ./support/Archive/argusarchive are configured to use
# this file (with any chroot'd directory prepended).
#
# Commandline equivalent -w
#
#ARGUS_OUTPUT_FILE=/var/log/argus/argus.out
# Argus can push its output to one or a number of remote hosts.
# The default limit is 5 concurrent output streams, each with their
# own independant filters.
#
# The format is:
# ARGUS_OUTPUT_STREAM="URI [filter]"
# ARGUS_OUTPUT_STREAN="argus-udp://multicastGroup:port
# ARGUS_OUTPUT_STREAN="argus-udp://host:port 'tcp and not udp'"
#
# Most sites will have argus listen() for remote sites to request argus data,
# using a "pull" data model. But for some sites and applications, pushing
# records without explicit registration is desired. This option will cause
# argus to transmit records that match the optional filter, to the configured
# targets using UDP as the transport mechanism.
#
# The primary purpose for this feature is to multicast argus records to
# a number of listeners on an interface, but it is not limited to this
# purpose. The multicast TTL is set to 128 by default, so that you can
# send records some distance.
#
# Commandline equivalent -w argus-udp://host:port
#
#ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561
# When Argus is configured to run as a daemon, with the -d
# option, Argus can store its pid in a file, to aid in
# managing the running daemon. However, creating a system
# pid file requires priviledges that may not be appropriate
# for all cases.
#
# When configured to generate a pid file, if Argus cannot
# create the pid file, it will fail to run. This variable
# is available to override the default, in case this gets
# in your way.
#
# The default value is to generate a pid. The default
# path for the pid file, is '/var/run'.
#
# No Commandline equivalent
#
ARGUS_SET_PID=yes
ARGUS_PID_PATH="/var/run"
# Argus will periodically report on a flow's activity every
# ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is
# new activity on the flow. This is so that you can get a
# multiple status reports into the activity of a flow. The
# default is 5 seconds, but this number may be too low or
# too high depending on your uses. Argus does suppport
# a minimum value of 0.000001 seconds. Values under 1 sec
# are very useful for doing measurements in a controlled
# experimental environment where the number of flows is small.
#
# Because the status interval affects the memory utilization
# of the monitor, find the minimum acceptable value is
# recommended.
#
# Commandline equivalent -S
#
ARGUS_FLOW_STATUS_INTERVAL=60
# Argus will periodically report on a its own health, providing
# interface status, total packet and bytes counts, packet drop
# rates, and flow oriented statistics.
#
# These records can be used as "keep alives" for periods when
# there is no network traffic to be monitored.
#
# The default value is 300 seconds, but a value of 60 seconds is
# very common.
#
# Commandline equivalent -M
#
ARGUS_MAR_STATUS_INTERVAL=300
# Argus has a number of flow state timers that specify how long argus
# will 'remember' the caches of specific flows after they have gone
# idle.
#
# The default values have been chosen to aggresively timeout flow
# caches to conserve memory utilization. Increasing values can have
# an impact on argus memory use, so take care when modifying values.
#
# If you think there is a flow type that doesn't have appropriate
# timeout support, send email to the developer's list, we'll add one
# for you.
#
#ARGUS_IP_TIMEOUT=30
#ARGUS_TCP_TIMEOUT=60
#ARGUS_ICMP_TIMEOUT=5
#ARGUS_IGMP_TIMEOUT=30
#ARGUS_FRAG_TIMEOUT=5
#ARGUS_ARP_TIMEOUT=5
#ARGUS_OTHER_TIMEOUT=30
# If compiled to support this option, Argus is capable of
# generating a lot of debug information.
#
# The default value is zero (0).
#
# Commandline equivalent -D
#
#ARGUS_DEBUG_LEVEL=0
# Argus can be configured to report on flows in a manner than
# provides the best information for calculating application
# reponse times and network round trip times.
#
# The default value is to not generate this data.
#
# Commandline equivalent -R
#
#ARGUS_GENERATE_RESPONSE_TIME_DATA=no
# Argus can be configured to generate packet size information
# on a per flow basis, which provides the max and min packet
# size seen . The default value is to not generate this data.
#
# Commandline equivalent -Z
#
#ARGUS_GENERATE_PACKET_SIZE=yes
# Argus can be configured to generate packet jitter information
# on a per flow basis. The default value is to not generate
# this data.
#
# Commandline equivalent -J
#
#ARGUS_GENERATE_JITTER_DATA=no
# Argus can be configured to provide MAC addresses in
# it audit data. The default value is to not generate
# this data.
#
# Commandline equivalent -m
#
#ARGUS_GENERATE_MAC_DATA=yes
# Argus can be configured to generate metrics that include
# the application byte counts as well as the packet count
# and byte counters.
#
# Commandline equivalent -A
#
ARGUS_GENERATE_APPBYTE_METRIC=yes
# Argus by default, generates extended metrics for TCP
# that include the connection setup time, window sizes,
# base sequence numbers, and retransmission counters.
# You can suppress this detailed information using this
# variable.
#
# No commandline equivalent
#
#ARGUS_GENERATE_TCP_PERF_METRIC=yes
# Argus by default, generates a single pair of timestamps,
# for the first and last packet seen on a given flow, during
# the obseration period. For bi-directional flows, this
# results in loss of some information. By setting this
# variable to 'yes', argus will store start and ending
# timestamps for both directions of the flow.
#
# No commandline equivalent
#
#ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes
# Argus can be configured to capture a number of user data
# bytes from the packet stream.
#
# The default value is to not generate this data.
#
# Commandline equivalent -U
#
ARGUS_CAPTURE_DATA_LEN=256
# Argus uses the packet filter capabilities of libpcap. If
# there is a need to not use the libpcap filter optimizer,
# you can turn it off here. The default is to leave it on.
#
# Commandline equivalent -O
#
#ARGUS_FILTER_OPTIMIZER=yes
# You can provide a filter expression here, if you like.
# It should be limited to 2K in length. The default is to
# not filter.
#
# The commandline filter will override this filter expression.
#
ARGUS_FILTER="not (src net 192.168.18.0/24 and dst net 192.168.17.0/24) and not (src net 192.168.17.0/24 and dst net 192.168.18.0/24) and not (src net 192.168.3.0/24 and dst net 192.168.2.0/24) and not (src net 192.168.2.0/24 and dst net 192.168.3.0/24)" #
# Argus allows you to capture packets in tcpdump() format if the source
# of the packets is a tcpdump() formatted file or live packet source.
#
# Specify the path to the packet capture file here.
#
# Argus can be further configured to either capture all packets (default) that
# it receives, or to capture only the packets that cause internal errors,
# such as those that can't be classified into an appropritate flow model.
#
# Specify the path to the packet capture file here.
#
#ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"
#ARGUS_PACKET_CAPTURE_ON_ERROR="no"
# Argus supports the use of SASL to provide strong
# authentication and confidentiality protection.
#
# The policy that argus uses is controlled through
# the use of a minimum and maximum allowable protection
# strength. Set these variable to control this policy.
#
#ARGUS_MIN_SSF=40
#ARGUS_MAX_SSF=128
# Argus supports setting environment variables to enable
# functions required by the kernel or shared libraries.
# This feature is intended to support libraries such as
# the net pf_ring support for libpcap as supported by
# code at http://public.lanl.gov/cpw/
#
# Setting environment variables in this way does not affect
# internal argus variable in any way. As a result, you
# can't set ARGUS_PATH using this feature.
#
# Care should must be taken to assure that the value given
# the variable conform's to your systems putenv.3 system call.
# You can have as many of these directives as you like.
#
# The example below is intended to set a libpcap ring buffer
# length to 300MB, if your system supports this feature.
#
#ARGUS_ENV="PCAP_MEMORY=300000"
# Argus can be configured to discover tunneling protocols
# above the UDP transport header, specifically Teredo
# (IPv6 over UDP). The algorithm is simple and so, having
# this on by default may generate false tunnel matching.
# The default is to not turn this feature on.
#ARGUS_TUNNEL_DISCOVERY="no"
# Argus can be configured to be self synchronizing with other
# argi. This involves using state from packets contents to
# synchronize the flow reporting.
#
#ARGUS_SELF_SYNCHRONIZE=yes
# Argus supports the generation of host originated processes
# to gather additional data and statistics. These include
# periodic processes to poll for SNMP data, as an example, or
# to collect host statistics through reading procfs(). Or
# single run programs that run at a specified time.
#
# These argus events, are generated from the complete list of
# ARGUS_EVENT_DATA directives that are specified here.
#
# The syntax is:
# Syntax is: "method:path|prog:interval[:postproc]"
# Where: method = [ "file" | "prog" ]
# pathname | program = "%s"
# interval = %d[smhd] [ zero means run once ]
# postproc = [ "compress" | "compress2" ]
#
#ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-vms:20s:compress"
#ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-snmp:1m:compress"
#ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress"
#ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s"
#ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-lsof:30s:compress"
# This version of Argus supports keystroke detection and counting for
# TCP connections, with specific algoritmic support for SSH connections.
#
# The ARGUS_KEYSTROKE variable turns the feature on. Values for
# this variable are:
# ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking
# ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking
# ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking
# ARGUS_KEYSTROKE="no" [default]
#
# The algorithm uses a number of variables, all of which can be
# modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a
# semicolon (';') separated set of variable assignments. Here is
# the list of supported variables:
#
# DC_MIN - (int) Minimum client datagram payload size in bytes (48)
# DC_MAX - (int) Maximum client datagram payload size in bytes (128)
# GS_MAX - (int) Maximum server packet gap (3)
# DS_MIN - (int) Minimum server datagram payload size in bytes (24)
# DS_MAX - (int) Maximum server datagram payload size in bytes (256)
# IC_MIN - (int) Minimum client interpacket arrival time (50000 microseconds)
# LCS_MAX - (int) Maximum something - Not sure what this is
# GPC_MAX - (int) Maximum client packet gap (3)
# ICR_MIN - (float) Minimum client/server interpacket arrival ratio (0.816)
# ICR_MAX - (float) Maximum client/server interpacket arrival ratio (1.122)
#
# All variables have default values, this variable is used to override
# those values. The syntax for the variable is:
#
# ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20"
#
#ARGUS_KEYSTROKE="no"
#ARGUS_KEYSTROKE_CONF="GPC_MAX=4"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment