Argus is the first network flow system, developed by Carter Bullard in the early 1980s at Georgia Tech, and adapted for cyber security incident response at the first Computer Emergency Response Team (CERT) in Carnegie Mellon's Software Engineering Institute in the late 1980s. Since then, network flow technology has become a critical part of modern networking and cyber security, and Argus has been an active part of that evolution.
Argus is network audit technology, providing a network activity audit engine for all network traffic, not just IP. It was modeled after the Public Switched Telephone Network (PSTN) Call Detail Record (CDR), and is designed to account for all network activity in a way that can support all types of network management functions, including security management. Audit is a fundamental NIST security control.
The Argus Project is an open source project focused on proof of concept demonstrations of all aspects of large scale network awareness derived from network flow data. Argus attempts to be the "bleeding edge" of network flow technology, processing packets really fast, either on the wire or in captures, into the richest network flow data available. The Argus system attempts to address a large number of the issues of network flow data processing: scale, performance, applicability, privacy and utility.
Even though Argus is a proof of concept project, it has been used operationally in US Govt, US DoD, DHS, DOE, large corporations and university networks worldwide. It is widely used in network research, supporting diverse projects in network performance analysis, situational awareness, cyber security, machine learning and even Software Defined Network (SDN) chip design, just to name a few.
The Argus architecture is designed to support small and very large scale network auditing. The sensor's real-time data carries a lot of information; it can be stored in files for later processing, or the client programs can be pieced together to provide real-time network data streams for simple network awareness, large scale distributed visibility, even active cyber defense.
If you are interested in using argus, grab the code and dive in. If you would like to participate in the development of Argus, sign up to the mailing lists, grab the code and start playing with what we have, so you can see where you can contribute.
Argus packages for Linux distros are maintained by a diverse group of teams and individuals, so Argus is available for RedHat, Debian, Suse, and Ubuntu using the native software management tools. For Ubuntu, just as an example:
% sudo apt install argus-server
% sudo apt install argus-clients
Argus has been ported to over 20 operating systems over the years, and there is a chance that the source code will compile on your system, as long as you use gcc, flex and bison.
Starting with the current development distro, 126.96.36.199, we'll develop and distribute argus from github.com.
We'll maintain the legacy source code repositories as we have been, but for new development and access to the latest and greatest, please see the github.com repos.
Binary packages for argus-3.0.8 can be generated from the argus distribution tar bundles. We will make packages available as we can make them, and we'll have links here.
If you have, know of, or are in a position to generate, a binary package for any missing platforms, please send mail to the mailing list. We can't accept packages without verifying content, etc., so please mail the list and we'll discuss.
Argus-188.8.131.52 is the current stable version of argus, which you should get as a tarball using the links below.
Development versions of Argus-3.x, which are developed and discussed on the argus development mailing list are available, as alpha and beta code. These packages will have all the latest features, bug-fixes, as well as new bugs ;o). Packages are available here.
The use of Argus versions 2.x is now discouraged. Please consider running argus-3.0.x as your first choice for argus and its client programs. Source code for these distributions can be downloaded via HTTP or FTP from the following locations:
Argus source requires libpcap and GNU bison, and it is suggested that you link argus with tcp_wrappers. Argus can also be linked to cyrus-sasl for remote access security. Copies of the most recent versions of these packages can be found at:
Argus is an open source project released under the GPLv2 License. We do want everyone to use Argus, so if the GPL is not to your liking, please contact us for other available licensing options.
Argus is a network audit system. It is composed of two packages: 1) a packet processing network flow sensor, argus, that generates Argus flow data, and 2) a collection of argus data processing programs, called argus-clients, which can be coupled to build high performance data flow pipelines that process network data in real-time, or uncoupled to support large data science analytics, such as statistical analysis and machine learning. The records can be processed to generate simple reports, such as billing or resource utilization reports on an endpoint basis. Argus performance metrics can be used to report on degradation of network function or verification of SLAs. The ability to label network flow data with geospatial information enables reports to be oriented around country, state, and AS number.
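As an added example of the "uncoupled" use described above (this is not code from the Argus distribution), the script below consumes delimited output from the ra client and builds the kind of per-endpoint utilization report the text mentions. It assumes the records came from a pipeline such as `argus -r capture.pcap -w - | racluster -r - -w - | ra -n -c , -s stime dur proto saddr sport dir daddr dport pkts bytes state`, with column titles printed once; the sample records embedded in the script are constructed, not captured output, and the column titles and state values are assumed to match what that invocation prints.

```python
"""Endpoint utilization report from delimited ra(1) output.

Added example, not part of the Argus project. Assumed producer pipeline:

    argus -r capture.pcap -w - | racluster -r - -w - | \
    ra -n -c , -L0 -s stime dur proto saddr sport dir daddr dport pkts bytes state

The sample below is constructed to look like that output; the column titles
and the REQ/CON/FIN state strings are assumptions about ra's formatting.
"""
import csv
import io
from collections import defaultdict

# Constructed sample (one title line, then flow records).
SAMPLE = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
10:00:01.120000,0.512,tcp,192.0.2.10,51022,->,198.51.100.5,443,34,21860,FIN
10:00:02.001000,0.001,udp,192.0.2.10,53411,<->,192.0.2.1,53,2,210,CON
10:00:02.400000,120.000,tcp,192.0.2.11,40010,->,198.51.100.9,22,2200,3120440,CON
10:00:05.000000,0.000,tcp,203.0.113.7,44444,->,192.0.2.10,3389,1,60,REQ
10:00:05.100000,0.000,tcp,203.0.113.7,44445,->,192.0.2.10,3389,1,60,REQ
"""


def parse_ra_csv(text):
    """Parse comma-separated ra output into dicts with typed counters."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["TotPkts"] = int(r["TotPkts"])
        r["TotBytes"] = int(r["TotBytes"])
        r["Dur"] = float(r["Dur"])
        rows.append(r)
    return rows


def endpoint_bytes(rows):
    """Total bytes per endpoint address.

    TotBytes is the whole flow (both directions), so each record is charged
    to both of its endpoints; this is a utilization view, not a billing split.
    """
    totals = defaultdict(int)
    for r in rows:
        totals[r["SrcAddr"]] += r["TotBytes"]
        totals[r["DstAddr"]] += r["TotBytes"]
    return dict(totals)


def top_talkers(rows, n=3):
    """Endpoints ordered by bytes seen, highest first."""
    ranked = sorted(endpoint_bytes(rows).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


def unanswered_requests(rows):
    """TCP records whose state is still REQ (request seen, never completed).

    A defender reads these as a cue for blocked services, dead hosts or
    unsolicited probing worth a closer look in the full audit trail.
    """
    return [r for r in rows if r["Proto"] == "tcp" and r["State"] == "REQ"]


def report(text):
    """Render the utilization report as lines of text."""
    rows = parse_ra_csv(text)
    lines = ["%-16s %12s" % ("Endpoint", "Bytes")]
    for addr, nbytes in top_talkers(rows, n=len(rows) * 2):
        lines.append("%-16s %12d" % (addr, nbytes))
    pending = unanswered_requests(rows)
    lines.append("unanswered tcp requests: %d" % len(pending))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Point ra at a live stream (`ra -S localhost:561 ...`) instead of a file and the same parser turns into the "coupled" real-time case; the report functions do not care where the records came from.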
Many organizations store Argus records for up to 2 years, to support forensics investigations when a break-in is suspected or to generate compliance reports.
The Argus Project is divided into a number of efforts: data generation, transport, collection, storage, analytics and various metadata enhancements. People contribute to the project through opinions, testing, bug-fixes, modifications to existing programs and library routines, contributions of whole programs, suggestions on architectural approaches, as well as coding style, and marketing, so there are many avenues for contribution.
A key element is the argus data generated by the sensor. Argus data can be considered a superset of all the various flow data technologies today: NetFlow, Jflow, Qflow, Kflow, IPFIX, and the historical flow-tools. Its models, formats, and attributes are designed to support network operations, performance and cyber security, answering questions regarding historical, current and future network activity and use. The data has over 175 attributes covering network identification, services, resource utilization, and packet dynamics, and can be extended with metadata and content labeling. The rich feature set has been used in over 900 academic papers and dozens of PhD and Master's theses investigating divergent topics ranging from machine learning and analytics for cyber security to SD-WAN chip architecture and design.
The argus sensor has been ported to over 24 platforms, including all popular OSs, and has been embedded in a number of systems, with support for real-time OSs like pSOS and VxWorks, as well as modern SDN switches, clouds, VMs and wireless access points. Keeping argus current has always been a focus of the Argus Project and is a part of the project that can always use some help.
The argus-clients effort focuses on the large number of data processing efforts including, but not limited to, data distribution, collection, filtering, aggregation, binning, minimization, privacy, metadata enhancement, geolocation, net-spatial location, compression, anonymization, graphing, databases, analytics, storage, and error correction. With so much to do, you can imagine that this is a space that can use a lot of help.
We've added zeek conn log conversion to argus binary flow data in the new minor release of the argus clients programs. Zeek conversion is done using new functionality in raconvert.1, and we've introduced a new configuration file, raconvert.zeek.conf to the support/Config directory.
Converting zeek conn logs to argus binary records enables the use of Zeek data in the entire Argus framework. While Zeek isn't a network audit system, it is a great NDR system. Processing this data with argus should be really interesting.
COVID-19 really took a toll on Argus development, but we're back!!! We have new software to support Machine Learning which was developed with Sandia and Purdue University throughout 2021. We'll be releasing the Python library we developed in Mar/April. Please Stay Tuned!!!
We've uploaded the next release candidate for argus and its client programs, 184.108.40.206, which are available in the argus.dev directory. Lots of bug fixes, with key client features including JSON printing and better SQL support. This release is designed to support the ML development we're doing, so please take a look, and comment on the mailing list.
The CERIAS at Purdue University Summer Security Seminar Series will host a presentation by Carter Bullard on Network Predictive analytics using Argus. This will highlight the work we've done at DHS developing large scale network awareness for an enterprise SOC.
The European Union Agency for Cyber Security has published Introduction to Network Forensics, Final, Version 1.1, August 2019. This is an excellent document, and refers to the use of Argus quite a bit. Do take a look if you haven't seen it.
The best way to get started using argus is to get the argus sensor and client software (see Getting Argus above), and play around with analyzing a few packet streams, to see how it basically works.