Argus is the first network flow system, developed by Carter Bullard in the early 1980's at Georgia Tech, and adopted for cyber security at the Software Engineering Institute's CERT-CC, at Carnegie Mellon University, in the late 1980's.
The Argus Project is an open source project focused on demonstrating all aspects of large scale network situational awareness that can be derived from network activity data. Argus attempts to be the "bleeding edge" of network flow technology, processing packets, either on the wire or in captures, into rich network flow data that can be used for hundreds of applications. The data, its models, formats, and attributes are designed to support Network Operations, Performance and Security Management. The goal of the Argus Project is to answer questions about what is going on in your network, historically, right now or in the near future. Hopefully, many will find Argus a useful tool.
The open source project works on network flow data generation, data distribution and analytics.
Argus is composed of an advanced, comprehensive network flow data generator, the Argus sensor, which processes packets (either capture files or live packet data) and generates detailed network flow status reports for all the flows in the packet stream. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, goodput, loss, jitter, retransmission, and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc.), protocol ids, SAPs, hop count, options, L4 transport identification (RTP, RTCP detection), host flow control indications, etc.
Argus is used by many sites to generate network activity reports for every network transaction on their networks. The network audit data that Argus generates is great for security, operations and performance management. The data is used for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting covert channels, and analyzing zero-day events.
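Two of the uses named above, a service inventory and a reachability view, fall out of the flow records once they are in text form. The example below is added here and is not part of the Argus distribution: it parses constructed sample rows in the comma-delimited layout that `ra -n -c , -s stime proto saddr sport dir daddr dport pkts bytes state` prints (the column labels and the state codes REQ/CON/FIN/RST are ra's; the rows, addresses and the choice of which states count as "answered" are assumptions of this example).

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample of ra's comma-delimited output for an argus file.
# Field order and labels follow the -s list above; the rows are made up.
SAMPLE_RA_CSV = """\
StartTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
2019-01-15 10:00:01.000000,tcp,192.0.2.10,51000,->,198.51.100.5,443,24,18120,FIN
2019-01-15 10:00:02.000000,tcp,192.0.2.11,51001,->,198.51.100.5,443,40,30210,CON
2019-01-15 10:00:03.000000,udp,192.0.2.10,53210,<->,198.51.100.53,53,2,198,CON
2019-01-15 10:00:04.000000,tcp,192.0.2.77,40001,->,198.51.100.5,22,1,74,REQ
2019-01-15 10:00:04.100000,tcp,192.0.2.77,40002,->,198.51.100.5,23,1,74,REQ
2019-01-15 10:00:04.200000,tcp,192.0.2.77,40003,->,198.51.100.5,25,1,74,REQ
2019-01-15 10:00:05.000000,tcp,192.0.2.12,51002,->,198.51.100.6,80,2,118,RST
"""

# Assumption: a flow whose state reached CON or FIN was answered by the
# destination, so it is evidence of a live service. REQ means only the
# request side was seen; RST on a 2-packet flow is a refused connection.
ANSWERED = {"CON", "FIN"}

def parse_ra_csv(text):
    """Parse ra's comma-delimited output (header row first) into dicts."""
    return list(csv.DictReader(StringIO(text)))

def service_inventory(rows):
    """Answered flows per (server address, port, proto): the service inventory view."""
    inv = Counter()
    for r in rows:
        if r["State"] in ANSWERED:
            inv[(r["DstAddr"], int(r["Dport"]), r["Proto"])] += 1
    return inv

def unanswered_by_source(rows):
    """Sources whose TCP requests got no reply at all, with the ports they tried."""
    seen = defaultdict(set)
    for r in rows:
        if r["Proto"] == "tcp" and r["State"] == "REQ":
            seen[r["SrcAddr"]].add(int(r["Dport"]))
    return {src: sorted(ports) for src, ports in seen.items()}

if __name__ == "__main__":
    rows = parse_ra_csv(SAMPLE_RA_CSV)
    for (host, port, proto), n in sorted(service_inventory(rows).items()):
        print(f"{host}:{port}/{proto}  answered flows: {n}")
    for src, ports in unanswered_by_source(rows).items():
        print(f"{src} had unanswered requests to ports {ports}")
```

On a real argus file, replace SAMPLE_RA_CSV with the output of the ra command from the lead-in (ra's own filter syntax after `-` can narrow it to the hosts of interest).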
Argus is an Open Source project, currently running on Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, HP-UX, VxWorks, IRIX, Windows (under Cygwin) and OpenWrt. It has been ported to many hardware accelerated platforms, such as Pluribus, Arista, and Tilera, and embedded in network adapters. The software should be portable to many other environments with little or no modification. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.
The Argus Project has moved to a new site, openargus.org. The site is still a work in progress, but it is an attempt to freshen the argus project and to introduce a new project focus for the open source effort.
We will attempt to support specific development projects: Machine Learning, NIDS, Policy and the general topic of Argus analytics. Please send your comments to the email list.
CounterFlow AI is now a corporate sponsor of the Argus open source project, joining the group of distinguished supporters: Stanford, Duke and QoSient LLC. Through their generous gift, we're able to modernize the argus web site and to begin a set of new projects that we hope will be of interest to the argus community.
If you also would like to help the Argus effort, please consider a sponsorship or donate to the open argus project.
The Argus Archives have now been moved to a new site @ pair.net and are being updated accordingly. We moved the last 20 years of the archive to the new site based on Gmane's NNTP retention times. If there is demand to add back the first 8 years, I'll see what we can do. With some crossed-finger support, Google should start indexing the new site this week. The interface is a bit dated, as it is using Mailman v2 pipermail. With an update to Mailman v3, we'll move to HyperKitty. If you have suggestions, please send them to the mailing list.
The NNTP collection and distribution of the argus newsgroup is still ongoing @ gmane.org. Go to nntp://news.gmane.org/gmane.network.argus. If you have any problems, of course, send email to the list.
Happy New Year !!! Hope all is most excellent with each of you in 2019 !!
There is action in the Argus world for 2019. We're re-establishing the argus mailing-list archive, which was on gmane.org for so long. The NSF Advanced Measurement Initiative (AMI) Insight 2 project, which provides an Elasticsearch and Kibana stack for argus data, is coming to a conclusion; their software is in testing and should be available soon. Commercial ArgusPro is progressing nicely, with commercial hardware and software versions of Argus. If you're looking for commercial licenses of Argus, supported versions, and/or really fast appliances, be sure to contact us. 2019 should be an exciting year.
Argus for clouds is a big deal in 2019, with cloud-init support for rpm and Debian based Linux. Strategies and considerations for cloud forensics analysis will be introduced in argus-188.8.131.52 with an argus-184.108.40.206 release; hopefully it will generate some good discussions.
We will be making Argus-220.127.116.11 available as the next dev / test version this quarter. It is a major bug fix distribution. We are planning an Argus-18.104.22.168 release at the beginning of the summer.
FloCon 2019 was an excellent conference this year, with a lot of Machine Learning and flow analytics presentations. FloCon is still the best flow conference today, so be sure to take a look at the agenda and slide decks. New Orleans was fun; next year it will be in Savannah, Ga.
Argus-22.214.171.124 is the current stable version of Argus. We are planning an Argus-126.96.36.199 release at the end of the year, to provide additional fixes. Argus-188.8.131.52 fixes a series of reported errors and should be considered a major bug fix release of argus. The companion argus-clients-184.108.40.206 represents a minor bug fix release of the argus client programs. Of course, there are a few issues still being worked out, as always. Please consider grabbing this version for your production environments. The new release version of argus has been tested out quite a bit, and has been in production at a few sites for month(s). The principal changes are portability fixes (OpenWRT, Solaris, Windows), bugs reported by one of the national labs, better Debian package support and a few additional encapsulations, including GRE ERSPAN II and Juniper packet capture.
Currently, the set of stable source code can be grabbed from these links:
The best way to get started using argus is to get the argus and client software (see Getting Argus below), compile it on one of your Mac OS X, Linux, Unix or Cygwin enabled Windows systems, and play around with analyzing a few packet streams, to see how it basically works.
Binary packages for argus-3.0.8 can be generated from the argus distribution tar bundles. We will make packages available as we can make them, and we'll have links here.
If you have, know of, or are in a position to generate a binary package for any missing platform, please send mail to the mailing list. We can't accept packages without verifying their content, so please mail the list and we'll discuss.
Argus-220.127.116.11 is the current stable version of argus, which you should get as a tarball using the links below.
Development versions of Argus-3.x, which are developed and discussed on the argus development mailing list are available, as alpha and beta code. These packages will have all the latest features, bug-fixes, as well as new bugs ;o). Packages are available here.
The use of Argus versions 2.x is now discouraged. Please consider running argus-3.0.x as your first choice for argus and its client programs. Source code for these distributions can be downloaded via HTTP or FTP from the following locations:
Argus source requires libpcap and GNU bison, and it is suggested that you link argus with tcp_wrappers. Argus can also be linked to cyrus-sasl for remote access security. Copies of the most recent versions of these packages can be found at: