Argus is the first network flow system, developed by Carter Bullard in the early 1980s at Georgia Tech, and adopted for cyber security at Carnegie Mellon's Software Engineering Institute in the late 1980s. Network flow technology has become a critical part of modern cyber security and Argus is being used in some of the most important networks in the world.
The Argus Project is a privately funded open source project focused on proof of concept demonstrations of all aspects of large scale network awareness derived from network flow data. Argus attempts to be the "bleeding edge" of network flow technology, processing packets really fast, either on the wire or in captures, into the richest network flow data available. The Argus system attempts to address a large number of the issues of network flow data: scale, performance, applicability, privacy and utility.
At the heart is Argus Data, which is a superset of all the various flow data technologies today: NetFlow, Jflow, Qflow, Kflow, IPFIX, and the historical flow-tools. Its models, formats, and attributes are designed to support network operations, performance and cyber security, answering questions regarding historical, current and future network activity and use. The data has over 145 attributes covering network identification, services, resource utilization, packet dynamics, network activity metadata and content.
If you are interested in using argus, grab the code and dive in. If you would like to participate in the development of Argus, sign up to the mailing lists, grab the code and start playing with what we have, so you can see where you can contribute.
Argus is released under the GPLv2 License. We do want everyone to use Argus, so if the GPL is not to your liking, please contact us for other available licensing options.
Argus is composed of a packet processing network flow sensor, argus, that generates Argus data, and a collection of argus data processing programs, called argus-clients. The Argus Project is divided into a number of efforts: data generation, transport, collection, storage, analytics and various metadata enhancements. People contribute to the project through opinions, testing, bug-fixes, modifications to existing programs and library routines, contributions of whole programs, suggestions on architectural approaches as well as coding style, and marketing, so there are many avenues for contribution.
The argus sensor has been ported to over 24 platforms, including all popular OSs, and embedded in a number of systems, with support for realtime OSs like pSOS and VxWorks, as well as modern SDN switches, clouds, VMs and wireless access points. Keeping argus current has always been a focus of the Argus Project and is a part of the project that can always use some help.
The argus-clients effort focuses on the large number of data processing efforts including but not limited to data distribution, collection, filtering, aggregation, binning, minimization, privacy, metadata enhancement, geolocation, net-spatial location, compression, anonymization, graphing, databases, analytics, storage, and error correction. With so much to do, you can imagine that this is a space that can use a lot of help.
We've uploaded the next release candidate for argus and its client programs, 188.8.131.52, which are available in the argus.dev directory. Lots of bug fixes, with key client features including JSON printing and better SQL support. This release is designed to support the ML development we're doing, so please take a look, and comment on the mailing list.
The CERIAS at Purdue University Summer Security Seminar Series will host a presentation by Carter Bullard on Network Predictive analytics using Argus. This will highlight the work we've done at DHS developing large scale network awareness for an enterprise SOC.
The European Union Agency for Cyber Security has published Introduction to Network Forensics, Final, Version 1.1, August 2019. This is an excellent document, and refers to the use of Argus quite a bit. Do take a look if you haven't seen it.
I've uploaded a number of Python examples to start off the Argus Data and ML sections. Primarily focused on 'Getting Started', I have a few examples for importing simple data and generating a few box and scatter plots. I'll add something a bit more edgy for Cyber analytics after the holidays.
We are now defining the basic ML effort of the open argus project. It will be focused on ML development environments and platforms for network based anomaly detection (NBAD) using Argus data and Machine Learning. Check out the Argus + ML section on the new openargus.org web site.
The primary interest is realtime network anomaly detection using ML in large enterprises, which involves a complex process of data conditioning, ML model development and testing, and deployment.
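The data conditioning step described above, worked through as an added example that is not part of the project's own Python examples or code: it loads comma-separated flow records as the ra client exports them, builds per-source features (flow count, distinct destination ports and hosts, packets per flow, bytes) and then flags sources whose distinct-port count is far above the rest while their packets per flow are below average, the profile of a host probing many services. The flow records are constructed for this example, and the column layout (StartTime, Flgs, Proto, SrcAddr, Sport, Dir, DstAddr, Dport, TotPkts, TotBytes, State, with a label line first) is assumed to be what `ra -c ,` prints with its default field list; the z-score threshold of 1.5 is an arbitrary choice for this small sample, and in practice the baseline would be computed over a longer window of known-good traffic.

```python
"""Condition Argus flow records exported by ra as CSV and run a simple
per-source anomaly check (added example, not the Argus project's code).

Assumed input: `ra -r flows.argus -c ,` with ra's default fields, i.e. a label
line followed by StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,
TotBytes,State. The records below are constructed for illustration only.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample: four hosts doing ordinary things and one host (10.0.0.9)
# sending one-packet flows to eight different service ports.
SAMPLE_RA_CSV = """\
StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
09:00:01.120,e,tcp,10.0.0.5,51022,->,10.0.1.20,443,34,18822,FIN
09:00:02.301,e,tcp,10.0.0.5,51023,->,10.0.1.20,443,28,15210,FIN
09:00:03.004,e,udp,10.0.0.7,5353,->,224.0.0.251,5353,4,688,CON
09:00:04.550,e,tcp,10.0.0.7,40112,->,10.0.1.25,22,120,26400,CON
09:00:05.010,e,tcp,10.0.0.9,44001,->,10.0.1.30,21,1,60,REQ
09:00:05.011,e,tcp,10.0.0.9,44002,->,10.0.1.30,22,1,60,REQ
09:00:05.012,e,tcp,10.0.0.9,44003,->,10.0.1.30,23,1,60,REQ
09:00:05.013,e,tcp,10.0.0.9,44004,->,10.0.1.30,25,1,60,REQ
09:00:05.014,e,tcp,10.0.0.9,44005,->,10.0.1.30,80,1,60,REQ
09:00:05.015,e,tcp,10.0.0.9,44006,->,10.0.1.30,110,1,60,REQ
09:00:05.016,e,tcp,10.0.0.9,44007,->,10.0.1.30,135,1,60,REQ
09:00:05.017,e,tcp,10.0.0.9,44008,->,10.0.1.30,445,1,60,REQ
09:00:06.200,e,udp,10.0.0.11,53412,->,10.0.1.2,53,2,210,CON
09:00:07.900,e,tcp,10.0.0.12,50001,->,10.0.1.40,80,20,9000,FIN
09:00:08.100,e,tcp,10.0.0.12,50002,->,10.0.1.40,443,20,12000,FIN
09:00:08.400,e,tcp,10.0.0.12,50003,->,10.0.1.41,443,20,11500,FIN
"""


def parse_ra_csv(text):
    """Turn ra CSV text into a list of dicts; counters become ints."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TotPkts"] = int(row["TotPkts"])
        row["TotBytes"] = int(row["TotBytes"])
        records.append(row)
    return records


def source_features(records):
    """Aggregate flows per SrcAddr into a small feature vector."""
    acc = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0,
                               "dports": set(), "dsts": set()})
    for r in records:
        a = acc[r["SrcAddr"]]
        a["flows"] += 1
        a["pkts"] += r["TotPkts"]
        a["bytes"] += r["TotBytes"]
        a["dports"].add((r["Proto"], r["Dport"]))  # port is per protocol
        a["dsts"].add(r["DstAddr"])
    return {
        src: {
            "flows": a["flows"],
            "distinct_dports": len(a["dports"]),
            "distinct_dsts": len(a["dsts"]),
            "pkts_per_flow": a["pkts"] / a["flows"],
            "bytes": a["bytes"],
        }
        for src, a in acc.items()
    }


def zscores(values):
    """Population z-score of each value against all values in the dict."""
    vals = list(values.values())
    mean = statistics.fmean(vals)
    sd = statistics.pstdev(vals)
    if sd == 0:  # every host looks the same: nothing stands out
        return {k: 0.0 for k in values}
    return {k: (v - mean) / sd for k, v in values.items()}


def flag_sources(features, threshold=1.5):
    """Sources with unusually many distinct ports and short flows."""
    z_ports = zscores({s: f["distinct_dports"] for s, f in features.items()})
    z_pkts = zscores({s: f["pkts_per_flow"] for s, f in features.items()})
    return sorted(s for s in features
                  if z_ports[s] > threshold and z_pkts[s] < 0)


if __name__ == "__main__":
    feats = source_features(parse_ra_csv(SAMPLE_RA_CSV))
    for src, f in sorted(feats.items()):
        print(f"{src:<10} flows={f['flows']:<3} dports={f['distinct_dports']:<3} "
              f"dsts={f['distinct_dsts']:<3} pkts/flow={f['pkts_per_flow']:<6.1f} "
              f"bytes={f['bytes']}")
    print("flagged:", flag_sources(feats))
```

Two design points worth noting: destination ports are counted per protocol so udp/53 and tcp/53 are not conflated, and the flag requires both a high distinct-port z-score and below-average packets per flow, so a busy but legitimate host talking to several services with full sessions is not reported. Replacing `SAMPLE_RA_CSV` with the contents of a file written by `ra -c ,` is all that is needed to run it over real flow data.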
If you have a specific interest in NBAD and ML, please get involved.
The Argus Project has moved to a new site, openargus.org. The site is still a work in progress, but it is an attempt to freshen the argus project and to introduce a new project focus for the open source effort.
We will attempt to support specific development projects, Machine Learning, NIDS, Policy and the general topic of Argus analytics. Please send your comments to the email list.
CounterFlow AI is now a corporate sponsor of the Argus open source project, joining the group of distinguished supporters: Stanford, Duke, Carnegie Mellon and QoSient LLC. Through their generous gift, we're able to modernize the argus web site and to begin a set of new projects that we hope will be of interest to the argus community.
If you also would like to help the Argus effort, please consider a sponsorship or donate to the open argus project.
The Argus Archives have now been moved to a new site at pair.net and are being updated accordingly. We moved the last 20 years of the archive to the new site based on Gmane's NNTP retention times. If there is demand to add back the first 8 years, I'll see what we can do. Fingers crossed, Google should start indexing the new site this week. The interface is a bit dated, as it is using Mailman v2 pipermail. With an update to Mailman v3, we'll move to HyperKitty. If you have suggestions, please send them to the mailing list.
The NNTP collection and distribution of the argus newsgroup is still ongoing at gmane.org. Go to nntp://news.gmane.org/gmane.network.argus. If you have any problems, of course, send email to the list.
Happy New Year !!! Hope all is most excellent with each of you in 2019 !!
There is action in the Argus world for 2019. We're re-establishing the argus mailing-list archive, which was on gmane.org for so long. The NSF Advanced Measurement Initiative (AMI) Insight 2 project, which provides an Elasticsearch/Kibana stack for argus data, is coming to a conclusion; their software is in testing and should be available soon. Commercial ArgusPro is progressing nicely with commercial hardware and software versions of Argus. If you're looking for commercial licenses of Argus, supported versions, and/or really fast appliances, be sure to contact us. 2019 should be an exciting year.
Argus for clouds is a big deal in 2019, with cloud-init support for rpm and Debian based Linux. Strategies and considerations for cloud forensics analysis will be introduced in argus-184.108.40.206 with an argus-220.127.116.11 release; hopefully it will generate some good discussions.
We will be making Argus-18.104.22.168 available as the next dev / test version this quarter. It is a major bug fix distribution. We are planning an Argus-22.214.171.124 release at the beginning of the summer.
FloCon 2019 was an excellent conference this year, with a lot of Machine Learning and flow analytics presentations. FloCon is still the best flow conference today, so be sure and take a look at the agenda and slide decks. New Orleans was fun, next year it will be in Savannah, Ga.
Argus-126.96.36.199 is the stable and current version of Argus. We are planning an Argus-188.8.131.52 release at the end of the year, to provide additional fixes. Argus-184.108.40.206 fixes a series of reported errors and should be considered a major bug fix release of argus. The companion argus-clients-220.127.116.11 represents a minor bug fix release of the argus client programs. Of course, there are a few issues still being worked out, as always. Please consider grabbing this version for your production environments. The new release version of argus has been tested out quite a bit, and has been in production in a few sites for month(s). The principal changes are portability fixes (OpenWRT, Solaris, Windows), bugs reported by one of the national labs, better Debian package support and a few additional encapsulations, including GRE ERSPAN II, and Juniper packet capture.
Currently, the set of stable source code can be grabbed from these links:
The best way to get started using argus is to get the argus and client software (see Getting Argus below), compile it on one of your Mac OS X, Linux, Unix or Cygwin enabled Windows systems, and play around with analyzing a few packet streams, to see how it basically works.
Binary packages for argus-3.0.8 can be generated from the argus distribution tar bundles. We will make packages available as we can make them, and we'll have links here.
If you have, know of, or are in a position to generate, a binary package for any missing platforms, please send mail to the mailing list. We can't accept packages without verifying content, etc., so please mail the list and we'll discuss.
Argus-18.104.22.168 is the current stable version of argus, which you should get as a tarball using the links below.
Development versions of Argus-3.x, which are developed and discussed on the argus development mailing list, are available as alpha and beta code. These packages will have all the latest features and bug-fixes, as well as new bugs ;o). Packages are available here.
The use of Argus versions 2.x is now discouraged. Please consider running argus-3.0.x as your first choice for argus and its client programs. Source code for these distributions can be downloaded via HTTP or FTP from the following locations:
Argus source requires libpcap and GNU bison, and it is suggested that you link argus with tcp_wrappers. Argus can also be linked with cyrus-sasl for remote access security. Copies of the most recent versions of these packages can be found at: