Skip to main content

Putting the N in EDR

Argus is a very light-weight network sensor that can run on Linux, MacOS and Windows endpoints. Running as a daemon, not as an agent, Argus can act as a "nauditd" generating network activity audit logs for all the communications on the host.  Having an audit log of the network activity of a system provides the evidence that is needed to do NDR within the endpoint, much like a users login log, but for network usage.

Commercial EDR products, generally do not monitor network traffic. Host-based endpoint detection technology focus primarily on system log analytics, file system evidence, memory based malware signatures, and process resource usage to 'find the bad guy'. We propose that a light-weight network activity audit daemon can provide the missing data for most if not all security incidents in large networks.


Argus has a long history of running on endpoints.  At Georgia Tech, we had lots of systems, and we ended up porting Argus to anything we had that we could run libpcap.1 on, and that was a lot of BSD and System V Unix systems, Sun, DEC, Pyramid, Sequent, BBN, AT&T just to name a few.  We built the first dedicated continuous network flow monitor using Argus and a Sun workstation with an extra ethernet card in 1986, watching the Georgia Tech network at its external border.  Practically it was an workstation with a curious network monitoring function on it, conceptually it was a dedicated network monitoring appliance, but in the middle 80's, that wasn't how anyone thought about this type of technology.  As a result, Argus is an endpoint network monitor at its roots.



The trick to being an endpoint network flow monitor, is what endpoints do you support ?  If you only run on Linux, you're really a Linux network flow monitor.  To support the concept that all endpoints should generate network visibility and accountability data, your approach needs to run on all the endpoints you're talking about.  

Porting Argus to as many platforms as possible was a big drive for the project throughout the 1990's and 2000's.  We integrated Argus into network adapter cards, ethernet and ATM adapters, and we developed native argus sensors for Apple Macintosh and Windows.  These were projects in venture startups, large corporations and US Government sites, so they didn't make it into the open source project.  When we started working with Argus at the Naval Research Laboratory (NRL) in mid 2000's, we ported Argus to super computers (SGI, IBM, HP, Cray), to Apple Macs and Windows machines and every version of Linux, Unix, IRIX we could find.

To drive Argus's performance, we ported it to some pretty exotic hardware.  Argus was ported to Tilera multi-core processors, in order to demonstrate that flow generation could scale, and to Endace Infiniband network sensors in order to measure and monitor native Infiniband network traffic at ludicrous speeds.  Most of this work is reflected in the design, structure and implementation of the open source Argus.

Argus has evolved to be very efficient with limited resource demands.  Its data model(s) keep the cycles per packet down, its cache management keeps memory requirements low, and the data storage demand is easily met with modern endpoints.

Today Argus  runs very well on most modern computers, laptops and some tablets.  We develop on Mac OS X and RedHat Linux, and there are many Linux distributions that maintain deployable Argus binaries.  Still based on libpcap.1, Microsoft Windows is well supported when there is libpcap.1 style support available, such Windows Subsystem for Linux (WSL), winpcap (legacy) and npcap.

Why the Endpoint

Providing network visibility and awareness for every asset in your enterprise, organization, office, or house is a cyber security inevitability.  The cyber protection strategies for most places is still border protections, selective isolation, segmentation, and IPS and IDS to try to keep the bad guy out.

This approach is no longer viable, because attacks bypass these protection strategies and introduce malware, covert agents, bad actors directly onto end systems through means that are not really controllable.  A single HTTP interaction, or the click of a mouse button over an icon of a file in an email can introduce bad actors directly into the enterprise.  

This should compel enterprises to track the network activity of each of its endpoints, so at least detect when these conditions exist. The issue is, "can you introduce a network audit facility that doesn't take up too many resources"?

If the facility is designed to be very light weight, and still provide the data features needed to detect bad actor and victim behavior, then the answer should be "yes" !!!


The argus sensor is a multi-threaded packet processor that relies on native operating system support to process live network packet streams, or to read packets from named pipes or files.  It parses all network headers, until it finds the end-to-end Layer 3 Transport header, and then tracks the transport state until it times out due to an idle state.

Keeping up with new modern encapsulations, such as those in NVO3, GUE, VXLAN are important to keeping argus relevant.  If you're interested in theoretical models of network communications, get involved.

Argus is best used in large distributed deployments.  Helping argus to be free of complex configuration issues, and to support massive scale deployment, is a real challenge.  If you like this type of development, get involved.