The sensor part of Argus is all about generating bi-directional network flow data. Within the open source sensor project, we focus on many parts of the sensor development problem: design, implementation, deployment, testing, configuration and maintenance. But when we talk about sensor development, we try to focus on the technical issues of high performance packet processing: packet header parsing, bi-directional classification, sessionization, feature capture, data formats, and data transport.
The Argus sensor is both an operational real-time software sensor, capable of running at 100Gbps on commercially available commodity platforms, and a network traffic analytic, that processes packets for analysis and investigation, providing packet classification, sessionization, packet dynamic measurement, aggregation and periodic reporting. Ported to over 25 platforms, Argus can generate network flow data just about anywhere, providing the same dense network data, no matter where it's deployed.
Argus is designed around a few principal goals.
In order to provide comprehensive network flow data, Argus cannot be statistical. When utilities need to know what is going on in a network, a statistical sample is not enough. This complete accounting of all the packets observed is a primary goal of Argus and its data, and differentiates it from other flow systems.
Supporting operations, performance and security management analytics means that Argus data must have the attributes needed for those tasks. Reachability indicators for operations management, loss detection for performance measurement, and content for security analytics are just a few examples.
The world of network security has advanced considerably in the last 10 years, and Argus has kept pace, providing the richest general network flow data available today. Its comprehensive (non-statistical) transaction model is designed to support the complete NIST Cyber Security Framework: Identify, Protect, Detect, Respond and Recover. Advanced comprehensive network flow data, with metadata enhancements, embedded protocol verification and payload capture, provides the information needed to find network evidence of the bad thing: intrusion, exploitation, exfiltration, shadow IT. Whether the network activity reflects malware attempting to discover nodes in the local network, attempts to break into adjacent systems, or stepping stone behavior, Argus data is rich enough to provide the basic information needed to identify and detect bad actor behavior in the network.
The argus sensor is a multi-threaded packet processor that relies on native operating system support to process live network packet streams, or to read packets from named pipes or files. It parses all network headers until it finds the end-to-end Layer 3 transport header, and then tracks the transport state until the flow times out from inactivity.
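To make the sessionization model above concrete (bi-directional classification, idle timeout, and the complete accounting of every packet that the earlier paragraph insists on), here is a minimal flow tracker as an added illustrative example. It is not Argus source code; the packet records, the 60 second idle timeout and the record layout are constructed assumptions for the example.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60.0  # seconds; assumed value for this example, not an Argus default

@dataclass
class Flow:
    proto: str
    initiator: tuple        # (addr, port) of the side that sent the first packet
    responder: tuple
    start: float
    last: float
    src_pkts: int = 0       # initiator -> responder
    dst_pkts: int = 0       # responder -> initiator
    src_bytes: int = 0
    dst_bytes: int = 0

def flow_key(proto, a, b):
    """Canonical bi-directional key: a packet in either direction of the same
    conversation yields the same key, so both halves land in one flow."""
    return (proto,) + tuple(sorted((a, b)))

def sessionize(packets, idle_timeout=IDLE_TIMEOUT):
    """packets: iterable of (ts, proto, src, sport, dst, dport, length) in time order.
    Returns completed flow records; every input packet is counted in exactly one."""
    active, done = {}, []
    for ts, proto, src, sport, dst, dport, length in packets:
        # Expire flows idle longer than the timeout before handling this packet.
        for k in [k for k, f in active.items() if ts - f.last > idle_timeout]:
            done.append(active.pop(k))
        a, b = (src, sport), (dst, dport)
        key = flow_key(proto, a, b)
        f = active.get(key)
        if f is None:                      # first packet decides flow direction
            f = active[key] = Flow(proto, a, b, ts, ts)
        f.last = ts
        if a == f.initiator:
            f.src_pkts += 1; f.src_bytes += length
        else:
            f.dst_pkts += 1; f.dst_bytes += length
    done.extend(active.values())           # flush flows still open at end of input
    return done

def total_packets(flows):
    """Complete accounting check: packets in all flows must equal packets seen."""
    return sum(f.src_pkts + f.dst_pkts for f in flows)

SAMPLE = [  # constructed packets, not a capture: (ts, proto, src, sport, dst, dport, len)
    (0.0,   "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, 60),
    (0.1,   "tcp", "10.0.0.9", 22, "10.0.0.5", 40000, 60),
    (0.2,   "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, 120),
    (0.3,   "udp", "10.0.0.5", 53001, "10.0.0.1", 53, 70),
    (0.35,  "udp", "10.0.0.1", 53, "10.0.0.5", 53001, 200),
    (100.0, "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, 60),  # past idle timeout: new flow
]
```

The same 5-tuple reappearing after the idle timeout produces a second flow record rather than being folded into the first, which is how a tracker distinguishes a new session from a continuing one.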
Keeping up with new encapsulations, such as those in NVO3, GUE and VXLAN, is important to keeping argus relevant. If you're interested in theoretical models of network communications, get involved.
Argus is best used in large distributed deployments. Helping argus to be free of complex configuration issues, and to support massive scale deployment, is a real challenge. If you like this type of development, get involved.