Argus
Argus is an open-source flow monitor that computes a variety of connection statistics. The UNIX tool argus processes either PCAP or NetFlow data and generates binary output. The companion utility ra transforms this binary output into a textual form that VAST can parse.
Ingesting Argus data is a multi-stage process that involves the following steps:
- Read PCAP or NetFlow data with argus
- Convert the binary Argus data into CSV with ra
- Pipe the ra output to vast
Reading Network Data
To read a PCAP file, simply pass the file to -r:
To read from standard input, use -r -. Similarly, to write to standard output, use -w -.
Conversion to CSV
Converting argus output to CSV requires the following flags:
- -c , to enable CSV mode
- -L0 to print a header with field names once
- -n to suppress port number to service name conversions
The first column contains the timestamp, but unfortunately the default format doesn't contain date numbers. Changing the timestamp format requires passing a custom configuration file via -F ra.conf with the following contents:
Finally, the -s +a,b,c,... flag takes a list of field names that should be appended after the default fields. Please consult the manpage of ra under the -s section for valid field names.
Put together, the following example generates valid CSV output for a PCAP file called trace:
This may generate the following output:
Ingestion
Since VAST supports CSV natively, ingesting Argus CSV output only requires an apt schema. VAST already ships with an argus schema containing a type argus.record that covers all fields from the ra man page.
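Before handing the CSV to vast, it is worth checking that ra actually produced what the steps above require. The following Python function is an added example, not part of the VAST documentation or the Argus tools: it verifies that the -L0 header appears exactly once, that rows are not ragged, and that the first column carries a full date rather than ra's default time-of-day stamp. The header labels and records are constructed sample data.

```python
import csv
import io
from datetime import datetime

# Constructed sample of what "ra -c , -L0 -n" emits once the timestamp format
# includes the date (header labels mirror ra's defaults; records are made up).
SAMPLE_CSV = """\
StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
2021-03-01 10:15:32.123456, e ,tcp,192.0.2.10,52104,->,198.51.100.5,443,12,2048,CON
2021-03-01 10:15:33.654321, e ,udp,192.0.2.11,53000,<->,198.51.100.53,53,2,180,CON
"""

# The same records with ra's default date-less stamp: VAST cannot turn these
# into absolute timestamps, which is why the format must be changed in ra.conf.
SAMPLE_CSV_NO_DATE = SAMPLE_CSV.replace("2021-03-01 ", "")

TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def check_argus_csv(text: str) -> dict:
    """Validate Argus CSV before piping it into vast.

    Returns the header, the record count and a list of problems: a missing or
    repeated header line, ragged rows, or timestamps that lack a date.
    """
    rows = list(csv.reader(io.StringIO(text)))
    problems = []
    if not rows or not rows[0] or rows[0][0] != "StartTime":
        problems.append("missing header line (run ra with -L0)")
        return {"header": None, "rows": len(rows), "problems": problems}
    header = rows[0]
    records = rows[1:]
    for lineno, row in enumerate(records, start=2):
        if row == header:
            problems.append(f"line {lineno}: header repeated (-L0 prints it once)")
            continue
        if len(row) != len(header):
            problems.append(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
            continue
        try:
            datetime.strptime(row[0].strip(), TIME_FORMAT)
        except ValueError:
            problems.append(f"line {lineno}: timestamp {row[0]!r} has no date; fix the time format in ra.conf")
    return {"header": header, "rows": len(records), "problems": problems}
```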
The following command imports a file argus.csv:
Alternatively, this command pipeline processes a PCAP trace without intermediate file and ships the resulting events to a VAST node: