Argus 1.5
Software Engineering Institute
Carnegie Mellon University
argus@sei.cmu.edu
ftp://ftp.sei.cmu.edu/pub/argus-1.5

This is to announce the availability of the public domain package Argus, a generic IP network transaction auditing tool. Argus runs as an application-level daemon, promiscuously reading network datagrams from a specified interface, and generates network traffic status records for the network activity that it encounters. Argus has been built and tested under SunOS 4.x, Solaris 2.3, and SGI IRIX 5.2. The issue of portability has been principally addressed by the use of libpcap-0.0.x.

Argus enables a site to generate comprehensive network transaction audit logs in a fashion that provides for high degrees of data reduction and high degrees of semantic preservation. This has allowed us to perform extensive historical analysis of our network traffic. The package includes two example programs for analyzing the network transaction audit logs. By processing these historical network logs, we have been able to, among other things:

1. Verify that our network security access control policies are actually being enforced, and detect attempts to break through our firewall and host-based mechanisms.

2. Perform grade-of-service analysis for every IP-based network service that is offered in our network infrastructure.

3. Identify and troubleshoot difficult transient network problems such as intermittent service failure, denial of service attacks, and host and network configuration problems.

And by using the realtime features of Argus, we have been able to develop complex proactive network management tools.

The data that Argus generates makes it possible to analyze network activity and performance in ways that have not been possible before. We are routinely answering questions such as:

"Has anyone scanned this subnet for system vulnerabilities, such as that performed by SATAN?"

"A new intrusion method has been discovered; has anyone tried to use it to attack the CERT Coordination Center's network in the past year?"

"Did a new MUD server appear on any of the SEI machines last Tuesday?"

"What network traffic was blocked by our router-enforced firewall?"

"What is the average HTTP transaction connection time when a CMU host accesses MIT's WWW server?"

"If we move the News server to another subnet, what other machines should be moved with it?"

Each of these questions can be answered from the same historical network activity audit log.

Comprehensive network transaction auditing can make a major impact on a site's network security. As we have had a great deal of success in using Argus to improve the network security at the Software Engineering Institute and the CERT Coordination Center, we would like to emphasize this advantage of the use of Argus. We have found that comprehensive network transaction auditing can be a powerful network management tool, and we think that a large number of sites can benefit from the prototype work that we have done in this area.

We hope that you find Argus and the support tools helpful. If you have any questions, comments or suggestions, please send mail to argus@sei.cmu.edu.

Again, thank you for your interest in Argus.

Carter Bullard
Software Engineering Institute
Carnegie Mellon University
wcb@sei.cmu.edu

Chas DiFatta
Software Engineering Institute
Carnegie Mellon University
chas@sei.cmu.edu
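The following is an added example, not code from the Argus package, illustrating the approach the announcement describes: raw packet events are reduced to one status record per network transaction, and two of the questions listed above (a scan of a subnet, the average HTTP transaction time) are then answered from the reduced log alone. The record layout, the packet sample and the port-count threshold are constructed assumptions for this example, not Argus's own format or defaults.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
@dataclass
class Flow:  # one transaction status record (illustrative layout, not Argus's own)
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    start: float
    end: float
    pkts: int = 0
    bytes: int = 0

# Constructed packet events (time, src, dst, proto, sport, dport, size): two HTTP
# transactions from 10.1.1.5 and one outside host probing ports across 10.1.2.0/24.
PACKETS = [
    (0.0, "10.1.1.5", "10.1.2.10", "tcp", 40000, 80, 60),
    (0.2, "10.1.2.10", "10.1.1.5", "tcp", 80, 40000, 1200),
    (0.5, "10.1.1.5", "10.1.2.10", "tcp", 40000, 80, 52),
    (1.0, "10.1.1.5", "10.1.2.10", "tcp", 40001, 80, 60),
    (2.5, "10.1.2.10", "10.1.1.5", "tcp", 80, 40001, 900),
    (5.0, "192.0.2.7", "10.1.2.10", "tcp", 5000, 21, 60),
    (5.1, "192.0.2.7", "10.1.2.11", "tcp", 5001, 23, 60),
    (5.2, "192.0.2.7", "10.1.2.12", "tcp", 5002, 111, 60),
]

def aggregate(packets):
    """Reduce packet events to one record per transaction (the data reduction step)."""
    flows = {}
    for t, src, dst, proto, sport, dport, size in packets:
        fwd, rev = (src, dst, proto, sport, dport), (dst, src, proto, dport, sport)
        f = flows.setdefault(rev if rev in flows else fwd,  # a reply matches the reversed tuple
                             Flow(src, dst, proto, sport, dport, t, t))
        f.pkts, f.bytes, f.end = f.pkts + 1, f.bytes + size, max(f.end, t)
    return list(flows.values())

def port_scanners(flows, subnet, min_ports=3):
    """Sources whose unanswered transactions touched min_ports distinct ports on the subnet."""
    ports = defaultdict(set)
    for f in flows:
        if f.dst.startswith(subnet) and f.pkts == 1:  # one packet, never answered
            ports[f.src].add(f.dport)
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)

def mean_duration(flows, dport):
    """Average duration of answered transactions to one service, e.g. HTTP on port 80."""
    d = [f.end - f.start for f in flows if f.dport == dport and f.pkts > 1]
    return mean(d) if d else 0.0
```

Running `port_scanners(aggregate(PACKETS), "10.1.2.")` names the probing host, and `mean_duration(aggregate(PACKETS), 80)` gives the average HTTP transaction time, both computed without returning to the original packets.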