1 | 1 | /* |
2 | | - * Argus Client Software. Tools to read, analyze and manage Argus data. |
3 | | - * Copyright (c) 2000-2022 QoSient, LLC |
| 2 | + * Argus-5.0 Client Software. Tools to read, analyze and manage Argus data. |
| 3 | + * Copyright (c) 2000-2024 QoSient, LLC |
4 | 4 | * All rights reserved. |
5 | 5 | * |
6 | | - * This program is free software; you can redistribute it and/or modify |
7 | | - * it under the terms of the GNU General Public License as published by |
8 | | - * the Free Software Foundation; either version 2, or (at your option) |
9 | | - * any later version. |
10 | | - |
11 | | - * This program is distributed in the hope that it will be useful, |
12 | | - * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | | - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
14 | | - * GNU General Public License for more details. |
15 | | - |
| 6 | + * This program is free software, released under the GNU General |
| 7 | + * Public License; you can redistribute it and/or modify it under the terms |
| 8 | + * of the GNU General Public License as published by the Free Software |
| 9 | + * Foundation; either version 3, or any later version. |
| 10 | + * |
| 11 | + * Other licenses are available through QoSient, LLC. |
| 12 | + |
| 13 | + * |
| 14 | + * This program is distributed WITHOUT ANY WARRANTY; without even the |
| 15 | + * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
| 16 | + * See the * GNU General Public License for more details. |
| 17 | + * |
16 | 18 | * You should have received a copy of the GNU General Public License |
17 | 19 | * along with this program; if not, write to the Free Software |
18 | | - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ |
| 20 | + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
19 | 21 | * |
20 | 22 | */ |
21 | 23 |
|
22 | 24 |
|
23 | | -CHANGES - This file attempts to capture the changes between argus-clients-3.0.8.4 |
24 | | - and argus-clients-3.0.8.5. There are some significant changes, so if I |
25 | | - missed anything, please be kind. |
| 25 | +Argus-5.0 Data Support |
| 26 | + |
| 27 | +Argus-5.0 is a public version of commercial argus, that provides enhanced |
| 28 | +functionality and performance. Argus-5.0 is designed to be completely |
| 29 | +backward compatible with the previous versions of open source argus and |
| 30 | +its program names, configuration, etc should be similar when possible. |
| 31 | + |
| 32 | +Product specific changes are provided with each product. When no |
| 33 | +specific changes are mentioned, gargoyle should be perceived as |
| 34 | +completely compatible, but enhanced. |
| 35 | + |
| 36 | + |
| 37 | +Argus Data Support |
| 38 | + |
| 39 | +Argus-5.0 represents a major change in argus data. The format |
| 40 | +was completely updated to support 128-bit uuid argus source id's, |
| 41 | +As a result there is no forward compatibility between argus-3.0 programs and |
| 42 | +argus-5.0 data. Argus-5.0 programs are backward compatible, however, so |
| 43 | +you can read and process your data with argus-5.0 programs. |
| 44 | + |
| 45 | +We have made provisions for argus-5.0 programs to generate argus-3.x formatted |
| 46 | +data, but that is configurable, and not the default behavior. So there is |
| 47 | +explicit conversion that will be going on under the covers. There is no |
| 48 | +compelling justification to convert your argus-3.x data, allowing you to leave |
| 49 | +the original data unmodified. |
| 50 | + |
| 51 | +Argus-5.0.0 and its clients provides for extended modes of transport of argus |
| 52 | +data, earlier version of argus-clients cannot read these transport formats. |
| 53 | + |
| 54 | +Argus-clients-5.0 provides extended capabilities for reading flow-tools |
| 55 | +originated data, and bro/zeek data and converting them to argus-5.0 data |
| 56 | +formats. |
| 57 | + |
| 58 | +Argus-clients-5.0.0 is backward compatible with all prior releases of |
| 59 | +argus data, fixing a large number of bugs, with regard to data represenation |
| 60 | +and processing. |
| 61 | + |
| 62 | + |
| 63 | +Architecture |
| 64 | + |
| 65 | +The client programs evolved quite a bit between argus-2.0, argus-3.0 and argus-5.0. |
| 66 | +With the addition of large scale argus data collection and distribution, using |
| 67 | +radium(), and rastream(). Argus-clients-5.0 extends this architecture, providing |
| 68 | +the ability to collect, distribute, archive, analyze, and process network flow |
| 69 | +data, for argus data, flow-tools data, netflow v5-8 partial sflow data processing, |
| 70 | +and zeek data conversion. |
| 71 | + |
| 72 | +radium(), and rastream() are the principal programs that have been added to the |
| 73 | +ra* family of programs. radium can connect to multiple sources of argus data, |
| 74 | +whether they are streams or files of data, and can write out data to multiple targets, |
| 75 | +supporting independant access control, authentication, and filtering per target. |
| 76 | +What this means is that you can build a argus data distribution tree, to collect, |
| 77 | +process and redistribute argus data. |
| 78 | + |
| 79 | +Rastream() is known as a stream block processors (SBP). You want to collect data |
| 80 | +from a set of argus data stream sources, and the data just keeps coming in. |
| 81 | +When/how can you stop to process the data, say for real-time indexing, search |
| 82 | +and/or processing? In the database world this is called 'stream block processing'. |
| 83 | +rastream() reads in argus data, and output the data into a set of files |
| 84 | +that make up a native OS filesystem based archive. rastream() extends |
| 85 | +this capability by implementing a wa hold buffer to allow for input sorting, |
| 86 | +and then based on command line options, rastream() can call scripts against the |
| 87 | +files after a time period or an event. We use rastream() to periodically commit |
| 88 | +data to an information system for indexing, searching, processing, compressing, |
| 89 | +and then archive. Say every 5 minutes, on the second, rastream() will close |
| 90 | +completed input files and then spawn any number of processes against those files. |
| 91 | + |
| 92 | +With these programs, we have collected data from as many as 5K argus data |
| 93 | +sources, and managed the data in a set of argus data respositories. |
| 94 | + |
| 95 | +Argus-clients-3.0.6 provides new capabilities in this area, allowing |
| 96 | +radium to "serve up" files that are generated by rastream(). |
| 97 | +See the manpages for radium.1 and ra.1. |
| 98 | + |
| 99 | + |
| 100 | +The clients distribution has been restructred in argus-5.0.0. It is organized |
| 101 | +into argus client Core Programs, and Examples. |
| 102 | + |
| 103 | +Client Core Programs |
| 104 | + ra - principal program that read, process, filter, and print argus data. |
| 105 | + racount - no basic changes. |
| 106 | + racluster - complete rewrite of argus aggregation strategies, |
| 107 | + and replaces ragator. |
| 108 | + |
| 109 | + radium - argus record collection and distribution program. |
| 110 | + |
| 111 | + ranonymize - updated for new data types. |
| 112 | + rasort - ported. |
| 113 | + |
| 114 | + ratop - massive rewrite. Completely new program. |
| 115 | + |
| 116 | +Client Example Programs |
| 117 | + These programs provide examples in key areas of argus data processing |
| 118 | +and management. |
| 119 | + |
| 120 | + argus data environment |
| 121 | + ratop - realtime argus data processing environment (curses based) |
| 122 | + provides vi() like functionality for streaming and file based flow data, |
| 123 | + supporting printing, searching, editing, sorting, writing argus data. |
| 124 | + |
| 125 | + argus data processing |
| 126 | + raconvert - ascii to binary data record conversion |
| 127 | + raevent - non flow data printing |
| 128 | + rafilteraddr - high performance filtering |
| 129 | + ralabel - semantic enhancement / metadata tagging |
| 130 | + rastream - stream block processing |
| 131 | + rastrip - data compression |
26 | 132 |
|
| 133 | + analytics |
| 134 | + rahisto - frequency distribution analysis for argus data metrics |
27 | 135 |
|
28 | | -Argus MetaData Support |
| 136 | + graphing |
| 137 | + ragraph - time series graphing (rrd-tool based) |
| 138 | + raplot - general plotting (gnuplot based) |
29 | 139 |
|
30 | | -Argus MetaData Support |
| 140 | + storage management |
| 141 | + ramysql - mysql based utilities |
| 142 | + rasql - read native argus data from mysql database tables. |
| 143 | + rasqlinsert - insert and read argus data from/to mysql data tables. |
| 144 | + rasqltimeindex - generate argus data file time indexes for searching. |
31 | 145 |
|
32 | | -In 3.0.8.5 we added JSON format support for the label. In the clients, we have |
33 | | -a configuration variable for the rarc file that can cause any client to convert |
34 | | -the label to JSON. By default, this is turned off. |
| 146 | + forensics |
| 147 | + radump - decode captured user data |
| 148 | + ragrep - regular expression matching from captured user data |
| 149 | + raservices - user data analysis to determine used protocol |
35 | 150 |
|
36 | | -All argus clients support the '-M label="regex"' option, which search the contents |
37 | | -of the label string in flow records, and processes those records that match. |
38 | | -Knowing that the format is JSON may impact the format of your regex. |
| 151 | + reporting |
| 152 | + radark - scanner detection and reporting |
| 153 | + rascan - scanner detection and reporting |
| 154 | + rahosts - IP address inventory reporting |
| 155 | + raips - IP address inventory reporting |
| 156 | + rapath - print topology information derived from argus data |
| 157 | + rapolicy - continuous access control policy verification |
| 158 | + raports - application port usage |
| 159 | + rarpwatch - arpwatch driven using argus data |
| 160 | + ratimerange - argus data file time span |
39 | 161 |
|
40 | | -When you aggregate flow records, the labels get merged, and the resulting structures |
41 | | -will be stored either as legacy or JSON. |
| 162 | + development |
| 163 | + ratemplate - ra client development template when using the argus clients library. |
42 | 164 |
|
43 | | -When you read either formats, the clients will retain the original format for 3.0 Argus. |
44 | 165 |
|
45 | | -In Argus 4.0, we intend to shift all metadata to JSON, so this is a transition strategy. |
|
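Review bot: the new license header has two copy errors that should be fixed before this lands: "implied warranty of * MERCHANTABILITY or FITNESS" and "See the * GNU General Public License" carry a stray "* " mid-sentence, so the rendered text is wrong; drop the extra asterisks. While the header is being reworked from GPLv2 "or later" to GPLv3 "or any later version" (and now advertises other licenses through QoSient, LLC), the "675 Mass Ave, Cambridge, MA 02139" address is the long-obsolete FSF address and should be replaced with the pointer the GPLv3 text itself recommends, "If not, see <https://www.gnu.org/licenses/>." The relicensing and the dual-license statement are substantive changes to the distribution terms and deserve a sentence in the commit message rather than silently riding along in a CHANGES rewrite. On the body: the removed 3.0.8.5 notes on JSON label support (the rarc variable that converts labels to JSON, off by default, the '-M label="regex"' match option and the effect of JSON on the regex, and how merged labels are stored on aggregation) describe behaviour clients still have, and nothing in the new text carries it forward; either keep that section or state where it now lives. Within the new text, "Argus-clients-3.0.6 provides new capabilities in this area" is a stale version reference in a 5.0 document; ratop appears both under Core Programs and under Example Programs; rascan and radark, and rahosts and raips, share identical one-line descriptions, so a reader cannot tell them apart; "wa hold buffer" should read "a hold buffer"; and "So there is explicit conversion that will be going on under the covers" contradicts itself (presumably "no explicit conversion"). Since radium is described as "supporting independant access control, authentication, and filtering per target", it would help to name where that is configured (the radium.conf manpage) so operators building a distribution tree know which settings those claims depend on. Remaining typos: "represenation", "independant", "restructred", "respositories", "source id's".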