File: argus.conf

# 
# Argus Software
# Copyright (c) 2000-2015 QoSient, LLC
# All rights reserved.
# 
# Example  argus.conf
#
# Argus will open this argus.conf if it is installed as /etc/argus.conf.
# It will also search for this file as argus.conf in directories
# specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib,
# or $HOME, $HOME/lib, and parse it to set common configuration
# options.  All values in this file can be overridden by command
# line options, or other files of this format that can be read in
# using the -F option.
#
#
# Variable Syntax
# 
# Variable assignments must be of the form:
#
#   VARIABLE=value
#   VARIABLE="compound values"
#
# with no white space between the VARIABLE and the '=' sign.
#
#
# Comments
#
# Comments are supported using a '#' as the first character
# in the string, such as this string that you are reading.
# 
# Embedded comments are supported preceded by a " //" as you
# see in the C language.  The preceding white space is very important.
# The space or tab is absolutely required to delimit the end of the
# variable values and the beginning of the comment.  Without the space,
# the comment will be included as a part of the configuration variable.
#
#   VARIABLE=value // comment
#   VARIABLE="compound values" // comment
#
#
# Variable Explanations
#
# The Argus can be configured to support a large number of
# flow types.  The Argus can provide either type, i.e.
# uni-directional or bi-directional flow tracking and
# the flow can be further defined by specifying the key.
# The argus supports a set of well known key strategies,
# such as 'CLASSIC_5_TUPLE', 'LAYER_2', 'LAYER_2_MATRIX',
# 'MPLS', and/or 'VLAN', or the argus can be configured to
# formulate key strategies from a list of the specific objects
# that the Argus understands.  See the man page for a complete
# description.
#
# The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE.
#

ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
#ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+LAYER_2"


# Argus is capable of running as a daemon, doing all the right things
# that daemons do.  When this configuration is used for the system
# daemon process, say for /etc/argus.conf, this variable should be
# set to "yes".
#
# The default value is to not run as a daemon.
#
# This example is to support the ./support/Startup/argus script
# which works when this variable is set to "yes".
#
# Commandline equivalent   -d
#

#ARGUS_DAEMON=no // "yes" will break startup via the default systemd service


# Argus Monitor Data is uniquely identifiable based on the source
# identifier that is included in each output record.  This is to
# allow you to work with Argus Data from multiple monitors at the
# same time.  The ID is 32 bits long, and argus supports a number of
# formats as legitimate values. Argus supports unsigned ints, IPv4
# addresses and 4-byte strings as values.
#
# The formats are discerned from the values provided.  Double-quoted
# values are treated as strings, and are truncated to 4 characters.
# Non-quoted values are tested for whether they are hostnames, and if
# not, then they are tested whether they are numbers.
#
# The configuration allows for you to use host names, however, do
# have some understanding how `hostname` will be resolved by the
# nameserver before committing to this strategy completely.
#
# For convenience, argus supports the notion of "`hostname`" for
# assigning the probe's id.  This is to support management of
# large deployments, so you can have one argus.conf file that works
# for a lot of probes.
#
# For security, argus does not rely on system programs, like hostname.1.
# It implements the logic of hostname itself, so don't try to run
# arbitrary programs using this method, because it won't work.
#
# Commandline equivalent   -e
#
                                          
#ARGUS_MONITOR_ID=`hostname`    // IPv4 address returned
#ARGUS_MONITOR_ID=10.2.45.3     // IPv4 address
#ARGUS_MONITOR_ID=2435          // Number
#ARGUS_MONITOR_ID="en0"         // String
                                          

# Argus monitors can provide a real-time remote access port
# for collecting Argus data.  This is a TCP based port service and
# the default port number is tcp/561, the "experimental monitor"
# service.  This feature is disabled by default, and can be forced
# off by setting it to zero (0).
#
# When you do want to enable this service, 561 is a good choice,
# as all ra* clients are configured to try this port by default.
#
# Commandline equivalent   -P
#

#ARGUS_ACCESS_PORT=561


# When remote access is enabled (see above), you can specify that Argus
# should bind only to a specific IP address. This is useful, for example,
# in restricting access to the local host, or binding to a private
# interface while capturing from another.
#
# You can provide multiple addresses, separated by commas, or on multiple
# lines.
#
# The default is to bind to any IP address.
#
# Commandline equivalent  -B
#

#ARGUS_BIND_IP="::1,127.0.0.1"
#ARGUS_BIND_IP="127.0.0.1"
#ARGUS_BIND_IP="192.168.0.68"


# By default, Argus will open the first appropriate interface on a
# system that it encounters.  For systems that have only one network
# interface, this is a reasonable thing to do.  But, when there are
# more than one suitable interface, you should specify the
# interface(s) Argus should use either on the command line or in this
# file.
#
# Argus can track packets from any or all interfaces, concurrently.
# The interfaces can be tracked as:
#   1.  independent - this is where argus tracks flows from each
#          interface independent from the packets seen on any other
#          interface.  This is useful for hosts/routers that
#          have full-duplex interfaces, and you want to distinguish
#          flows based on their interface. There is an option to specify
#          a distinct srcid to each independent modeler.
#
#   2.  duplex - where argus tracks packets from 2 interfaces
#          as if they were two half duplex streams of the same link.
#          Because there is a single modeler tracking the 2
#          interfaces, there is a single srcid that can be passed as
#          an option.
#
#   3.  bonded - where argus tracks packets from multiple interfaces
#          as if they were from the same stream.  Because there is a
#          single modeler tracking the 2 interfaces, there is a single
#          srcid that can be passed as an option.
#
#  Interfaces can be specified as groups using '[',']' notation, to build
#  flexible definitions of packet sources.  However, each interface
#  should be referenced only once (this is due to performance and OS
#  limitations, so if your OS has no problem with this, go ahead).
#
#  The lo (loopback) interface will be included only if it is specifically
#  indicated in the option.
#
#  The syntax for specifying this either on the command line or in this file:
#     -i ind:all
#     -i dup:en0,en1/srcid
#     -i bond:en0,en1/srcid
#     -i dup:[bond:en0,en1],en2/srcid
#     -i en0/srcid -i en1/srcid            (equivalent '-i ind:en0/srcid,en1/srcid')
#     -i en0 en1                           (equivalent '-i bond:en0,en1')
#     -i en1(dlt)/srcid -i en1(dlt)/srcid
#
#  In all cases, if there is a "-e srcid" provided, the srcid provided is used
#  as the default.  If a srcid is specified using this option, it overrides
#  the default.
#
#  Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above.
#
# Commandline equivalent   -i
#

#ARGUS_INTERFACE=any
#ARGUS_INTERFACE=ind:all
#ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1
#ARGUS_INTERFACE=ind:en0/"en0",en2/19234
#ARGUS_INTERFACE=en0


# By default, Argus will put its interface in promiscuous mode
# in order to monitor all the traffic that can be collected.
# This can put an undue load on systems.
 
# If the intent is to monitor only the network activity of
# the specific system, say to measure the performance of
# an HTTP service or DNS service, you'll want to turn 
# promiscuous mode off.
#
# The default value is to go into promiscuous mode.
#
# Commandline equivalent   -p
#
 
#ARGUS_GO_PROMISCUOUS=yes


# Argus supports chroot(2) in order to control the file system that
# argus exists in and can access.  Generally used when argus is running
# with privileges, this limits the negative impacts that argus could
# inflict on its host machine. 
#
# This option will cause the output file names to be relative to this
# directory, and so consider this when trying to find your output files.
#
# Commandline equivalent   -c
#

#ARGUS_CHROOT_DIR=/chroot_dir


# Argus can be configured to enable detailed control plane
# flow monitoring for specific control plane protocols.
#
# This feature requires full packet capture for the monitored
# interface in order to capture the complete control plane
# protocol, and will have a performance impact on the sensor.
#
# The default is to not turn this feature on.
#
# Commandline equivalent   -C
#
 
#ARGUS_CAPTURE_FULL_CONTROL_DATA=no


# Argus can be directed to change its user id using the setuid() system
# call.  This can be used when argus is started as root, in order to
# access privileged resources, but then after the resources are opened,
# this directive will cause argus to change its user id value to
# a 'lesser' capable account.  Recommended when argus is running as
# a daemon; while this directive is left commented out, argus keeps
# running under the user it was started as.
#
# Commandline equivalent   -u
#

#ARGUS_SETUSER_ID=user


# Argus can be directed to change its group id using the setgid() system
# call.  This can be used when argus is started as root, in order to
# access privileged resources, but then after the resources are opened,
# this directive can be used to change argus's group id value to
# a 'lesser' capable account.  Recommended when argus is running as
# a daemon.
#
# Commandline equivalent   -g
#

#ARGUS_SETGROUP_ID=group
 

# Argus can write its output to one or a number of files.
# The default limit is 5 concurrent files, each with their
# own independent filters.
#
# The format is:
#      ARGUS_OUTPUT_FILE=/full/path/file/name
#      ARGUS_OUTPUT_FILE="/full/path/file/name filter"
#
# Most sites will have argus write to a file, for reliability.
# The example file name is used here as supporting programs,
# such as ./support/Archive/argusarchive are configured to use
# this file (with any chroot'd directory prepended).
#
# Commandline equivalent   -w
#

ARGUS_OUTPUT_FILE=/var/log/argus/argus.out


# Argus can push its output to one or a number of remote hosts.
# The default limit is 5 concurrent output streams, each with their
# own independent filters.
#
# The format is:
#      ARGUS_OUTPUT_STREAM="URI [filter]"
#      ARGUS_OUTPUT_STREAM="argus-udp://multicastGroup:port"
#      ARGUS_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'"
#
# Most sites will have argus listen() for remote sites to request argus data, 
# using a "pull" data model.  But for some sites and applications, pushing
# records without explicit registration is desired.  This option will cause
# argus to transmit records that match the optional filter, to the configured
# targets using UDP as the transport mechanism.
# 
# The primary purpose for this feature is to multicast argus records to
# a number of listeners on an interface, but it is not limited to this
# purpose. The multicast TTL is set to 128 by default, so that you can
# send records some distance. 
#
# Commandline equivalent   -w argus-udp://host:port
#

#ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561


# When Argus is configured to run as a daemon, with the -d
# option, Argus can store its pid in a file, to aid in
# managing the running daemon.  However, creating a system
# pid file requires privileges that may not be appropriate
# for all cases.
#
# When configured to generate a pid file, if Argus cannot
# create the pid file, it will fail to run.  This variable
# is available to override the default, in case this gets
# in your way.
#
# The default value is to generate a pid.  The default
# path for the pid file, is '/var/run'.
#
# No Commandline equivalent   
#

#ARGUS_SET_PID=yes
#ARGUS_PID_PATH="/var/run"


# Argus will periodically report on a flow's activity every
# ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is
# new activity on the flow.  This is so that you can get a
# multiple status reports into the activity of a flow.  The
# default is 5 seconds, but this number may be too low or
# too high depending on your uses.  Argus does support
# a minimum value of 0.000001 seconds.  Values under 1 sec
# are very useful for doing measurements in a controlled
# experimental environment where the number of flows is small.
#
# Because the status interval affects the memory utilization
# of the monitor, finding the minimum acceptable value is
# recommended.
#
# Commandline equivalent   -S
#

ARGUS_FLOW_STATUS_INTERVAL=5


# Argus will periodically report on its own health, providing
# interface status, total packet and byte counts, packet drop
# rates, and flow oriented statistics.
#
# These records can be used as "keep alives" for periods when
# there is no network traffic to be monitored.
#
# The default value is 300 seconds, but a value of 60 seconds is
# very common.
#
# Commandline equivalent   -M
#

ARGUS_MAR_STATUS_INTERVAL=60


# Argus has a number of flow state timers that specify how long argus 
# will 'remember' the caches of specific flows after they have gone
# idle.  
# 
# The default values have been chosen to aggressively timeout flow
# caches to conserve memory utilization.  Increasing values can have
# an impact on argus memory use, so take care when modifying values.
#
# The maximum value for any timeout is 65534 seconds.
# 
# If you think there is a flow type that doesn't have appropriate
# timeout support, send email to the developer's list, we'll add one
# for you.
# 
 
#ARGUS_IP_TIMEOUT=30 
#ARGUS_TCP_TIMEOUT=60
#ARGUS_ICMP_TIMEOUT=5
#ARGUS_IGMP_TIMEOUT=30
#ARGUS_FRAG_TIMEOUT=5
#ARGUS_ARP_TIMEOUT=5 
#ARGUS_OTHER_TIMEOUT=30


# If compiled to support this option, Argus is capable of
# generating a lot of debug information.
#
# The default value is zero (0).
#
# Commandline equivalent   -D
#

#ARGUS_DEBUG_LEVEL=0


# Argus can be configured to report on flows in a manner that
# provides the best information for calculating application
# response times and network round trip times.
#
# The default value is to not generate this data.
#
# Commandline equivalent   -R
#
 
#ARGUS_GENERATE_RESPONSE_TIME_DATA=no


# Argus can be configured to generate packet size information
# on a per flow basis, which provides the max and min packet
# size seen.  The default value is to not generate this data.
# 
# Commandline equivalent   -Z
# 
 
#ARGUS_GENERATE_PACKET_SIZE=yes 


# Argus can be configured to generate packet jitter information
# on a per flow basis.  The default value is to not generate
# this data.
#
# Commandline equivalent   -J
#
 
#ARGUS_GENERATE_JITTER_DATA=no 


# Argus can be configured to provide MAC addresses in
# its audit data. The default value is to not generate
# this data.
#
# Commandline equivalent   -m
#
 
#ARGUS_GENERATE_MAC_DATA=yes


# Argus can be configured to generate metrics that include
# the application byte counts as well as the packet count
# and byte counters.
#
# Commandline equivalent   -A
#

#ARGUS_GENERATE_APPBYTE_METRIC=yes


# Argus by default, generates extended metrics for TCP
# that include the connection setup time, window sizes,
# base sequence numbers, and retransmission counters.
# You can suppress this detailed information using this
# variable.
# 
# No commandline equivalent
# 

#ARGUS_GENERATE_TCP_PERF_METRIC=yes


# Argus by default, generates a single pair of timestamps,
# for the first and last packet seen on a given flow, during
# the observation period.  For bi-directional flows, this
# results in loss of some information.  By setting this
# variable to 'yes', argus will store start and ending
# timestamps for both directions of the flow.
#
# No commandline equivalent
#

#ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes


# Argus can be configured to capture a number of user data
# bytes from the packet stream.  Once enabled, the captured
# bytes are application payload, so the output records that
# carry them should be handled as sensitive data.
#
# The default value is to not generate this data.
#
# Commandline equivalent   -U
#
 
#ARGUS_CAPTURE_DATA_LEN=32


# Argus uses the packet filter capabilities of libpcap.  If
# there is a need to not use the libpcap filter optimizer,
# you can turn it off here.  The default is to leave it on.
#
# Commandline equivalent   -O
#

#ARGUS_FILTER_OPTIMIZER=yes


# You can provide a filter expression here, if you like.
# It should be limited to 2K in length.  The default is to
# not filter.
#
# The commandline filter will override this filter expression.
#

#ARGUS_FILTER=""



# Argus allows you to capture packets in tcpdump() format if the source
# of the packets is a tcpdump() formatted file or live packet source.
#
# Specify the path to the packet capture file here.
#
# Argus can be further configured to either capture all packets (default) that
# it receives, or to capture only the packets that cause internal errors,
# such as those that can't be classified into an appropriate flow model.
# 
# Specify the path to the packet capture file here.
#

#ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"
#ARGUS_PACKET_CAPTURE_ON_ERROR="no"


# Argus supports the use of SASL to provide strong 
# authentication and confidentiality protection.
#
# The policy that argus uses is controlled through
# the use of a minimum and maximum allowable protection
# strength.  Set these variables to control this policy.
#

#ARGUS_MIN_SSF=40
#ARGUS_MAX_SSF=128


# Argus supports setting environment variables to enable
# functions required by the kernel or shared libraries.
# This feature is intended to support libraries such as
# the net pf_ring support for libpcap as supported by
# code at http://public.lanl.gov/cpw/
#
# Setting environment variables in this way does not affect
# internal argus variable in any way. As a result, you
# can't set ARGUS_PATH using this feature.
#
# Care must be taken to assure that the value given to
# the variable conforms to your system's putenv.3 system call.
# You can have as many of these directives as you like.
# 
# The example below is intended to set a libpcap ring buffer
# length to 300MB, if your system supports this feature.
#

#ARGUS_ENV="PCAP_MEMORY=300000"


# Argus can be configured to discover tunneling protocols
# above the UDP transport header, specifically Teredo
# (IPv6 over UDP).  The algorithm is simple and so, having
# this on by default may generate false tunnel matching.

# The default is to not turn this feature on.

#ARGUS_TUNNEL_DISCOVERY="no"



# Argus can be configured to identify and track duplicate
# packets as a separate metric.  While the algorithms are
# traffic type specific, you can use this strategy to
# identify problems within your packet collection infrastructure.

# The default is to not turn this feature on.

#ARGUS_TRACK_DUPLICATES="no"



# Argus can be configured to be self synchronizing with other
# argi.  This involves using state from packets contents to
# synchronize the flow reporting.
#

#ARGUS_SELF_SYNCHRONIZE=yes



# Argus supports the generation of host originated processes
# to gather additional data and statistics.  These include
# periodic processes to poll for SNMP data, as an example, or
# to collect host statistics through reading procfs().  Or
# single run programs that run at a specified time.
# 
# These argus events, are generated from the complete list of
# ARGUS_EVENT_DATA directives that are specified here.
# 
# The syntax is:
#      Syntax is: "method:path|prog:interval[:postproc]"
#          Where:  method = [ "file" | "prog" ]
#                pathname | program = "%s"
#                interval = %d[smhd] [ zero means run once ]
#                postproc = [ "compress" | "compress2" ]
# 
#ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-vms:20s:compress"
#ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-snmp:1m:compress"
#ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress"
#ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s"
#ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-lsof:30s:compress"


# This version of Argus supports keystroke detection and counting for
# TCP connections, with specific algorithmic support for SSH connections.
#
# The ARGUS_KEYSTROKE variable turns the feature on. Values for
# this variable are:
# 	ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking
# 	ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking
# 	ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking
# 	ARGUS_KEYSTROKE="no"	[default]
#
# The algorithm uses a number of variables, all of which can be
# modified using the ARGUS_KEYSTROKE_CONF descriptor, which is a
# semicolon (';') separated set of variable assignments.  Here is
# the list of supported variables:
#
#   DC_MIN  -   (int) Minimum client datagram payload size in bytes (48)
#   DC_MAX  -   (int) Maximum client datagram payload size in bytes (128)
#   GS_MAX  -   (int) Maximum server packet gap (3)
#   DS_MIN  -   (int) Minimum server datagram payload size in bytes (24)
#   DS_MAX  -   (int) Maximum server datagram payload size in bytes (256)
#   IC_MIN  -   (int) Minimum client interpacket arrival time (50000 microseconds)
#   LCS_MAX -   (int) Maximum something - Not sure what this is
#   GPC_MAX -   (int) Maximum client packet gap (3)
#   ICR_MIN - (float) Minimum client/server interpacket arrival ratio (0.816)
#   ICR_MAX - (float) Maximum client/server interpacket arrival ratio (1.122)
#
# All variables have default values, this variable is used to override
# those values.  The syntax for the variable is:
#
#      ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20"
#

#ARGUS_KEYSTROKE="no"
#ARGUS_KEYSTROKE_CONF="GPC_MAX=4"