Network Security Hacks [Electronic resources] (text version)


Andrew Lockhart

Hack 64 Audit Network Traffic



Use Argus to monitor your network and to keep
an audit trail of your traffic.



Wouldn't it be
nice if you could keep a complete record of everything that happened
on your network? It would certainly
help to track down problems and would be invaluable in the event of a
security incident, but it would just take up too much space to keep
all of that data around. The next
best thing would be to keep a log of all the packets, but not
actually keep the data. You can do
this with Argus (http://www.qosient.com/argus/).


Argus, or the Audit Record Generation and
Utilization System, is a tool that can log network transactions in a
variety of ways and can even collect performance metrics on every
connection that it is able to see.
Argus also
contains several utilities that can make queries against the logs, so
you can easily extract the information you need. These tools allow you to generate ASCII-,
RMON-, or XML-formatted information from an Argus
log file. Argus also provides a Perl
interface for accessing its log files, so you can easily write custom
scripts to make use of the data it collects.


To set up Argus, you'll first
need to download the source distribution and unpack it. Then change into the directory that it
creates:


$ tar xfz argus-2.0.5.tar.gz
$ cd argus-2.0.5


To compile Argus, run this command:


$ ./configure && make


After compilation has finished, you can install Argus
by becoming root and running this command:


# make install


To get a quick demo of Argus, run it and then
let it collect some data for a little while:


# argus -d -e `hostname` -w /tmp/arguslog


This command will start argus in daemon mode and
have it write its logs to /tmp/arguslog.


After letting it collect some data, try querying it with the
ra command.
This will show you an ASCII representation of the packets
that argus has logged:


$ ra -r /tmp/arguslog
12 Jan 04 05:42:48 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:43:09 udp 192.168.0.250.snmptrap -> 255.255.255.255.snmptrap INT
12 Jan 04 05:43:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:43:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:19 udp kryten.nnc.56581 -> 255.255.255.255.2222 TIM
12 Jan 04 05:43:34 udp sunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:44:08 arp plunder.nnc who-has sirius.nnc INT
12 Jan 04 05:44:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:44:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT
12 Jan 04 05:45:06 udp sunder.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm TIM
12 Jan 04 05:40:26 man pkts 734 bytes 75574 drops 0 CON
12 Jan 04 05:44:28 nvl 0:c0:2:57:98:79 -> Broadcast INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:44:28 llc 0:c0:2:57:98:79.null -> Broadcast.null INT
12 Jan 04 05:45:08 udp plunder.nnc.netbios-ns -> 192.168.0.255.netbios-ns INT
12 Jan 04 05:45:09 tcp kryten.nnc.54176 ?> colossus.nnc.ssh EST
12 Jan 04 05:45:15 udp print.nnc.netbios-dgm -> 192.168.0.255.netbios-dgm INT


This is just a few minutes of logs from one host, but it is stored in
a very compact manner. In fact,
during testing, a whole day's worth of logs consumed
only 1.4 MB!


The ra command can also take tcpdump-style filters
so that you can query the logs for packets that match a specific
host, protocol, port, or any number of other characteristics.


For instance, if you wanted to query the logs for all packets sent
either to or from the host named kryten, you could
use a command similar to this one:


$ ra -r /tmp/arguslog - "host kryten"
12 Jan 04 09:26:34 udp kryten.nnc.55689 -> 255.255.255.255.2222 TIM
12 Jan 04 09:26:36 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
12 Jan 04 09:27:37 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
12 Jan 04 09:28:34 udp kryten.nnc.55691 -> 255.255.255.255.2222 TIM
12 Jan 04 09:28:05 icmp kryten.nnc <-> linux-vmm.nnc ECO
12 Jan 04 09:28:06 icmp kryten.nnc <-> linux-vmm.nnc ECO
12 Jan 04 09:29:06 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
12 Jan 04 09:30:34 udp kryten.nnc.55692 -> 255.255.255.255.2222 TIM
12 Jan 04 09:32:34 udp kryten.nnc.55693 -> 255.255.255.255.2222 TIM
12 Jan 04 09:33:06 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST
12 Jan 04 09:34:34 udp kryten.nnc.55694 -> 255.255.255.255.2222
12 Jan 04 09:53:44 tcp kryten.nnc.54176 ?> linux-vmm.nnc.ssh EST


You can also generate a new Argus log file
containing only the results of your query by using the
-w option to ra and specifying
a file to write the results to.


To get XML output from
Argus, you can use the
raxml utility to make queries, much in the same
way as you can with ra.
For instance, here's the first record
returned by using the previous query for all packets that matched the
hostname of kryten:


$ raxml -r /tmp/arguslog - "host kryten"
<ArgusFlowRecord ArgusSourceId = "192.168.0.41" SequenceNumber = "3"
Cause = "Status" StartDate = "2004-01-12" StartTime = "09:25:26"
StartTimeusecs = "319091" LastDate = "2004-01-12"
LastTime = "09:25:32" LastTimeusecs = "521982"
Duration = "6.202891" TransRefNum = "0">
<MACAddrs SrcAddr = "0:a:95:c7:2b:10" DstAddr = "0:c:29:e2:2b:c1" />
<Flow> <IP SrcIPAddr = "192.168.0.60" DstIPAddr = "192.168.0.41"
Proto = "tcp" Sport = "56060" Dport = "22" IpId = "27b8" /> </Flow>
<FlowAttrs SrcTTL = "64" DstTTL = "64" SrcTOS = "10" DstTOS = "10" />
<ExtFlow> <TCPExtFlow TCPState = "EST" TCPOptions = "TIME"
SynAckuSecs = "0" AckDatauSecs = "0" >
<TCPExtMetrics SrcTCPSeqBase = "4204580547"
SrcTCPAckBytes = "527" SrcTCPBytes = "528"
SrcTCPRetrans = "0" SrcTCPWin = "65535" SrcTCPFlags = "PA"
DstTCPSeqBase = "3077608383" DstTCPAckBytes = "1135"
DstTCPBytes = "992" DstTCPRetrans = "0" DstTCPWin = "9792"
DstTCPFlags = "PA" />
</TCPExtFlow>
</ExtFlow>
<Metrics SrcCount = "24" DstCount = "17" SrcBytes = "2112"
DstBytes = "2258" SrcAppBytes = "528" DstAppBytes = "1136" />
</ArgusFlowRecord>


As you can see, Argus keeps track of much more information than it
would seem if you were just going by the output generated by
ra. This is where
Argus really shines, because it can store such a large amount of
information about your network traffic in a small amount of
space. In addition, Argus makes it
easy to convert this information into other formats, such as XML,
which makes it easy to write applications that can understand the
data.
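To show what such an application looks like, here is an added Python example (not from the book or from the Argus distribution) that parses the record stream raxml emits, reproduces the ra "host kryten" style selection over the parsed records, and totals bytes per host as a quick audit view. The attribute names are those of the ArgusFlowRecord above; the second record in the sample is constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the raxml record shown above, trimmed to the attributes used
# here, plus an invented second record (the 2222/udp broadcast from the ra output).
SAMPLE_RAXML = """
<ArgusFlowRecord ArgusSourceId = "192.168.0.41" SequenceNumber = "3" Cause = "Status"
 StartDate = "2004-01-12" StartTime = "09:25:26" Duration = "6.202891">
 <Flow> <IP SrcIPAddr = "192.168.0.60" DstIPAddr = "192.168.0.41"
  Proto = "tcp" Sport = "56060" Dport = "22" IpId = "27b8" /> </Flow>
 <ExtFlow> <TCPExtFlow TCPState = "EST" TCPOptions = "TIME" /> </ExtFlow>
 <Metrics SrcCount = "24" DstCount = "17" SrcBytes = "2112" DstBytes = "2258" />
</ArgusFlowRecord>
<ArgusFlowRecord ArgusSourceId = "192.168.0.41" SequenceNumber = "4" Cause = "Status"
 StartDate = "2004-01-12" StartTime = "09:26:34" Duration = "0.000000">
 <Flow> <IP SrcIPAddr = "192.168.0.60" DstIPAddr = "255.255.255.255"
  Proto = "udp" Sport = "55689" Dport = "2222" IpId = "1a2b" /> </Flow>
 <Metrics SrcCount = "1" DstCount = "0" SrcBytes = "78" DstBytes = "0" />
</ArgusFlowRecord>
"""

def parse_records(text):
    """raxml emits bare <ArgusFlowRecord> elements, so wrap them in a synthetic
    root before parsing; returns one flat dict per flow."""
    root = ET.fromstring("<argus>" + text + "</argus>")
    flows = []
    for rec in root.iter("ArgusFlowRecord"):
        ip, met = rec.find("Flow/IP"), rec.find("Metrics")
        tcp = rec.find("ExtFlow/TCPExtFlow")  # absent for non-TCP flows
        flows.append({
            "start": rec.get("StartDate") + " " + rec.get("StartTime"),
            "proto": ip.get("Proto"),
            "src": ip.get("SrcIPAddr"), "sport": int(ip.get("Sport")),
            "dst": ip.get("DstIPAddr"), "dport": int(ip.get("Dport")),
            "state": tcp.get("TCPState") if tcp is not None else None,
            "src_bytes": int(met.get("SrcBytes")), "dst_bytes": int(met.get("DstBytes")),
        })
    return flows

def flows_for_host(flows, host):
    """The same selection as ra's tcpdump-style 'host X' filter, over parsed records."""
    return [f for f in flows if host in (f["src"], f["dst"])]

def bytes_per_host(flows):
    """Bytes seen per address in either direction: a quick view for spotting a
    host that moved far more data than its role on the network explains."""
    totals = {}
    for f in flows:
        both = f["src_bytes"] + f["dst_bytes"]
        for host in (f["src"], f["dst"]):
            totals[host] = totals.get(host, 0) + both
    return totals
```

In practice you would feed it the output of `raxml -r /tmp/arguslog` read from a pipe or file instead of the embedded sample.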


