
/*
 * Copyright (c) 1997 Carter Bullard
 * All applicable rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software and
 * its documentation is restricted to personal use only.  Use, sale
 * or retransmission of this software for commercial purposes, 
 * including but not limited to use as a commerical product or
 * in support of a commercial endeavor requires licensing from Carter
 * Bullard.
 *
 * CARTER BULLARD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
 * SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
 * FITNESS, IN NO EVENT SHALL CARTER BULLARD BE LIABLE FOR ANY
 * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
 * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
 * CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
 */

/*
 * Copyright (c) 1993, 1994, 1995 Carnegie Mellon University.
 * All rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software and
 * its documentation for any purpose and without fee is hereby granted, 
 * provided that the above copyright notice appear in all copies and
 * that both that copyright notice and this permission notice appear
 * in supporting documentation, and that the name of CMU not be
 * used in advertising or publicity pertaining to distribution of the
 * software without specific, written prior permission.  
 * 
 * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
 * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
 * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
 * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
 * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
 * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 * SOFTWARE.
 *
 */

Argus 1.7 BETA
argus@sei.cmu.edu
ftp:/ftp.sei.cmu.edu/pub/argus


Thank you for your interest in Argus, Audit Record Generation and
Utilization System.

Argus is a generic IP network transaction auditing tool that has
been used by thousands of sites to perform a number of powerful
network management tasks that are currently not possible using commercial
network management tools.

Argus runs as an application level daemon, promiscuously reading network
datagrams from a specified interface, and generates network traffic audit
records for the network activity that it encounters.  It is the way that
Argus categorizes and reports on network activity that makes this tool
unique and powerful.  Please refer to the README.1.5 file for a complete
description of Argus's basic theory of operation.

Argus 1.7 should be considered a bug fix and a portability release of
Argus 1.5, with enhancements.  The Argus 1.7 server has been ported to
SunOS and Solaris, Ultrix, IRIX, AIX, and Linux, and the sample client
code has been successfully used under most variants of Unix.

Problems, bugs, questions, desirable enhancements, source code
contributions, etc., should be sent to the email address
"argus@sei.cmu.edu".

We continue to find that comprehensive network transaction auditing can
be an extremely powerful network management tool, and I think that a
large number of sites can benefit from the prototype work that has
been done in this area.

Again, thank you for your interest in Argus.  We hope that you find
version 1.7 useful.


Carter Bullard
chellyaz@aol.com


CREDITS

None of this would be possible if it weren't for the dedicated work of
Mark Poepping of Carnegie Mellon University, and Chas Difatta of Intuit.

Tony Pryzgienda of FORE Systems did the current port of Argus to Linux,
which works great, and of course we must mention the guys at the
Pittsburgh Super Computing Center who came in third in the "I found
another bug in the server" contest.


Overview

The basic design and theory of operation for Argus 1.7 is the same
as Argus 1.5.  For a detailed description of this, please refer to
Argus 1.5 documentation.  This overview will deal with differences
between the implementations.

In this package we have provided the same functionality as Argus 1.5, which
included the network transaction auditing engine, Argus, and a few basic
tools for reading and analyzing the data.  Please read the man pages for
argus(8), ra(1) and services(1) for detailed description of how to use
these specific programs.

Argus 1.7 extends the general IP flow abstraction that was used in Argus 1.5
by increasing the amount of information held in each Argus record, and
by extending the flow abstraction to more traffic types.  Because of these
basic enhancements, Argus 1.7 audit records cannot be read by Argus 1.5
tools, however all Argus 1.7 tools are backward compatible.

Argus 1.7 is based on a bidirectional network flow model which categorizes
IP traffic into one of 3 fundamental network flow abstractions, rather than
the 4 supported in version 1.5.

   1. connection oriented                 (e.g. tcp)
   2. connection-less, request/response   (e.g. udp/dns)
   3. connection-less, persistent         (e.g. MBONE multicast traffic, ICMP echo)


Argus reports on an abstract state machine that is imposed on the
3 flow types that are detected and tracked.  The state machine includes:

   1. Initiating state
   2. Responding state
   3. Connection state
   4. Closing state

In the IP implementation, all network datagrams are categorized by
source and destination MAC addresses, source and destination IP
addresses, the IP options that may exist, the upper layer protocol as
indicated in the IP header proto field, and in the case of UDP or TCP,
by the datagram's source and destination port numbers.  In the case
of fragments and ICMP datagrams, where appropriate, the contents of
the datagram are used to categorize the packet into its parent flow.

With this generalized strategy, virtually all IP packets encountered on
a network connection can be accounted for in the collective Argus records
for the observation period.
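The following is an added example, not code from Argus itself, showing how the categorization above can be turned into a bidirectional flow table: packets are keyed by the fields listed (MAC addresses, IP addresses, upper layer protocol, and ports for TCP/UDP), the side that sent the first packet becomes "src", per-direction packet and byte counts are kept, and each flow is run through a small Initiating/Responding/Connection/Closing state machine.  The mapping of protocols onto the three flow types, the exact state transitions, and the omission of IP options and fragment handling are simplifications assumed here and do not describe the Argus implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Standard TCP flag bits.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    """Constructed packet summary: only the header fields used for categorisation."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int      # 0 for protocols without ports
    dport: int
    flags: int      # TCP flags, 0 for non-TCP
    length: int     # bytes on the wire


@dataclass
class Flow:
    flow_type: str
    state: str
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0


def flow_type(pkt):
    """Assumed rule of thumb for the three flow abstractions (not Argus's own logic)."""
    if pkt.proto == "tcp":
        return "connection-oriented"
    if pkt.proto == "icmp" or ip_address(pkt.dst_ip).is_multicast:
        return "persistent"
    return "request/response"


def endpoints(pkt):
    """Forward and reverse keys from MACs, IPs, protocol and (tcp/udp only) ports.
    IP options and fragment reassembly are left out of this example."""
    ports = (pkt.sport, pkt.dport) if pkt.proto in ("tcp", "udp") else (0, 0)
    fwd = (pkt.src_mac, pkt.dst_mac, pkt.src_ip, pkt.dst_ip, pkt.proto, ports[0], ports[1])
    rev = (pkt.dst_mac, pkt.src_mac, pkt.dst_ip, pkt.src_ip, pkt.proto, ports[1], ports[0])
    return fwd, rev


def next_state(flow, pkt, forward):
    """Simplified state machine: Initiating -> Responding -> Connection -> Closing."""
    if flow.flow_type == "connection-oriented":
        if pkt.flags & (FIN | RST) or flow.state == "Closing":
            return "Closing"
        if flow.state == "Connection":
            return "Connection"
        if flow.state == "Responding":
            return "Connection" if forward and pkt.flags & ACK else "Responding"
        syn_ack = pkt.flags & SYN and pkt.flags & ACK
        return "Responding" if (not forward and syn_ack) else "Initiating"
    if flow.flow_type == "persistent":
        return "Connection"
    # request/response: the reply moves the flow out of Initiating
    return "Responding" if not forward else flow.state


class FlowTable:
    """Bidirectional flow table: whoever sent the first packet is 'src'."""

    def __init__(self):
        self.flows = {}

    def add(self, pkt):
        fwd, rev = endpoints(pkt)
        if fwd in self.flows:
            key, forward = fwd, True
        elif rev in self.flows:
            key, forward = rev, False
        else:
            key, forward = fwd, True
            self.flows[key] = Flow(flow_type(pkt), "Initiating")
        flow = self.flows[key]
        if forward:
            flow.src_pkts += 1
            flow.src_bytes += pkt.length
        else:
            flow.dst_pkts += 1
            flow.dst_bytes += pkt.length
        flow.state = next_state(flow, pkt, forward)
        return key, flow


def demo():
    """Constructed traffic: one TCP session, one DNS exchange, one multicast stream."""
    a, b, dns, mc = "10.0.0.5", "10.0.0.9", "10.0.0.2", "224.2.127.254"
    pkts = [
        Packet("aa", "bb", a, b, "tcp", 40001, 80, SYN, 60),
        Packet("bb", "aa", b, a, "tcp", 80, 40001, SYN | ACK, 60),
        Packet("aa", "bb", a, b, "tcp", 40001, 80, ACK, 52),
        Packet("aa", "bb", a, b, "tcp", 40001, 80, ACK, 500),
        Packet("bb", "aa", b, a, "tcp", 80, 40001, ACK, 1200),
        Packet("bb", "aa", b, a, "tcp", 80, 40001, FIN | ACK, 52),
        Packet("aa", "cc", a, dns, "udp", 5353, 53, 0, 70),
        Packet("cc", "aa", dns, a, "udp", 53, 5353, 0, 150),
        Packet("aa", "mm", a, mc, "udp", 9875, 9875, 0, 300),
    ]
    table = FlowTable()
    states = [table.add(p)[1].state for p in pkts]
    return table, states


if __name__ == "__main__":
    table, states = demo()
    for key, flow in table.flows.items():
        print(key, flow)
    print(states)
```

The nine constructed packets collapse into three flows, and the same TCP session is found under one key whichever direction a packet travels, which is the property that lets a status record carry src and dst counts side by side.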


Argus Status Records

There is one union structure for the fixed length Argus status reports
that are generated for the 3 different types of transactions.  Each
status report contains transaction start and stop time information, 
the MAC and IP src and dst addresses, the IP options that were seen,
the upper layer protocol used, the transaction src and dst byte and
packet counts and upper layer protocol specific information.  The
protocol specific information and the criteria for when the status
reports are created, is different for each of the three transaction
types.

Argus 1.7 overloads some fields in the Argus 1.5 audit record to
increase the amount of information that an argus record contains.
In particular, Argus 1.7 provides source and destination TTL values
for its flows, and TCP base sequence numbers in the Initiating and
Responding Argus records for the TCP connection.  These subtle
changes provide very important information that enhances Argus's
intrusion detection capabilities.

Argus 1.7 also provides status records for unassembled IP fragments.
This support was also added to aid in intrusion detection, as
IP fragments are a likely transport vehicle for covert channels in
IP routed networks.  This feature of Argus is extremely powerful
for detecting these covert channels when they are used in an
enterprise.

The Argus TCP state machine has been updated to fix some significant
bugs in Argus 1.5's TCP byte count logic.  These bug fixes enhanced
Argus's ability to detect packet retransmission during a TCP
connection's lifetime.


Argus is designed to function in a high packet load environment, and
recovers cleanly in situations where there is packet loss.  The packet
counts and byte counts reflect only what Argus actually realizes.
When you begin to analyze Argus data, either using the simple tools that
are in the package, or when you write your own Argus data analysis tools,
these conditions should become clear.


Network Security

Comprehensive network transaction auditing can make a major impact on
a site's network security.  As we have had a great deal of success in
using Argus to improve the network security at the Software Engineering
Institute and CERT Coordination Center, we would like to continue
to emphasize this advantage of the use of Argus.

Accountability has always been recognized as a critical element in system
security modeling.  One of the principal deficiencies in the functional
structure of current Internet technology is its inherent lack of
accountability.  Experience in Internet computer incident handling
clearly indicates that current Internet technology does not adequately
support the detection and/or analysis of computer security related events.

One of the fundamental problems with the current "state of the art"
in computer security, is the reliance on host based accounting systems.
When a host is compromised during a security incident, there is a
high probability that the host's accounting system will be modified
in order to "cover up" the unauthorized accesses.  As a result of the
compromise, the host based accounting system is completely unreliable.
This lack of accounting reliability makes host based intrusion detection
a very difficult, if not impossible task.  In addition, most host
accounting systems are not capable of detecting and accounting for all
the network events that may be important to the security of the host, as
many of the meaningful events can not be anticipated.

Our experience has been that independent comprehensive network
transaction auditing provides a powerful addition to network based
access control that compensates for many of the inadequacies seen in host
based accounting.  Argus has become a critical element in the network
security mechanisms of CMU's Software Engineering Institute and its CERT
Coordination Center.

One of the key roles that Argus plays is in the verification of our
router-based firewall control mechanisms.  By comparing the Argus
transaction status records for our internal networks against the
actual router access control lists, we can have 100% assurance that
the router is implementing the control policies correctly.  This
independent scheme has been used to detect bugs in router vendor security
mechanisms.  Of course if the access control lists are poorly defined,
then problems will get past even this mechanism.  But, by analyzing
our internal network Argus data for violations of the intent of the
access control policies, we establish 100% assurance that our access
control policies are actually being enforced.
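As an added example (not a tool shipped with Argus), the comparison described above can be automated: evaluate each flow status record collected on the internal segment against the router's access list, first match wins, and report every externally initiated flow that the list says should have been dropped.  The rule format, the addresses and the records are constructed for the example; a real check would parse the vendor's ACL syntax and ra(1) output instead.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One router ACL entry (constructed format, not a vendor syntax)."""
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip" for any protocol
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any port


@dataclass(frozen=True)
class Record:
    """The fields of a flow status record that the ACL check needs."""
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    src_pkts: int
    dst_pkts: int


IMPLICIT_DENY = Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None)


def first_match(acl, rec):
    """Return the first rule that matches the record, or the implicit deny."""
    for rule in acl:
        if rule.proto not in ("ip", rec.proto):
            continue
        if ip_address(rec.src_ip) not in ip_network(rule.src):
            continue
        if ip_address(rec.dst_ip) not in ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != rec.dport:
            continue
        return rule
    return IMPLICIT_DENY


def acl_violations(acl, records, internal):
    """Flows initiated from outside `internal` that were nevertheless observed
    on the internal side although the ACL evaluates to deny for them."""
    net = ip_network(internal)
    violations = []
    for rec in records:
        if ip_address(rec.src_ip) in net:
            continue  # outbound-initiated traffic is governed by a different policy
        rule = first_match(acl, rec)
        if rule.action == "deny":
            violations.append((rec, rule))
    return violations


# Constructed inbound policy: mail to the whole subnet, web to one host, deny the rest.
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.10.0/24", 25),
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.10.5/32", 80),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Constructed status records as an internal Argus would have produced them.
RECORDS = [
    Record("203.0.113.7", "192.168.10.5", "tcp", 80, 12, 10),
    Record("203.0.113.7", "192.168.10.20", "tcp", 25, 8, 7),
    Record("203.0.113.9", "192.168.10.20", "tcp", 23, 3, 0),
    Record("203.0.113.9", "192.168.10.20", "udp", 111, 1, 1),
    Record("192.168.10.5", "203.0.113.7", "tcp", 443, 20, 18),
]

if __name__ == "__main__":
    for rec, rule in acl_violations(ACL, RECORDS, "192.168.10.0/24"):
        print(f"{rec.src_ip} -> {rec.dst_ip}:{rec.dport}/{rec.proto} passed the router but matches {rule}")
```

The third and fourth records are the interesting ones: a telnet attempt and an RPC portmapper probe both reached the internal segment even though the access list ends in deny, which is exactly the kind of discrepancy between stated and enforced policy that this comparison is meant to surface.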

Network scanning, such as that done by SATAN and ISS, generates
characteristic network "signatures" which are preserved in the
comprehensive network transaction logs generated by Argus, so that
simple Argus data analysis tools could be written to discover the
use of SATAN.  We highly recommend the development of these types
of Argus data analysis tools.
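One simple analysis tool of the kind recommended above, added here as an example rather than taken from the Argus package, looks for the most basic scanning signature in flow records: a single source touching many distinct (destination, port) pairs within a short window, most of which never answer.  The record layout, the window and threshold values, and the sample records are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """Constructed flow status record: start time plus the flow identity and counts."""
    start: float    # transaction start time, seconds
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    src_pkts: int
    dst_pkts: int


def scan_candidates(records, window=60.0, min_targets=8):
    """Sources that touched at least `min_targets` distinct (dst_ip, dport)
    pairs inside any `window` seconds, with how many of their flows went unanswered."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src_ip].append(r)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.start)
        in_window = defaultdict(int)   # target -> number of flows currently inside the window
        left = peak = 0
        for r in recs:
            # slide the left edge forward until every flow in the window is recent enough
            while recs[left].start < r.start - window:
                old = (recs[left].dst_ip, recs[left].dport)
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            in_window[(r.dst_ip, r.dport)] += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = {
                "distinct_targets": peak,
                "total_flows": len(recs),
                "unanswered": sum(1 for r in recs if r.dst_pkts == 0),
            }
    return hits


def sample_records():
    """Constructed data: one source sweeping 12 ports on one host in 24 s, one ordinary client."""
    recs = []
    for i, port in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 143, 513, 514]):
        answered = port in (22, 25, 80)
        recs.append(Record(100.0 + 2 * i, "203.0.113.9", "192.168.10.20", "tcp", port,
                           2, 1 if answered else 0))
    for i, port in enumerate([80, 443, 25, 53, 80]):
        recs.append(Record(100.0 + 30 * i, "192.168.10.5", f"203.0.113.{10 + i}", "tcp", port,
                           15, 14))
    return recs


if __name__ == "__main__":
    for src, info in scan_candidates(sample_records()).items():
        print(src, info)
```

The sweeping source shows up with twelve distinct targets and nine unanswered flows; the ordinary client, with five flows spread over two minutes, does not.  The unanswered count is what distinguishes a probe from a busy but legitimate host, since Argus records the dst side's packet count as zero when nothing came back.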

We have included in our ./examples directory a sample ra(1) filter that
acts to detect intrusion attacks of the type described in the CERT
advisory CA-95:01 "IP spoofing attacks and hijacked terminal connections".
This is a reliable, although not warrantable, method for detecting these
types of attacks and we offer it as an example of how Argus data can be
used in intrusion detection.  We also highly recommend the development
of these types of Argus data analysis tools.


Individual Privacy

Network transaction auditing may be perceived as having an impact on
individual privacy.  This is a real issue and should not be trivialized.

The protection of an individual's right to privacy was a critical design
feature of Argus, and dictated that Argus not scan datagrams beyond the
Transport Layer Header data.  The need to gather information from the
network for the purposes of network management must be balanced with the
requirement to preserve an individual's right to privacy.  We do not
recommend that implementors extend this type of network management
analysis beyond the Transport Layer, without considering the impact on
the individual's right to privacy.


Implementation Platforms

Argus has been ported and tested under SunOS 4.x, Solaris 2.x, SGI IRIX5.x,
DEC Ultrix, and Linux.

The issue of portability has been principally addressed by the use of
libpcap-0.x.x.  Argus, itself, has been written assuming a BSD environment,
and is designed around the select() and socket() facilities.  Porting
to environments that do not supply these features, may be problematic.
We suspect that you may run into some problems when porting -- please
send us the patches if you fix any porting problems.  We will be very
grateful.
