I am setting up a trial of Argus at my company as a diagnostic tool. We have a collector box attached to a monitoring port on our switch, and the initial plan is to redirect ports with unusual traffic to the collector and then analyze it to get troubleshooting info.
I need to sell this before I can pitch a more consistent monitoring solution, which I know is the real strength of this type of application.
The initial reports will be all on the command line, so reducing the information presented to a manageable level is key.
My question is this: From both a security and troubleshooting point of view, what information would be most valuable? What reports should I have preconfigured?
I have already thought of:
- Listing of addresses currently talking on the port (our network map is horrible)
- Protocol distribution
- Current flows for a specific IP address
Maybe one on packet loss or broken connections? (not sure if I can do that last one)
Thanks, I wish I had the background to answer this, but I'm working hard to get there.
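One way to turn the reports listed above into something manageable on the command line, as an added example that is not part of the original post and not code from the Argus project: a small script that reads delimited `ra` output and reduces it to the four reports the question asks about (addresses seen, protocol distribution, flows for one host, flows with packet loss). It assumes the collector records were exported with something like `ra -r argus.out -n -c , -s saddr daddr proto sport dport pkts bytes sloss dloss`; the sample records embedded below are constructed for illustration, not captured traffic.

```python
"""Reduce comma-delimited Argus `ra` output to a few preconfigured reports.

Added example, not from the original post or from the Argus project.
Assumed export command (the -c , option makes the fields comma-separated,
-n suppresses name resolution, -s selects the fields):

    ra -r argus.out -n -c , -s saddr daddr proto sport dport pkts bytes sloss dloss
"""
from collections import Counter

# Constructed sample of what that ra command would print. Not real traffic.
SAMPLE_RA_OUTPUT = """\
saddr,daddr,proto,sport,dport,pkts,bytes,sloss,dloss
10.1.2.10,10.1.2.1,udp,51023,53,2,180,0,0
10.1.2.10,93.184.216.34,tcp,49211,443,40,31200,0,0
10.1.2.44,10.1.2.1,udp,40001,53,2,170,0,0
10.1.2.44,10.1.2.10,tcp,3389,55123,12,2210,3,0
10.1.2.7,10.1.2.10,icmp,0,0,4,392,0,0
10.1.2.10,10.1.2.200,tcp,49877,445,18,4100,0,2
"""

FIELDS = ("saddr", "daddr", "proto", "sport", "dport", "pkts", "bytes", "sloss", "dloss")
INT_FIELDS = ("pkts", "bytes", "sloss", "dloss")


def parse_ra(text):
    """Parse delimited ra output into a list of dicts; a leading label line is skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        if parts[0] == "saddr":  # column labels emitted by ra
            continue
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def addresses_seen(flows):
    """Report 1: every address talking on the mirrored port, with total bytes it took part in."""
    totals = Counter()
    for f in flows:
        totals[f["saddr"]] += f["bytes"]
        totals[f["daddr"]] += f["bytes"]
    return dict(totals)


def protocol_distribution(flows):
    """Report 2: share of all bytes per protocol (rounded to three places)."""
    per_proto = Counter()
    for f in flows:
        per_proto[f["proto"]] += f["bytes"]
    total = sum(per_proto.values())
    return {proto: round(nbytes / total, 3) for proto, nbytes in per_proto.items()}


def flows_for_host(flows, ip):
    """Report 3: flows in which ip is source or destination, as (src, dst, proto, dport)."""
    return [(f["saddr"], f["daddr"], f["proto"], f["dport"])
            for f in flows if ip in (f["saddr"], f["daddr"])]


def lossy_flows(flows):
    """Report 4: flows where either side's loss counter is non-zero (a quick 'broken connection' hint)."""
    return [(f["saddr"], f["daddr"], f["proto"], f["sloss"], f["dloss"])
            for f in flows if f["sloss"] or f["dloss"]]


if __name__ == "__main__":
    flows = parse_ra(SAMPLE_RA_OUTPUT)
    print("addresses seen:", addresses_seen(flows))
    print("protocol distribution:", protocol_distribution(flows))
    print("flows for 10.1.2.44:", flows_for_host(flows, "10.1.2.44"))
    print("flows with loss:", lossy_flows(flows))
```

To use it on a real collector, pipe the `ra` command from the docstring into a file and pass that text to `parse_ra`; keeping each report in its own function makes it easy to wire them to separate aliases or cron jobs once the trial becomes continuous monitoring.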