High-Performance Network Activity Analytics with Argus

  • Date: 18 May 2015, 09:30 to 11:30

  • Venue: sala Venturi, CNAF, viale Berti Pichat, 6/2, BO

Contact person:

Participants: Carter Bullard (QoSient)

Abstract:

Argus is an open source layer 2+ auditing tool (including IP audit) that has been under development for over 25 years. It can support network security management and network forensics, and it can easily be adapted into a network activity monitoring system that answers a variety of activity questions, such as bandwidth utilization. It can also track network performance through the stack and capture higher-level protocol data. With additional mining techniques, such as moving averages, Argus data can be used for "spike tracking" across many of its fields.

With the right strategies, Argus data can be mined to determine whether you were attacked or compromised in the past, once an attack has been announced and indicators of compromise (IOCs) have been established. Historical flow data can be used in forensic investigations months, or even years, after an incident has taken place. Argus flow records offer up to a 10,000:1 reduction from the size of the packets observed to the record written to disk, which lets installations retain records far longer than full packet captures.
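The two mining techniques the abstract mentions, moving-average spike tracking and a retrospective IOC hunt over historical flow records, are illustrated below. This is an added example written for this page, not Argus code and not the speaker's material. It assumes flow records have been exported as CSV with columns named after Argus's `ra -s` fields (`stime`, `saddr`, `daddr`, `dport`, `proto`, `bytes`); the records themselves, the time bin of 60 seconds and the 3x threshold are constructed for the demonstration.

```python
"""Mining Argus-style flow records: moving-average spike tracking and a
retrospective IOC hunt.  Added example, not Argus code: the CSV layout
mirrors `ra -c , -s stime,saddr,daddr,dport,proto,bytes` (assumed field
names) and every record below is constructed."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timezone
from statistics import mean

T0 = 1431941400  # constructed start time: 2015-05-18 09:30:00 UTC


def constructed_csv():
    """Ten minutes of steady HTTPS and DNS traffic, plus a small beacon and a
    bulk transfer to one external address (all values made up)."""
    lines = ["stime,saddr,daddr,dport,proto,bytes"]
    for k in range(10):
        t = T0 + 60 * k
        lines.append(f"{t + 5},10.0.0.5,192.0.2.10,443,tcp,6000")
        lines.append(f"{t + 30},10.0.0.7,192.0.2.20,53,udp,400")
    lines.append(f"{T0 + 2 * 60 + 40},10.0.0.5,198.51.100.7,443,tcp,900")     # beacon
    lines.append(f"{T0 + 7 * 60 + 40},10.0.0.5,198.51.100.7,443,tcp,240000")  # bulk transfer
    return "\n".join(lines) + "\n"


def load_flows(text):
    """Parse CSV flow records; stime is Unix seconds, bytes is the flow total."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({"stime": int(row["stime"]), "saddr": row["saddr"],
                      "daddr": row["daddr"], "dport": int(row["dport"]),
                      "proto": row["proto"], "bytes": int(row["bytes"])})
    return flows


def bin_bytes(flows, width=60):
    """Total bytes per fixed-width time bin (the kind of series rabins
    produces), with empty bins filled in as zero so the series is continuous."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["stime"] - f["stime"] % width] += f["bytes"]
    if not totals:
        return []
    first, last = min(totals), max(totals)
    return [(t, totals.get(t, 0)) for t in range(first, last + width, width)]


def find_spikes(series, window=5, factor=3.0, min_avg=1.0):
    """Flag a bin whose value exceeds `factor` times the trailing moving
    average of the last `window` unflagged bins.  Flagged bins are kept out
    of the baseline so one burst does not hide the bins that follow it."""
    baseline = deque(maxlen=window)
    spikes = []
    for t, value in series:
        if len(baseline) == window:
            avg = mean(baseline)
            if avg >= min_avg and value > factor * avg:
                spikes.append((t, value, avg))
                continue
        baseline.append(value)
    return spikes


def hunt_iocs(flows, bad_addrs, bad_endpoints=()):
    """Retrospective IOC match over historical records: a bad address on
    either side of the flow, or a bad (daddr, dport) pair.  Hits are returned
    in time order, so the first one is the earliest known contact."""
    addrs, endpoints = set(bad_addrs), set(bad_endpoints)
    hits = []
    for f in sorted(flows, key=lambda f: f["stime"]):
        why = []
        if f["saddr"] in addrs or f["daddr"] in addrs:
            why.append("addr")
        if (f["daddr"], f["dport"]) in endpoints:
            why.append("endpoint")
        if why:
            hits.append({**f, "why": why})
    return hits


def main():
    flows = load_flows(constructed_csv())
    for t, value, avg in find_spikes(bin_bytes(flows)):
        when = datetime.fromtimestamp(t, tz=timezone.utc)
        print(f"spike {when:%Y-%m-%d %H:%M}Z: {value} bytes vs avg {avg:.0f}")
    hits = hunt_iocs(flows, bad_addrs={"198.51.100.7"},
                     bad_endpoints={("203.0.113.9", 8443)})
    if hits:
        first = datetime.fromtimestamp(hits[0]["stime"], tz=timezone.utc)
        print(f"{len(hits)} IOC hits, first contact {first:%Y-%m-%d %H:%M:%S}Z")
        for h in hits:
            print(f"  {h['saddr']} -> {h['daddr']}:{h['dport']} "
                  f"{h['bytes']} bytes ({','.join(h['why'])})")


if __name__ == "__main__":
    main()
```

On the constructed data the bulk transfer at 09:37 is the only bin flagged, while the IOC hunt finds the 900-byte beacon five minutes before it; that earlier, low-volume contact is exactly what a volume-based detector misses and what retained flow records let you recover after the IOC becomes known. In a real deployment the binning would come from rabins or racluster rather than a CSV reload, the window would span days rather than minutes so that daily and weekly cycles are part of the baseline, and the IOC set would be far larger than two entries.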

Where network security is critical, non-repudiation becomes a key requirement that must be provided throughout the network. Argus provides the basic data needed to build a centralized network activity audit system. Done properly, such a system can account for all network activity into and out of an enclave, which gives you the basis for assuring that no one can deny having done something on the network.