Carter Bullard <carter <at> qosient.com>
2006-09-08 14:11:04 GMT
The changes between 2.x and 3.0 are rather extensive, and of
course the 3.0 branch has a few bugs still, so a description of the
actual changes that impact directionality is probably a bit premature.
I can say, however, what we're trying to achieve. Argus, from v
has tried very hard to determine the originator of a flow, so that for
protocols such as UDP/TCP, the destination port number would represent
the actual service port number of the flow. This has worked well, in
symmetric and asymmetric routing networks, but it can be fooled by
stealthy scan methods (TCP syn_ack and some rare RST
scans can be reported to be going in the opposite direction).
Before 3.0, Argus would try to do the directionality, but in 3.0, we're
shifting that responsibility to the clients. The goal is to make Argus
less complex and accurate for what it observes (rather than what
it think it observes), which should enable the client the flexibility to
"correct" the direction if the user wants that functionality (that will
be the default). The concept is that argus will tell you what was on
the wire, with enough additional information so that the clients can
figure out what it really means, if anything.
In our testing, we're close, and I'm working on fixing a bug that Peter
noticed. Once we're done, Argus 3.0 should be considered more
accurate than Argus 2.x.
If you'd like more detail on how the directionality is reported, send
email and I'll try to fill in the gaps.