Argos

Documentation

Quick start

You can follow the instructions bellow to quickly launch an already setup Windows 2000 image. It is assumed that the guest OS is using a network address in 172.20.0.0/24.

• Copy file argos-ifup to /etc
• Use the following script to launch your OS image win2k.img.
  #!/bin/sh
  
  iface=`sudo tunctl -b -u $USER`
  argos -localtime -hda win2k.img -m 512 -win2k -net nic \
  -net tap,ifname=$iface -snapshot
  sudo tunctl -d $iface
  
• To avoid getting continuous requests for your password, run visudo and add the following line:
  username ALL=(ALL) NOPASSWD: /usr/bin/tunctl
  Replace username with your username, and make sure tunctl is in the same location as shown above

Scientific Papers

• Argos: an Emulator for Fingerprinting Zero-Day Attacks [bibtex]
• Eudaemon: Involuntary and On-Demand Emulation Against Zero-Day Exploits [bixtex]
• SweetBait: Zero-Hour Worm Detection and Containment Using Low- and High-Interaction Honeypots [bibtex]
• The Age of Data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack (Prospector) [bibtex]

Guides, howtos, and FAQs

• Argos user guide
• How to from the Nepenthes project
• How to install a guest operating system to use with Argos
• How to configure the network for an Argos based honeypot
• How to interpret the logs generated by Argos
• Frequently asked questions (F.A.Q.)
• Argos control socket protocol
• How to use the snitch script for additional forensics

Related projects

• Integrating Argos with SURFids
• Argos setup as part of the NoAH architecture

If you have a link or document that also writes about Argos please email one of the authors, or the developers mailing list.

Quick Links

• Downloads
• Mailing list
• VU Amsterdam
• Student Projects