Some ideas for rafilteraddr

Terry Burton tez at terryburton.co.uk
Tue Nov 13 10:58:55 EST 2007


Hi Carter,

Here are some ideas that are not high priority but may be useful
for other users too...


Background:

On our network we have a policy that each device must be registered
before it is connected to our network. An authips.txt file containing
the authorised IP addresses is created from the registration database.
I am using rafilteraddr to get a real time view of non-compliant
traffic:

rafilteraddr -m saddr -vf .../authips.txt -S localhost:569 -w
.../unreg.log - src net xxx.yyy.0.0/16

Since devices are being registered and deregistered all of the time it
is necessary to update the authips.txt file every five minutes and to
then restart the rafilteraddr process.


Wishlist:

It would be very useful to be able to throw a SIGHUP (or similar) at
the rafilteraddr process with the effect that it reparses the address
filter file (preferably without loss of data, but this is not a
critical requirement).

It would also be useful to have rafilteraddr run as a daemon with
reliable connection support, bound to a local port so that it can be
simultaneously attached to by argus clients - I'm thinking of multiple
network admins running ratop whilst a rasplit client handles the
logging. With this in mind, I'm wondering whether it would be easier to
fold the "-f" and "-vf" functionality into rastream rather than have
rafilteraddr as a separate application?

Anyway, all of these are wishes rather than needs since similar
functionality can be obtained through careful scripting and multiple
processes.


All the best,

Tez
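
The SIGHUP reload asked for above, as an added example that is not part of the original post or of argus: a small stand-in filter that keeps the authorised-address set in memory, re-reads the file when signalled, and keeps the old set if the new file cannot be parsed, instead of being restarted every five minutes. Everything in it is hypothetical: the one-address-or-CIDR-per-line file format with '#' comments, the (source address, raw line) record shape, and the constructed sample records are all assumptions for the demo, not rafilteraddr's own format or code.

```python
"""Added example, not part of the original post or of argus: a stand-in for
the wished-for SIGHUP behaviour, a filter that keeps an authorised-address
set in memory and re-reads the file when signalled, instead of being
restarted every five minutes.

Hypothetical assumptions (nothing here is rafilteraddr's own code or format):
  - the authorised file holds one IPv4/IPv6 address or CIDR network per
    line; blank lines and '#' comments are ignored, bad lines are skipped.
  - a "record" is just (source address, raw line); the sample records in
    __main__ are constructed for the demo.
"""
import ipaddress
import signal
import sys


def parse_authorised(lines):
    """Parse address-file lines into (host set, network list).

    Single addresses go into a set for O(1) lookup; networks are kept in a
    list and checked by containment.  Unparseable lines are skipped so one
    typo in the registration export does not take down the whole filter.
    """
    hosts, nets = set(), []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "/" in entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
            else:
                hosts.add(ipaddress.ip_address(entry))
        except ValueError:
            print(f"skipping unparseable entry: {entry!r}", file=sys.stderr)
    return hosts, nets


def load_authorised(path):
    """Read the authorised file from disk (hypothetical format, see above)."""
    with open(path, encoding="ascii") as fh:
        return parse_authorised(fh)


def is_authorised(saddr, auth):
    hosts, nets = auth
    addr = ipaddress.ip_address(saddr)
    return addr in hosts or any(addr in net for net in nets)


class ReloadingFilter:
    """Stand-in for 'rafilteraddr -m saddr [-v] -f FILE' with a live reload.

    The signal handler only sets a flag; the actual re-read happens between
    records in the processing loop, so no record is lost or half-handled
    while the file is reparsed.  If the new file is unreadable or empty of
    sense, the old set stays in force.
    """

    def __init__(self, auth, invert=False, loader=None):
        self.auth = auth          # (hosts, nets) currently in force
        self.invert = invert      # True: pass records NOT in the file (-v)
        self.loader = loader      # callable returning a fresh (hosts, nets)
        self.pending = False
        self.reloads = 0

    def request_reload(self, signum=None, frame=None):
        self.pending = True       # no I/O inside the signal handler

    def maybe_reload(self):
        """Reparse if a reload was requested; return True on success."""
        if not self.pending or self.loader is None:
            return False
        self.pending = False
        try:
            self.auth = self.loader()
        except (OSError, ValueError) as exc:
            print(f"reload failed, keeping old list: {exc}", file=sys.stderr)
            return False
        self.reloads += 1
        return True

    def passes(self, saddr):
        return is_authorised(saddr, self.auth) != self.invert

    def run(self, records):
        """Yield the records that pass; reload between records if asked."""
        for saddr, line in records:
            self.maybe_reload()
            if self.passes(saddr):
                yield saddr, line


if __name__ == "__main__":
    # Constructed demo input standing in for the registration export and a
    # few flow records; real use would read the file named on the command
    # line (load_authorised) and records from an argus stream.
    first = ["10.1.2.3", "10.1.5.0/24  # lab", "not-an-address"]
    later = ["10.1.2.3", "10.1.5.0/24", "10.1.9.9"]   # 10.1.9.9 registered
    flt = ReloadingFilter(parse_authorised(first), invert=True,
                          loader=lambda: parse_authorised(later))
    if hasattr(signal, "SIGHUP"):
        signal.signal(signal.SIGHUP, flt.request_reload)  # kill -HUP <pid>
    records = [("10.1.2.3", "flow A"), ("10.1.9.9", "flow B"),
               ("10.1.5.7", "flow C")]
    for saddr, line in flt.run(records):
        print("unregistered:", saddr, line)   # only flow B until a reload
```

One caveat for the generator side: whatever writes authips.txt every five minutes should write to a temporary file and rename it into place, otherwise a reload that lands mid-write sees a truncated list and, with -v, briefly reports registered hosts as unregistered.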
