Some ideas for rafilteraddr

Carter Bullard carter at qosient.com
Wed Nov 14 09:03:46 EST 2007


Hey Terry,
To get near realtime responsiveness, you need to process near realtime data streams, or dataflow machines, and radium is the tool for building and managing streams of argus data.  The "-d" and "-P" options are really just radium functions, and so you're going right down the same path I'm going down.

I can add the SIGHUP before release, that is real easy.  It will be specific to reading the "-f" file, not the .rarc file.

If it errors parsing the file, it will syslog(), but continue using the previous set of addresses, rather than stop?

I'll make it so all ra* programs act like radium() at some point, daemonizable, [de]multiplexor, reliable connections, strong encryption, etc .... Probably in argus-3.1.

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
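The reload behaviour Carter describes above (re-read the "-f" address file on SIGHUP, log a parse error and keep the previous set of addresses rather than stop), written out as an added example. This is not argus or rafilteraddr code: it assumes a file with one address or CIDR block per line, reads source addresses from stdin as a stand-in for the argus stream, and reports through Python's logging module instead of syslog(). The `invert` flag plays the role of rafilteraddr's "-v".

```python
"""Reload an address allow-list on SIGHUP, keeping the old list on parse errors.

Added example, not argus/ra* code. The filter file is re-read on SIGHUP; a
parse failure (or unreadable file) is logged and the previously loaded
addresses stay in force, so the process never runs with an empty or
half-parsed list.
"""
import ipaddress
import logging
import signal
import sys

log = logging.getLogger("addrfilter")


def parse_addr_file(text):
    """Parse one address or CIDR per line; '#' comments and blank lines ignored.

    Raises ValueError naming the offending line so the caller can keep the
    previous set instead of silently filtering on a partial list.
    """
    nets = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets "10.1.2.3/24" mean the /24 containing that host
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    if not nets:
        # Design choice for this example: an empty allow-list almost certainly
        # means the file generation failed, so treat it as a parse error.
        raise ValueError("address file contains no addresses")
    return frozenset(nets)


class AddrFilter:
    """Holds the current allow-list; invert=True emits sources NOT in the list."""

    def __init__(self, path, invert=False):
        self.path = path
        self.invert = invert
        self.nets = frozenset()
        self.generation = 0            # incremented on every successful load
        self._reload_requested = False

    def load_text(self, text):
        """Replace the address set atomically; on error keep the old one."""
        try:
            new = parse_addr_file(text)
        except ValueError as exc:
            log.error("keeping %d previous address blocks: %s", len(self.nets), exc)
            return False
        self.nets = new                # one attribute swap: never a partial set
        self.generation += 1
        log.info("loaded %d address blocks", len(new))
        return True

    def reload(self):
        try:
            with open(self.path) as fh:
                text = fh.read()
        except OSError as exc:
            log.error("keeping previous addresses, cannot read %s: %s", self.path, exc)
            return False
        return self.load_text(text)

    def request_reload(self, *_):
        # Signal handler: only set a flag; file I/O happens in the main loop
        # between records, so no record is dropped during a reload.
        self._reload_requested = True

    def reload_if_requested(self):
        if self._reload_requested:
            self._reload_requested = False
            return self.reload()
        return None

    def listed(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in self.nets)

    def passes(self, saddr):
        """True if the record should be emitted for this source address."""
        hit = self.listed(saddr)
        return (not hit) if self.invert else hit


def main(argv):
    path = argv[1] if len(argv) > 1 else "authips.txt"   # assumed file name
    logging.basicConfig(level=logging.INFO)
    flt = AddrFilter(path, invert=True)
    if not flt.reload():                                 # first load must succeed
        return 1
    if hasattr(signal, "SIGHUP"):                        # absent on Windows
        signal.signal(signal.SIGHUP, flt.request_reload)
    for line in sys.stdin:          # stand-in for the argus stream: one saddr per line
        flt.reload_if_requested()
        saddr = line.strip()
        if saddr and flt.passes(saddr):
            print(saddr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 addrfilter.py authips.txt < sources.txt`, regenerate the file from the registration database, then `kill -HUP` the process: the new set takes effect at the next record. If the regenerated file is malformed, the error is logged and the last good set keeps filtering, which is the failure mode a five-minute cron rebuild needs to survive.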

-----Original Message-----
From: "Terry Burton" <tez at terryburton.co.uk>

Date: Tue, 13 Nov 2007 15:58:55
To: "Carter Bullard" <carter at qosient.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Subject: Some ideas for rafilteraddr


Hi Carter,

Here are some ideas that are not high priority but they may be useful
for other users too...


Background:

On our network we have a policy that each device must be registered
before it is connected to our network. An authips.txt file containing
the authorised IP addresses is created from the registration database.
I am using rafilteraddr to get a real time view of non-compliant
traffic:

rafilteraddr -m saddr -vf .../authips.txt -S localhost:569 -w .../unreg.log - src net xxx.yyy.0.0/16

Since devices are being registered and deregistered all of the time it
is necessary to update the authips.txt file every five minutes and to
then restart the rafilteraddr process.


Wishlist:

It would be very useful to be able to throw a SIGHUP (or similar) at
the rafilteraddr process with the effect that it reparses the address
filter file (preferably without loss of data, but this is not a
critical requirement).

It would also be useful to have rafilteraddr run as a daemon with
reliable connection support, bound to a local port so that it can be
simultaneously attached to by argus clients - I'm thinking of multiple
network admins running ratop whilst a rasplit client handles the
logging. With this in mind, I'm wondering whether it would be easier to
fold the "-f" and "-vf" functionality into rastream rather than have
rafilteraddr as a separate application?

Anyway, all of these are wishes rather than needs since similar
functionality can be obtained through careful scripting and multiple
processes.


All the best,

Tez


