rafilteraddr

Carter Bullard carter at qosient.com
Thu Oct 4 13:43:59 EDT 2007


Hey CS Lee,
You have found an important program when you want to filter an argus
data stream against more than, say, 100 IP addresses, or ranges at a time.

The compiler we have in the general ra* programs is not an efficient
filter, although it's not terrible.  Problem is it doesn't really scale well
with lots of objects.  With each record we have to linearly process the
record against the same filter rule set.  Good for some things, not good
for searching a list of say 1500 IP addresses.

Once the filter has over 100 elements, it does start to bog down, so
I implemented an alternate filtering scheme for addresses that builds
a patricia tree, and we use it as an address filter.

It has a lot of features, but primarily, you give it a file with a
bunch of addresses.  The format is:

    address[[/xx]-address[/xx]]\n

So you have a file with something like this (call it address.file):
    192.168.12.3
    192.168.11.0/24-192.168.57.13
    192.168.57.54
    192.168.128.3

and then you run rafilteraddr:

    rafilteraddr -f address.file -r file

and you should get the records that match.  I'll add the ability to
have a more general format, with commas, etc... before the release
and add a man page.

Carter



On Oct 4, 2007, at 12:39 PM, CS Lee wrote:

> Hi all,
>
> Argus 3 is near so I start to have a look again while having no  
> chance to use it on production network yet. Anyway just report that  
> it compiles fine on Ubuntu 7.04.
>
> I have noticed there's a tool called rafilteraddr added, so what's  
> the use of it as we can use the filter expression to filter address  
> so I would like to know the exact purpose of it added to the argus  
> client suite.
>
> I will definitely test out the country code printing, one of the neat  
> features that I would like to see though.
>
> Thanks.
>
> -- 
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> http://geek00l.blogspot.com
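To make the two ideas in the reply concrete, here is an added example (not argus code, and not Carter's implementation) that parses the `address[[/xx]-address[/xx]]` file format shown above, expands each entry into CIDR prefixes, and loads them into a binary bit-trie, the uncompressed form of the patricia tree the mail describes, so that a lookup costs at most one step per address bit regardless of how many entries the file holds. A linear scan over the same prefixes is kept alongside for comparison. The sample address file reuses the four entries from the mail; the flow records and the choice to match on either source or destination address are constructed assumptions, since the mail does not say which fields rafilteraddr tests.

```python
import ipaddress

# Constructed sample address file in the address[[/xx]-address[/xx]] format
# from the mail (the same four entries Carter shows).
ADDRESS_FILE = """\
192.168.12.3
192.168.11.0/24-192.168.57.13
192.168.57.54
192.168.128.3
"""


def _endpoint(tok, last):
    """Resolve 'addr' or 'addr/xx' to its first (or, if last=True, final) address."""
    if "/" in tok:
        net = ipaddress.ip_network(tok, strict=False)
        return net.broadcast_address if last else net.network_address
    return ipaddress.ip_address(tok)


def entry_to_prefixes(line):
    """Expand one address.file line into the list of CIDR prefixes it covers."""
    line = line.strip()
    if "-" in line:
        lo_tok, hi_tok = line.split("-", 1)
        lo, hi = _endpoint(lo_tok, last=False), _endpoint(hi_tok, last=True)
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(line, strict=False)]


def load_address_file(text):
    """Parse a whole address file; blank lines and '#' comments are ignored."""
    prefixes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            prefixes.extend(entry_to_prefixes(line))
    return prefixes


class _Node:
    __slots__ = ("child", "terminal")

    def __init__(self):
        self.child = [None, None]   # one branch per address bit value
        self.terminal = False       # True when a prefix ends at this node


class PrefixTrie:
    """Binary trie over address bits. Lookup cost is bounded by the address
    width (32 bits for IPv4), not by the number of entries loaded."""

    def __init__(self):
        self.root = _Node()

    def insert(self, net):
        node, value, width = self.root, int(net.network_address), net.max_prefixlen
        for i in range(net.prefixlen):
            bit = (value >> (width - 1 - i)) & 1
            if node.child[bit] is None:
                node.child[bit] = _Node()
            node = node.child[bit]
        node.terminal = True

    def contains(self, addr):
        addr = ipaddress.ip_address(addr)
        node, value, width = self.root, int(addr), addr.max_prefixlen
        for i in range(width):
            if node.terminal:           # an enclosing prefix matched already
                return True
            node = node.child[(value >> (width - 1 - i)) & 1]
            if node is None:
                return False
        return node.terminal            # exact /32 (or /128) entry


def linear_match(prefixes, addr):
    """The per-record linear scan the mail says bogs down past ~100 elements."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in prefixes)


def build_filter(text):
    trie = PrefixTrie()
    for net in load_address_file(text):
        trie.insert(net)
    return trie


def filter_records(records, trie):
    """Keep records whose source or destination address is in the trie
    (assumption: the mail does not say which fields rafilteraddr tests)."""
    return [r for r in records
            if trie.contains(r["saddr"]) or trie.contains(r["daddr"])]


# Constructed flow records standing in for argus output.
RECORDS = [
    {"saddr": "192.168.12.3",  "daddr": "10.1.1.1"},
    {"saddr": "10.1.1.2",      "daddr": "192.168.40.77"},
    {"saddr": "192.168.57.14", "daddr": "10.1.1.3"},
    {"saddr": "10.1.1.4",      "daddr": "192.168.57.54"},
    {"saddr": "172.16.0.5",    "daddr": "10.1.1.5"},
]

if __name__ == "__main__":
    trie = build_filter(ADDRESS_FILE)
    for r in filter_records(RECORDS, trie):
        print(r["saddr"], "->", r["daddr"])
```

The range entry is the interesting case: `192.168.11.0/24-192.168.57.13` runs from the first address of the /24 to the literal end address, so it expands to several prefixes and covers addresses such as 192.168.40.77 that none of the individual entries name, while 192.168.57.14 falls just outside it and is dropped.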
