rafilteraddr

CS Lee geek00l at gmail.com
Thu Oct 4 13:51:28 EDT 2007


Hi Carter,

Thanks for the explanation, I will try it out for sure.

Another nifty tool that is worth looking at; you are right that it slows down
tremendously when we need to filter a big range of IPs.

On 10/5/07, Carter Bullard <carter at qosient.com> wrote:
>
> Hey CS Lee, you have found an important program when you want to filter an
> argus data stream against more than, say, 100 IP addresses, or ranges at a time.
>
> The compiler we have in the general ra* programs is not an efficient
> filter, although it's not terrible.  Problem is it doesn't really scale
> well with lots of objects.  With each record we have to linearly process each
> record against the same filter rule set.  Good for some things, not good
> for searching a list of say 1500 IP addresses.
>
> Once the filter has over 100 elements, it does start to bog down, so
> I implemented an alternate filtering scheme for addresses that builds
> a patricia tree, and we use it as an address filter.
>
> It has a lot of features, but primarily, you give it a file with a bunch
> of addresses, the format is:
>
>    address[[/xx]-address[/xx]]\n
>
> So you have a file with something like this (call it address.file):
>    192.168.12.3
>    192.168.11.0/24-192.168.57.13
>    192.168.57.54
>    192.168.128.3
>
> and then you run rafilteraddr:
>
>    rafilteraddr -f address.file -r file
>
> and you should get the records that match.  I'll add the ability to
> have a more general format, with commas, etc... before the release
> and add a man page.
>
> Carter
>
>
>
> On Oct 4, 2007, at 12:39 PM, CS Lee wrote:
>
> Hi all,
>
> Argus 3 is near, so I start to have a look again while having no chance to
> use it on a production network yet. Anyway, just reporting that it compiles fine
> on Ubuntu 7.04.
>
> I have noticed there's a tool called rafilteraddr added. What's the use
> of it, as we can use the filter expression to filter addresses? I would like
> to know the exact purpose of adding it to the argus client suite.
>
> I will definitely test out the country code printing, one of the neat features
> that I would like to see though.
>
> Thanks.
>
> --
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> http://geek00l.blogspot.com
>
>
>


-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>

http://geek00l.blogspot.com
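To make concrete why Carter's address file beats a long linear filter expression, here is an added example (not part of the argus source or of either poster's code) that parses the `address[[/xx]-address[/xx]]` format he describes, expands each range into covering CIDR prefixes, and stores them in a binary prefix trie so that checking a record costs one walk over the address bits instead of one comparison per listed address. The trie is a plain bitwise trie rather than argus's path-compressed patricia tree, the flow records are constructed, and the rule that a record matches when either endpoint is listed is an assumption about rafilteraddr's semantics, not something the thread states.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed address list in the format described on the thread:
# address[[/xx]-address[/xx]], one entry per line (same values as address.file).
ADDRESS_FILE = """\
192.168.12.3
192.168.11.0/24-192.168.57.13
192.168.57.54
192.168.128.3
"""

# Constructed (saddr, daddr) pairs standing in for argus flow records.
FLOWS: List[Tuple[str, str]] = [
    ("10.0.0.5", "192.168.12.3"),        # dst listed explicitly
    ("192.168.30.77", "10.0.0.9"),       # src inside the range entry
    ("192.168.57.14", "10.0.0.9"),       # one past the range end: no match
    ("192.168.57.54", "8.8.8.8"),        # src listed explicitly
    ("192.168.200.1", "192.168.129.3"),  # neither endpoint listed
]


def parse_entry(entry: str) -> List[ipaddress._BaseNetwork]:
    """Turn one address-file line into the CIDR prefixes that cover it."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return []
    if "-" in entry:
        lo_text, hi_text = entry.split("-", 1)
        lo = ipaddress.ip_network(lo_text.strip(), strict=False)
        hi = ipaddress.ip_network(hi_text.strip(), strict=False)
        # Range runs from the first address of the low side to the last
        # address of the high side; summarize_address_range returns the
        # minimal set of prefixes covering it (raises ValueError if lo > hi).
        return list(ipaddress.summarize_address_range(
            lo.network_address, hi.broadcast_address))
    # A bare address becomes a host prefix (/32 or /128).
    return [ipaddress.ip_network(entry, strict=False)]


class PrefixTrie:
    """Binary trie keyed on address bits; any stored prefix on the path
    to an address means the address is covered (a yes/no filter, so no
    longest-match bookkeeping is needed)."""

    __slots__ = ("children", "terminal")

    def __init__(self) -> None:
        self.children: List[Optional["PrefixTrie"]] = [None, None]
        self.terminal = False

    def insert(self, net: ipaddress._BaseNetwork) -> None:
        node = self
        bits, width = int(net.network_address), net.max_prefixlen
        for i in range(net.prefixlen):
            bit = (bits >> (width - 1 - i)) & 1
            if node.children[bit] is None:
                node.children[bit] = PrefixTrie()
            node = node.children[bit]
        node.terminal = True

    def contains(self, addr: ipaddress._BaseAddress) -> bool:
        node = self
        bits, width = int(addr), addr.max_prefixlen
        for i in range(width):
            if node.terminal:          # a shorter prefix already covers addr
                return True
            nxt = node.children[(bits >> (width - 1 - i)) & 1]
            if nxt is None:
                return False
            node = nxt
        return node.terminal           # exact host prefix


def build_filter(text: str) -> Dict[int, PrefixTrie]:
    """One trie per address family so v4 and v6 bit patterns never collide."""
    tries = {4: PrefixTrie(), 6: PrefixTrie()}
    for line in text.splitlines():
        for net in parse_entry(line):
            tries[net.version].insert(net)
    return tries


def address_matches(tries: Dict[int, PrefixTrie], ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    return tries[addr.version].contains(addr)


def filter_flows(tries: Dict[int, PrefixTrie],
                 flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Assumed semantics: keep a record if either endpoint is listed."""
    return [f for f in flows
            if address_matches(tries, f[0]) or address_matches(tries, f[1])]


FILTER = build_filter(ADDRESS_FILE)

if __name__ == "__main__":
    for flow in filter_flows(FILTER, FLOWS):
        print("match:", flow)
```

The range entry `192.168.11.0/24-192.168.57.13` is the interesting case: a linear filter expression would need one comparison per listed element, while here it collapses into a handful of prefixes and every lookup is bounded by the 32 (or 128) bits of the address regardless of how many entries the file holds.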