Argus-info Digest, Vol 44, Issue 21

CS Lee geek00l at gmail.com
Wed Apr 15 12:17:55 EDT 2009


Hi Mark,

It's not wise to make use of the Team Cymru IP-to-ASN service that way; it's
better to have a local database. Even Team Cymru is not encouraging heavy use
of the service like that. Plus we can't beat the speed of having a local DB,
and we can just keep updating the local DB.

GeoLite City is alright; you can't beat the price of being free. ASN mapping
is something I'm really looking forward to, if we can have it in argus.

Cheers ;]

On Thu, Apr 16, 2009 at 12:00 AM,
<argus-info-request at lists.andrew.cmu.edu> wrote:

> Today's Topics:
>
>   1. Re:  argus client regex matching (Carter Bullard)
>   2. Re:  Maxmind based Geo-location and ra* programs (Carter Bullard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 15 Apr 2009 11:34:24 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] argus client regex matching
> To: CS Lee <geek00l at gmail.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <69BC9DC6-741C-40B6-899B-230500EB071E at qosient.com>
> Content-Type: text/plain; charset="us-ascii"
>
> So looking at tools like ngrep(), it's pretty clear that most bypass the
> regex() library when matching binary patterns in binary buffers.
> ngrep() has the "-X" option to declare that the matching string is
> a hex number.
>
> Not sure why this is broken, but regex() may not be the correct library
> to use here?  Does anyone have any understanding as to why regex()
> is the wrong way to go, when trying to match in binary buffers?
>
> Carter
>
>
> On Apr 15, 2009, at 11:18 AM, Carter Bullard wrote:
>
> > Hey CS Lee,
> > Hmmmmm, well I can't get grep() to match a binary file using the type
> > of pattern you are using either; for that matter, I can't get egrep() to
> > match a binary file using '-e "\x2C"', but I can get it to match using
> > '-e ","' (match a ",").  \x2C is the hexadecimal for comma.
> >
> > This is on my Mac OS X (Leopard).
> >
> > So, I'm not sure what I'm supposed to think about that.  What do you
> > think?
> >
> > Carter
> >
> > On Apr 15, 2009, at 12:41 AM, CS Lee wrote:
> >
> >> Hi Carter,
> >>
> >> I have reported this previously too, about the regex matching to
> >> grep the flow based on the user data bytes.
> >>
> >> It seems that if I want to search the flow based on hex codes:
> >>
> >> ra -nr argus.out -e "\x4d\x5a" doesn't seem to work; this is the latest
> >> argus client.
> >>
> >> I'm testing out the patch now
> >>
> >>
> >> Cheers!
> >>
> >> --
> >> Best Regards,
> >>
> >> CS Lee<geek00L[at]gmail.com>
> >>
> >> http://geek00l.blogspot.com
> >> http://defcraft.net
> >
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 15 Apr 2009 11:37:58 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Maxmind based Geo-location and ra* programs
> To: Mark Bartlett <mabartle at gmail.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <9E5D3E72-A971-4448-9529-0AFC7812C955 at qosient.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Hey Mark,
> Yes, but I couldn't figure out how to get their databases simply, without
> running a complete mirror of their system, and when you're mapping 200K
> addresses per second (100K records per second) it doesn't seem like we'll
> keep up if I have to query whois.cymru.org ;o)
>
> The GeoIP stuff was pretty straightforward to use, and the argus-client
> code is now compatible with the pay-as-you-go databases from MaxMind, so
> it seemed like a win.
>
> Do you think the Cymru strategy is worth a look?  Have you implemented a
> local database?
>
> Carter
>
> On Apr 15, 2009, at 9:13 AM, Mark Bartlett wrote:
>
> > Hey Carter,
> >
> > Have you checked out Team Cymru
> > (http://www.team-cymru.org/Services/ip-to-asn.html)?  They have been
> > doing some of this stuff also... Pretty cool stuff....
> >
> > mab
> >
> > On Tue, Apr 14, 2009 at 7:56 PM, Carter Bullard <carter at qosient.com>
> > wrote:
> >> Gentle people,
> >> All ra* programs support printing country codes, but there is much more
> >> to geo-location.
> >> I am integrating the use of MaxMind's LGPL based GeoIP library into the
> >> argus client's geo-location technology.  I need to get Origin AS numbers
> >> into the argus records for my work, and so this seemed to be a way to go.
> >> Currently, ralabel() and radium() can use MaxMind's GeoIPASNum.dat file
> >> to provide Origin AS numbers for IP addresses, and later this week I
> >> should get the City, State, Country, Zip Codes, along with lat/long data
> >> integrated.
> >> The Origin AS number support looks pretty good:
> >>
> >>       StartTime  Proto        SrcAddr  Dir                 DstAddr Dport  SPkts  DPkts  SBytes  DBytes          Label
> >> 19:25:27.014924    esp  207.237.36.98   ->  134.207.19.130.0x072ed6f2      2      0     252       0  AS6079:AS5058
> >>
> >> For the city data, it's not perfect, but it's pretty good data for
> >> free ;o).  Here is what one of the GeoIP test programs returns as a test:
> >>
> >> 24.24.24.24 US NY New York Jamaica 11434 40.676300 -73.775200 501 718 America/New_York 24.24.16.0
> >> 80.24.24.24 ES 56 Catalonia Seo De Urgel N/A 42.349998 1.466700 0 0 Europe/Madrid 80.24.24.0
> >>
> >> So, good country code, state?, but some of it is interesting, as they
> >> don't have "Spain" anywhere in the output, so could be a bit better?  I
> >> have to work on what the formats of the data will be in the argus label
> >> fields.
> >> You get the support by compiling the MaxMind C-library API code on your
> >> machine, then with the client's ./configure you specify where the GeoIP
> >> distribution is.
> >>    ./configure --with-GeoIP=yes
> >> All the rest is pretty straightforward, but I haven't tested it, except
> >> to see if it works at all.
> >> Currently the data comes out as labels, so it's just ASCII text in the
> >> argus record.  I'll be working on more specific DSRs for geolocation in
> >> the next set of months, so any dialog as to what you guys would like to
> >> get out of Maxmind.com's GeoIP library, that would be very helpful.
> >> Take a look at their links, for additional information:
> >>    http://www.maxmind.com/app/geolitecity
> >> I'll have this support in the next beta release, but if everyone is happy
> >> with the stability of the code set, I'll release it as argus-clients-3.0.2
> >> very soon.
> >> Carter
> >>
> >>
> >>
> >>
> >
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
>
>
> ------------------------------
>
>



-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
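Carter's question in the quoted thread, why regex() fails on hex patterns in binary buffers, has a concrete answer that a short C example can show. This is an added example, not code from the argus client or from anyone on the list: POSIX regcomp() does not interpret "\xHH" escapes (glibc reads "\x4d" as the literal characters x, 4, d, so "\x4d\x5a" never matches "MZ"), and regexec() treats the buffer as a C string and stops at the first NUL unless the search is bounded with the BSD/glibc REG_STARTEND extension. The helper names decode_hex_escapes() and match_binary() are hypothetical, and the sample buffers in the comments are constructed.

```c
#include <ctype.h>
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* POSIX regcomp() has no "\xHH" syntax: glibc, for instance, reads the four
 * characters "\x4d" as a literal 'x', '4', 'd', so "\x4d\x5a" never matches
 * an "MZ" header. Decode such escapes to raw bytes before compiling. A decoded
 * byte that is an ERE metacharacter gets a backslash so it stays literal.
 * out needs 2*strlen(in)+1 bytes; returns the decoded length. */
size_t decode_hex_escapes(const char *in, unsigned char *out)
{
    size_t n = 0;
    while (*in) {
        if (in[0] == '\\' && in[1] == 'x' &&
            isxdigit((unsigned char)in[2]) && isxdigit((unsigned char)in[3])) {
            char hex[3] = { in[2], in[3], '\0' };
            unsigned char b = (unsigned char)strtoul(hex, NULL, 16);
            if (b && strchr("\\^$.[]|()*+?{}", b))
                out[n++] = '\\';
            out[n++] = b;
            in += 4;
        } else {
            out[n++] = (unsigned char)*in++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Match a decoded pattern against a buffer of known length (e.g. a constructed
 * payload "\0\0MZ\x90", 6 bytes). REG_STARTEND (a BSD/glibc extension) bounds
 * the search by rm_eo instead of strlen(), so an embedded NUL in the user data
 * does not end the scan. A pattern that decodes to a NUL byte still cannot be
 * compiled, because regcomp() takes a C string.
 * Returns 1 on match, 0 on no match, -1 on a bad pattern. */
int match_binary(const char *pattern, const unsigned char *buf, size_t len)
{
    unsigned char *pat = malloc(2 * strlen(pattern) + 1);
    regmatch_t m = { 0, (regoff_t)len };
    regex_t re;
    int rc;
    decode_hex_escapes(pattern, pat);
    rc = regcomp(&re, (const char *)pat, REG_EXTENDED);
    free(pat);
    if (rc != 0) return -1;
    rc = regexec(&re, (const char *)buf, 1, &m, REG_STARTEND);
    regfree(&re);
    return rc == 0;
}
```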

