ralabel country code mapping

CS Lee geek00l at gmail.com
Tue Apr 21 07:59:09 EDT 2009 

hi carter,

I have these lines in ralabel.conf

RALABEL_IANA_ADDRESS=yes
RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/delegated-ipv4-latest"

I use RALABEL_IANA_ADDRESS_FILE as I can't find where I can define delegated
file in the ralabel.conf sample config.

It does print out the label when i do that

ralabel -f ralabel.conf -r argus.out -s +sco +dco
   09:21:33.143098  e s       tcp      114.47.198.87.8886     <?>
192.168.1.153.51359        63      25483   CON  TW  ZZ
   09:21:33.143354  e d       tcp     218.175.209.38.20500    <?>
192.168.1.153.51243        18       8290   CON  TW  ZZ
   09:21:33.184301  e         udp      202.76.223.75.21484    <->
192.168.1.153.6881        121      11756   CON  JP  ZZ
   09:21:33.204481  e *       tcp    218.173.107.206.24158    <?>
192.168.1.153.51317        31      14029   CON  TW  ZZ

However if i write it to a file

ralabel -f ralabel.conf -r argus.out -w argus-cc.out

And I try to get ra -s +sco +dco, it doesn't return anything. If I print the
label field instead, it returns -

ra -r argus-cc.out -s +label
   09:21:33.143098  e s       tcp      114.47.198.87.8886     <?>
192.168.1.153.51359        63      25483   CON        saddr=TW:daddr=ZZ
   09:21:33.143354  e d       tcp     218.175.209.38.20500    <?>
192.168.1.153.51243        18       8290   CON        saddr=TW:daddr=ZZ
   09:21:33.184301  e         udp      202.76.223.75.21484    <->
192.168.1.153.6881        121      11756   CON        saddr=JP:daddr=ZZ

But I think sco and dco should be the field to print country code.

Thanks ;]



On Tue, Apr 21, 2009 at 7:22 PM, <carter at qosient.com> wrote:

> All ra* programs add country codes the same, but getting the codes into the
> records for output requires a slightly different set of steps.
>
> There are relabel.conf variables to do this, but it also needs to know
> where the delegated file is. What does your ralabel.conf file look like?
>
> Carter
>
> Sent from my Verizon Wireless BlackBerry
>
> ------------------------------
> *From*: CS Lee
> *Date*: Tue, 21 Apr 2009 16:14:37 +0800
> *To*: Argus<argus-info at lists.andrew.cmu.edu>
> *Subject*: [ARGUS] ralabel country code mapping
> hi carter,
>
> I'm using argus latest beta(3.0.2.beta.5) on mac osx.
>
> I try to use ralabel to add country code to sco and dco field to the flow
>
> ralabel -nr argus.out -w argus-cc.out
>
> ra -nr argus-cc.out -s +sco +dco returns nothing at all
>
> I can use ra -F rarc -s +sco +dco as long as my rarc contains line
> RA_DELEGATED_IP=delegated-ipv4-latest, but this is just to print the country
> code when reading the flow, i prefer to add the country code to the flow
> field sco/dco instead.
>
> Since ralabel has config file now, can we have something more standard like
> RALABEL_CC=delegated-ipv4-latest so we can point it to the code file that i
> downloaded using ragetcountrycodes.sh or I remember you mention the support
> for geoip support in the next version of argus.
>
> Currently the country code label doesn't seem to work, maybe someone can
> give it a spin too to check if it works correctly or my bad.
>
> Thanks!
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
>



-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090421/56ae9ee6/attachment.html>

More information about the argus mailing list