traffic labeling and argus-clients-3.0.2
Carter Bullard
carter at qosient.com
Mon Mar 16 19:50:02 EDT 2009
Gentle people,
In argus-clients-3.0.2, there is a set of programs designed to "label" flows with meta-data tags. The set of criteria used as examples in the distribution are address, port and filter based classifications. I will add a few more as we get more sophisticated with this new feature of argus data.

The address based labeling methods are designed to label flows so that you can build hierarchical/scoped labeling, like "this flow is specifically in this group", its 24-bit CIDR address labels it in that sub-net, its IANA based address class adds this label, etc.... So that a flow can end up with labels like "Owner=Marge:ChemistryDept". The files ./support/Config/ralabel.conf and ./support/Config/iana-address-file are good examples of what you can do.

The port based labeling allows for inserting the services file strings for specific ports, but the idea is that you can do anything you want using the /etc/services file format. It does support ranges, so it's not completely cumbersome.

The filter based system allows you to specify basically any metric as a criterion for a label. As an example, you can classify flows based on src or dst instantaneous load as, say, video or audio streams, or you can label based on DiffServ code points, etc...., and of course combinations of any metric.

All ra* programs can match on labels, using regular expressions. Since the labels are of your design, you design the regular expression to do the matching.

So let's say you want to label flows as they come into your archive with indications that they are going to dark addresses. You use radium() to label your flows with address based labels that represent your dark address space. In the new radium.conf configuration file is a new option, RADIUM_CLASSIFIER_FILE, so you can specify a label configuration. An example of this file can be found in ./support/Config/ralabel.conf. You can have any number of specific addresses, or ranges, CIDR formats, whatever. The labels can overlap, and when they do radium() adds multiple labels, with ","'s as separators.

Let's say you label your dark address space with the label "dark". Data that is available from a port or written to a file from radium will be labeled. By the time the flow gets into your archive, or to the next ra* program, you can find these flows easily using the "-M label='regex'" option.

   ra -S radium -M label='dark'

will print out the records that involve non-existent addresses in your network, if your label configuration is good.

Because all ra* programs now have dsr stripping features in them, after you're done with a label you can have one of your ra* programs do this:

   ra -M dsrs="-label" -S instream -w outstream

to have the label thrown away, if you like.

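As an added illustration, the following Python models the labeling semantics described in this post; it is not argus code and does not use the ralabel.conf syntax. It shows overlapping address labels accumulating as a comma-separated list, port labels taken from /etc/services-style entries with ranges, a regex match over the label string (the -M label='regex' idea) that picks out flows touching "dark" space, and the label being stripped afterwards. The CIDR table, port table and flow records are constructed sample data.

```python
import ipaddress
import re

# Constructed address table: every matching CIDR adds its label, so labels
# build up hierarchically (owner, department, dark) as the post describes.
ADDRESS_LABELS = [
    ("10.0.0.0/8", "Owner=Corp"),
    ("10.20.0.0/16", "Owner=Marge:ChemistryDept"),
    ("10.20.200.0/24", "dark"),  # constructed unallocated range: nothing lives here
]

# Constructed port table in /etc/services style; ranges are allowed.
PORT_LABELS = {"80/tcp": "http", "443/tcp": "https", "6881-6889/tcp": "bittorrent"}

# Constructed flow records standing in for argus flow data.
FLOWS = [
    {"saddr": "10.20.5.7", "daddr": "203.0.113.5", "dport": 443, "proto": "tcp"},
    {"saddr": "198.51.100.9", "daddr": "10.20.200.17", "dport": 6882, "proto": "tcp"},
    {"saddr": "10.20.5.7", "daddr": "10.20.200.3", "dport": 22, "proto": "tcp"},
]

def address_labels(ip):
    addr = ipaddress.ip_address(ip)
    return [lbl for net, lbl in ADDRESS_LABELS if addr in ipaddress.ip_network(net)]

def port_label(port, proto):
    for spec, lbl in PORT_LABELS.items():
        ports, spec_proto = spec.split("/")
        lo, _, hi = ports.partition("-")  # "6881-6889" or a single port
        if spec_proto == proto and int(lo) <= port <= int(hi or lo):
            return lbl
    return None

def label_flow(flow):
    # Labels from both endpoints plus the service label, comma-joined; a label
    # that applies to both endpoints is kept once (this example's choice).
    labels = address_labels(flow["saddr"]) + address_labels(flow["daddr"])
    svc = port_label(flow["dport"], flow["proto"])
    if svc:
        labels.append(svc)
    return dict(flow, label=",".join(dict.fromkeys(labels)))

def match_label(flows, regex):
    """Analogue of ra -M label='regex': keep flows whose label string matches."""
    pat = re.compile(regex)
    return [f for f in flows if pat.search(f["label"])]

def strip_label(flow):
    """Analogue of ra -M dsrs="-label": drop the label once it has served."""
    return {k: v for k, v in flow.items() if k != "label"}
```

Because labels accumulate in table order, a pattern anchored like `^dark` would miss these flows; an unanchored `dark` (or a pattern that allows a preceding comma) is the right regex for a label that is rarely first.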
Hopefully you can imagine extremely complex ways of using this simple but very powerful feature.

If you do try it out, send mail to the list if you have problems, or have any kind of bad experience.

Hope all is most excellent,
Carter