traffic labeling and argus-clients-3.0.2

Mark Bartlett mabartle at gmail.com
Tue Mar 17 09:43:56 EDT 2009


Hey Carter.. Cool Feature. Def. can see myself using this for a
dynamic 'bad ip' list..

One question...   Will this 'label' be a field that can be inserted
into the DB??  If so, what is the name of the field?

mark

On Mon, Mar 16, 2009 at 7:50 PM, Carter Bullard <carter at qosient.com> wrote:
> Gentle people,
> In argus-clients-3.0.2, there are a set of programs designed to "label" flows
> with meta-data tags.  The set of criteria used as examples in the distribution
> are address, port and filter based classifications.  I will add a few more as
> we get more sophisticated with this new feature of argus data.
>
> The address based labeling methods are designed to label flows so
> that you can build hierarchical/scoped labeling, like "this flow is
> specifically in this group", its 24-bit CIDR address labels it in that subnet,
> its IANA based address class adds this label, etc....
> So that a flow can end up with labels like "Owner=Marge:ChemistryDept".
> The file ./support/Config/ralabel.conf and ./support/Config/iana-address-file
> are good examples of what you can do.
>
> The port based labeling allows for inserting the services file strings for
> specific ports, but the idea is that you can do anything you want using
> the /etc/services file format.  It does support ranges, so it's not completely
> cumbersome.
>
> The filter based system allows you to specify basically any metric as
> a criterion for a label; as an example, you can classify flows based on
> src or dst instantaneous load as, say, video or audio streams, or you
> can label based on DiffServ code points, etc...., and of course
> combinations of any metric.
>
> All ra* programs can match on labels, using regular expressions.
> Since the labels are of your design, you design the regular expression
> to do the matching.
>
> So let's say you want to label flows as they come into your archive
> with indications that they are going to dark addresses.
> You use radium() to label your flows with address based labels that
> represent your dark address space.
>
> In the new radium.conf configuration file is a new option,
> RADIUM_CLASSIFIER_FILE, so you can specify a label configuration.
> An example of this file can be found in ./support/Config/ralabel.conf.
> You can have any number of specific addresses, or ranges, CIDR
> formats, whatever.  The labels can overlap, and when they do
> radium() adds multiple labels, with commas as separators.
>
> Let's say you label your dark address space with the label "dark".
> Data that is available from a port or written to a file from radium
> will be labeled.
>
> By the time the flow gets into your archive, or to the next ra* program,
> you can find these flows easily using the "-M label='regex'" option.
>
>   ra -S radium -M label='dark'
>
> will print out the records that involve non-existent addresses in
> your network, if your label configuration is good.
>
> Because all ra* programs now have dsr stripping features in them,
> after you're done with a label you can have one of your ra* programs
> do this:
>   ra -M dsrs="-label" -S instream -w outstream
>
> to have the label thrown away, if you like.
>
> Hopefully you can imagine extremely complex ways of using this
> simple but very powerful feature.
>
> If you do try it out, send mail to the list if you have problems, or have
> any kind of bad experience.
>
> Hope all is most excellent,
>
>
> Carter
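As an added illustration (not code from either message or from the argus distribution), here is a small Python emulation of the label matching and stripping Carter describes, run over constructed flow records. It assumes, as the post says, that radium() joins overlapping labels with commas and that `-M label='regex'` searches the regex against that label field; the records, addresses and the `exact` option are constructed for the example. It also shows why an unanchored regex such as `dark` can pick up a neighbouring label like `darkroom_cam`.

```python
import re

# Constructed sample flows, as they might look after radium() has applied
# address-based labels from ralabel.conf. Overlapping address ranges produce
# several comma-separated labels on one record (per the post).
SAMPLE_FLOWS = [
    {"saddr": "192.0.2.10", "daddr": "198.51.100.7", "label": "Owner=Marge:ChemistryDept"},
    {"saddr": "192.0.2.11", "daddr": "203.0.113.250", "label": "Owner=Marge:ChemistryDept,dark"},
    {"saddr": "192.0.2.12", "daddr": "203.0.113.251", "label": "darkroom_cam,Owner=Homer:PhysicsDept"},
    {"saddr": "192.0.2.13", "daddr": "198.51.100.9", "label": ""},
]


def split_labels(field):
    """Split the comma-separated label field into its individual labels."""
    return [lbl for lbl in field.split(",") if lbl]


def match_label(flows, regex, exact=False):
    """Emulate 'ra -M label=<regex>': keep flows whose label field matches.

    exact=False searches the regex anywhere in the joined label string, which
    is the assumed ra behaviour and why 'dark' also hits 'darkroom_cam'.
    exact=True (a constructed option, not an ra flag) requires the regex to
    match one whole label, equivalent to anchoring it as (^|,)dark(,|$).
    """
    pat = re.compile(regex)
    matched = []
    for flow in flows:
        if exact:
            if any(pat.fullmatch(lbl) for lbl in split_labels(flow["label"])):
                matched.append(flow)
        elif pat.search(flow["label"]):
            matched.append(flow)
    return matched


def strip_label(flow):
    """Emulate 'ra -M dsrs="-label"': drop the label before passing the record on."""
    return {k: v for k, v in flow.items() if k != "label"}


def dark_destinations(flows):
    """Destinations of flows carrying exactly the 'dark' label (exact match)."""
    return [f["daddr"] for f in match_label(flows, "dark", exact=True)]
```

Matching the scoped label with a regex such as `Owner=.*:ChemistryDept` selects every flow in that department regardless of owner, which is the hierarchical use the post describes.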