Filter by Domain Name

Carter Bullard carter at qosient.com
Thu Nov 12 23:58:33 EST 2009


Hey John,
You can put domain names in the command line filter.  It will grab all the addresses
that are returned by whatever resolver the machine is using, and build the correct
compound filters.

So if I want to filter against google.com, that usually returns 3 addresses, ra() will
generate this type of filter (use the -b option to dump the filter compiler output):

thoth:clients carter$ ra -b - host google.com 
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x1             jt 3	jf 12
(003) ld       dsr[1][4]
(004) jeq      #0x4a7d4364      jt 11	jf 5
(005) jeq      #0x4a7d3564      jt 11	jf 6
(006) jeq      #0x4a7d2d64      jt 11	jf 7
(007) ld       dsr[1][8]
(008) jeq      #0x4a7d4364      jt 11	jf 9
(009) jeq      #0x4a7d3564      jt 11	jf 10
(010) jeq      #0x4a7d2d64      jt 11	jf 12
(011) ret      #96
(012) ret      #0

So the compiler generates code to test the 3 returned addresses against the
source address (dsr[1][4]) and then the dst address (dsr[1][8]) in each argus record.

This is a pretty efficient filter.  Adding more domain names still stays pretty efficient.
akamai.com usually returns 2 - 3 addresses:

thoth:clients carter$ ra -b - host akamai.com or google.com
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x1             jt 3	jf 16
(003) ld       dsr[1][4]
(004) jeq      #0x48f6024a      jt 15	jf 5
(005) jeq      #0x48f6c68d      jt 15	jf 6
(006) jeq      #0x4a7d4364      jt 15	jf 7
(007) jeq      #0x4a7d3564      jt 15	jf 8
(008) jeq      #0x4a7d2d64      jt 15	jf 9
(009) ld       dsr[1][8]
(010) jeq      #0x48f6024a      jt 15	jf 11
(011) jeq      #0x48f6c68d      jt 15	jf 12
(012) jeq      #0x4a7d4364      jt 15	jf 13
(013) jeq      #0x4a7d3564      jt 15	jf 14
(014) jeq      #0x4a7d2d64      jt 15	jf 16
(015) ret      #96
(016) ret      #0

The ra* compiler is a 32-bit compiler, so if you get back a bunch of IPv6 addrs,
your filter gets big and ugly as it has to load and compare 4 32-bit values to do
a single IPv6 address comparison.

Eventually the number of addresses will get large (> 20) and the filter will get slow.
This is a poor search strategy as it's O(n * m) complexity, where m is the number of
addresses in the filters and n is the number of addresses to be searched.

One of the big problems is that for some domain names, you don't always get the
same addresses returned when we resolve them, so using them as filters isn't
always the best practice, but that doesn't mean that you can't do it; it's just not
always the best approach.

rafilteraddr() is the program of choice when you have a lot of addresses you need to
filter against.  It uses a Patricia tree to hold the addresses of interest, and so the
search is O(n log m).  A perfect hash can do better, and on some big memory
machines (> 16 GBytes of RAM so you have 4GB of real user space per process), we
can get the complexity to O(n), which is best (at least for IPv4 addresses).

I had not considered supporting the use of domain names in rafilteraddr() but we
could easily do it.  Getting the program started may take some time to resolve all
the names, but once it gets going, it would go very quickly.

Email if this doesn't do it for you, and we'll see what will,

Carter


On Nov 12, 2009, at 5:18 PM, John Kennedy wrote:

> I was just curious if any argus client can be used to filter on a list of domain names?
> 
> thanks
> 
> John
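The following is an added example, not part of Carter's message or of the argus client code. It does two things the exchange above talks about: it packs dotted quads into the 32-bit constants that `ra -b` prints (so you can read the `jeq #0x4a7d4364` lines back into addresses), and it contrasts the linear compare list the filter compiler emits with a binary (Patricia-style) trie of the kind rafilteraddr() is described as using. The resolver is a constructed, offline stand-in for whatever the machine's resolver would return; the address lists are reconstructed from the constants in the filter output, not live DNS answers, and the trie is a sketch of the idea rather than argus's own implementation.

```python
"""Added example: decode ra filter constants, then compare a linear host
filter against a binary trie lookup.  Nothing here is argus code; the
resolver below is constructed so the example runs offline."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed stand-in for gethostbyname().  The lists reproduce the
# constants visible in the `ra -b` output, decoded to dotted quads.
FAKE_DNS: Dict[str, List[str]] = {
    "google.com": ["74.125.67.100", "74.125.53.100", "74.125.45.100"],
    "akamai.com": ["72.246.2.74", "72.246.198.141"],
}


def filter_constant(addr: str) -> int:
    """Pack an IPv4 dotted quad into the 32-bit value ra compares against."""
    return int(ipaddress.IPv4Address(addr))


def constant_to_addr(const: int) -> str:
    """Inverse: turn a `#0x...` constant from `ra -b` back into a dotted quad."""
    return str(ipaddress.IPv4Address(const))


def resolve(names: Iterable[str], dns: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """Gather every address the (fake) resolver returns for each name."""
    out: List[str] = []
    for name in names:
        out.extend(dns.get(name, []))
    return out


def linear_host_match(src: str, dst: str, addrs: List[str]) -> bool:
    """Mirror of the compiled `host` filter: compare the record's src
    address, then its dst address, against each constant in turn.
    Cost per record grows with m, the number of addresses of interest."""
    consts = [filter_constant(a) for a in addrs]
    for field in (src, dst):
        value = filter_constant(field)
        for c in consts:
            if value == c:
                return True
    return False


class AddrTrie:
    """Binary trie keyed on address bits, in the spirit of a Patricia tree.
    A lookup walks at most 32 (IPv4) or 128 (IPv6) levels regardless of
    how many addresses are stored, so the per-record cost no longer grows
    with m.  Entries may be whole addresses or CIDR prefixes."""

    def __init__(self) -> None:
        # one subtree per address family so v4 and v6 bits never collide
        self.root: Dict[int, dict] = {}

    def add(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        width = net.max_prefixlen
        value = int(net.network_address)
        node = self.root.setdefault(net.version, {})
        for i in range(net.prefixlen):
            bit = (value >> (width - 1 - i)) & 1
            node = node.setdefault(bit, {})
        node["end"] = True  # a stored address or prefix terminates here

    def contains(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        node = self.root.get(a.version)
        if node is None:
            return False
        width = a.max_prefixlen
        value = int(a)
        for i in range(width):
            if node.get("end"):
                return True  # matched a stored prefix covering addr
            node = node.get((value >> (width - 1 - i)) & 1)
            if node is None:
                return False
        return bool(node.get("end"))


def trie_host_match(src: str, dst: str, trie: AddrTrie) -> bool:
    """Same semantics as linear_host_match, but via the trie."""
    return trie.contains(src) or trie.contains(dst)


if __name__ == "__main__":
    # Read the constants from the google.com / akamai.com filters above.
    for c in (0x4A7D4364, 0x4A7D3564, 0x4A7D2D64, 0x48F6024A, 0x48F6C68D):
        print(f"#0x{c:08x} -> {constant_to_addr(c)}")
    addrs = resolve(["akamai.com", "google.com"])
    trie = AddrTrie()
    for a in addrs:
        trie.add(a)
    print(linear_host_match("10.0.0.1", "74.125.53.100", addrs),
          trie_host_match("10.0.0.1", "74.125.53.100", trie))
```

The linear version is exactly what the compiled filter does (src first, then dst, one `jeq` per constant), which is why the mail's O(n * m) figure follows directly from the instruction listing. The trie bounds each lookup by address width instead, and because it stores prefixes as well as hosts it also absorbs the "resolver returned different addresses this time" problem somewhat if you choose to filter on the provider's netblock rather than the individual answers.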
