rafilteraddr issue

Carter Bullard carter at qosient.com
Fri Feb 5 14:03:10 EST 2010


Hey Phillip,
Sorry I haven't responded!!!  So here is where I am on this:

It's not a bug: by default rafilteraddr() matches only exact matches,
and CIDR matches are, of course, not exact matches.

But this, of course, is not what we want.  I believe that I have a solution,
but I need to test it out a bit.

As a workaround, I might suggest that you use ralabel() to do what you
want.  As an example, using the sample ralabel.conf and iana-address-file
from the ./support/Config directory in the client distribution, you can take your
address list, and have it insert the label "match" into the flow stream, and
then use ra() to find flows that have the label "match" in them:

   ralabel -f ralabel.conf -r /data/argusinput -w - | ra -M label=match

The ralabel.conf file contains:
   RALABEL_IANA_ADDRESS=yes
   RALABEL_IANA_ADDRESS_FILE="filtertest.txt"

and your filtertest.txt file contains:

   192.168.1.0/24   match

You can make this much more complicated, and so much more than just
filtering with these schemes.   Hopefully it will provide you with a workaround
until I get the fix in. I should have a solution for rafilteraddr() by the weekend?

What do you think?

Carter

On Feb 5, 2010, at 1:17 PM, Phillip Deneault wrote:

> Hey Carter
> 
> Thanks for looking at it... any luck yet?
> 
> Phil
> 
> On 2/3/2010 10:23 PM, carter at qosient.com wrote:
>> Hey Phillip,
>> rafilteraddr() should do the right thing.
>> I'll take a look tonight to see if its straightforward.
>> 
>> Carter 
>> 
>> ------Original Message------
>> From: Phillip G Deneault
>> Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
>> To: Argus
>> Subject: [ARGUS] rafilteraddr issue
>> Sent: Feb 3, 2010 10:09 PM
>> 
>> Hello all,
>> 
>> I'm attempting to use rafilteraddr and I must be using it wrong, but there 
>> isn't any authoritative documentation on it.  I'm using argus-clients-3.0.2 
>> from http://qosient.com/argus/dev/ from the tarball dated 1/26/10.
>> 
>> Right now I'm just attempting to take a file and filter it to get a smaller 
>> subset of records.  My source file has only a handful of records and 
>> contains my targeted IP.
>> 
>> I'm running:
>> rafilteraddr -f filtertest.txt -r /data/argusinput -w /data/argusoutput
>> 
>> with a file containing my one target address.  If I try this command with 
>> the one line '192.168.1.1' or '192.168.1.1/32', I get the records I 
>> expect.
>> 
>> If I try '192.168.1.0/24', I get no records back at all, though I should.
>> 
>> If I use -vf to invert my results, I get similar behavior.  Filters using 
>> the /24 are ignored, but entries with the /32 are processed correctly.
>> 
>> If I put more than one record in my filter list, mixing /24s and /32s, the 
>> /24 records are ignored and the /32s are processed correctly.
>> 
>> Could something be parsing the file wrong?  or am I doing something wrong?
>> 
>> Thanks,
>> Phil
>> 
>> 
>> 
>> 
>> Sent from my Verizon Wireless BlackBerry
> 
> 




