adding arbitrary lables

Carter Bullard carter at qosient.com
Mon Jul 26 14:45:55 EDT 2010 

Hey George,
Grab a ralabel.conf file from ./support/Config, as a starting point.

If you want the whole flow to get the label, use the flow filter based classifier.
Uncomment these lines:

   RALABEL_ARGUS_FLOW=yes
   RALABEL_ARGUS_FLOW_FILE="/path/to/argus-flow-file"

The argus-flow-file is very simple.  Use this line to label all flows:

   filter=""              label="foo"

And all the flows will have a label that is:

   "flow=foo"

If you instead want the label to be associated with an address, assuming
they are all IP flows,  use the address based label scheme.

In the ralabel.conf file from ./support/Config, uncomment these lines:

   RALABEL_IANA_ADDRESS=yes
   RALABEL_IANA_ADDRESS_FILE="/path/to/iana-address-file"

In the ./support/Config directory there is a sample iana-address-file, grab
this and edit this file to have only this line:

   0.0.0.0/1-255.255.255.255/1		foo

This will generate a label in each IP flow record that is:
   "saddr=foo:daddr=foo"


There are other strategies, but this should help?

Carter

On Jul 26, 2010, at 10:37 AM, George Jones wrote:

> So, what would the ralabel.conf look like if I wanted *all* records on input to be labeled "foo" ?
> 
> Thanks,
> ---George Jones
> 
> ---------------------------------------cut here---------------------------------------
> From: Carter Bullard <carter <at> qosient.com>
> Subject: Re: adding arbitrary lables
> Newsgroups: gmane.network.argus
> Date: 2010-06-28 14:10:38 GMT (3 weeks, 6 days, 22 hours and 51 minutes ago)
> Hey George,
> Well, you could do this (leaving out a lot of specifics)
> 
>    ... | ralabel -f ralabel.conf -w - | rasqlinsert -M label="foo" -s +label
> 
> where ralabel.conf specifies how flows are labeled and "foo" is a regular
> expression that will match from the label buffer.   This will insert flows
> that match a particular label into a specified database table. 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100726/e12df92e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100726/e12df92e/attachment.bin>

More information about the argus mailing list