adding arbitrary labels

George Jones eludom at gmail.com
Mon Jul 26 15:59:16 EDT 2010


Thanks. The argus-flow-file format was the bit I could not find. That
should do it.

---George

On Mon, Jul 26, 2010 at 2:45 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey George,
> Grab a ralabel.conf file from ./support/Config, as a starting point.
>
> If you want the whole flow to get the label, use the flow filter based
> classifier.
> Uncomment these lines:
>
>    RALABEL_ARGUS_FLOW=yes
>    RALABEL_ARGUS_FLOW_FILE="/path/to/argus-flow-file"
>
> The argus-flow-file is very simple.  Use this line to label all flows:
>
>    filter=""              label="foo"
>
> And all the flows will have a label that is:
>
>    "flow=foo"
>
> If you instead want the label to be associated with an address, assuming
> they are all IP flows,  use the address based label scheme.
>
> In the ralabel.conf file from ./support/Config, uncomment these lines:
>
>    RALABEL_IANA_ADDRESS=yes
>    RALABEL_IANA_ADDRESS_FILE="/path/to/iana-address-file"
>
> In the ./support/Config directory there is a sample iana-address-file, grab
> this and edit this file to have only this line:
>
>    0.0.0.0/1-255.255.255.255/1 foo
>
> This will generate a label in each IP flow record that is:
>    "saddr=foo:daddr=foo"
>
>
> There are other strategies, but this should help?
>
> Carter
>
> On Jul 26, 2010, at 10:37 AM, George Jones wrote:
>
> So, what would the ralabel.conf look like if I wanted *all* records on
> input to be labeled "foo" ?
>
> Thanks,
> ---George Jones
>
> ---------------------------------------cut here---------------------------------------
>  From: Carter Bullard <carter at qosient.com>
> Subject: Re: adding arbitrary labels <http://news.gmane.org/find-root.php?message_id=%3c077EFEC2%2d8BF8%2d4A90%2dBA0C%2d9F7C1EA6A48E%40qosient.com%3e>
> Newsgroups: gmane.network.argus <http://news.gmane.org/gmane.network.argus>
> Date: 2010-06-28 14:10:38 GMT (3 weeks, 6 days, 22 hours and 51 minutes ago)
>
> Hey George,
> Well, you could do this (leaving out a lot of specifics)
>
>    ... | ralabel -f ralabel.conf -w - | rasqlinsert -M label="foo" -s +label
>
> where ralabel.conf specifies how flows are labeled and "foo" is a regular
> expression that will match from the label buffer.   This will insert flows
> that match a particular label into a specified database table.
>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
>
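The two labelling setups Carter describes in the quoted reply (the flow-filter classifier and the address classifier), together with a sanity check on the argus-flow-file lines before they are handed to ralabel, as an added shell example. This is not code from the thread or from the argus project. Assumptions that are not in the thread: the input record file name argus.out and the scratch directories are placeholders; "ralabel -r FILE -w FILE" and "ra -r FILE -s +label" are taken to be the standard argus client options for reading and writing record files; and the script only invokes ralabel when it is found in PATH, otherwise it just writes the configuration files.

```shell
#!/bin/sh
# Added example, not code from the thread or from the argus project.
# Writes the two ralabel configurations discussed above and, if the
# argus clients are installed, runs the labelling step over a record file.
set -eu

# Strategy 1 (flow-filter classifier): every flow gets the label "flow=LABEL".
# write_flow_label_conf DIR LABEL
write_flow_label_conf() {
    dir=$1; label=$2
    # argus-flow-file: one filter="..." label="..." line; an empty filter matches all flows
    printf 'filter=""              label="%s"\n' "$label" > "$dir/argus-flow-file"
    cat > "$dir/ralabel.conf" <<EOF
RALABEL_ARGUS_FLOW=yes
RALABEL_ARGUS_FLOW_FILE="$dir/argus-flow-file"
EOF
}

# Strategy 2 (address classifier): IP flows get "saddr=LABEL:daddr=LABEL".
# write_address_label_conf DIR LABEL
write_address_label_conf() {
    dir=$1; label=$2
    # iana-address-file: the single catch-all range line from Carter's reply
    printf '0.0.0.0/1-255.255.255.255/1 %s\n' "$label" > "$dir/iana-address-file"
    cat > "$dir/ralabel.conf" <<EOF
RALABEL_IANA_ADDRESS=yes
RALABEL_IANA_ADDRESS_FILE="$dir/iana-address-file"
EOF
}

# conf_strategy RALABEL_CONF: prints which classifier is enabled: flow, address, both or none.
conf_strategy() {
    s=none
    if grep -q '^RALABEL_ARGUS_FLOW=yes' "$1"; then s=flow; fi
    if grep -q '^RALABEL_IANA_ADDRESS=yes' "$1"; then
        if [ "$s" = flow ]; then s=both; else s=address; fi
    fi
    echo "$s"
}

# validate_flow_file FILE: every non-blank, non-comment line must carry a
# quoted filter and a non-empty quoted label, or ralabel has nothing to apply.
validate_flow_file() {
    if grep -vE '^[[:space:]]*(#|$)' "$1" \
       | grep -qvE '^[[:space:]]*filter="[^"]*"[[:space:]]+label="[^"]+"[[:space:]]*$'; then
        echo "malformed line(s) in $1" >&2
        return 1
    fi
    return 0
}

# label_flows DIR INPUT OUTPUT: apply DIR/ralabel.conf to an argus record file
# and show the resulting label field. Assumes the standard -r/-w client options.
label_flows() {
    dir=$1; in=$2; out=$3
    if [ -f "$dir/argus-flow-file" ]; then validate_flow_file "$dir/argus-flow-file"; fi
    if ! command -v ralabel >/dev/null 2>&1; then
        echo "ralabel not in PATH; configuration left in $dir" >&2
        return 0
    fi
    [ -r "$in" ] || { echo "input $in not readable" >&2; return 1; }
    ralabel -f "$dir/ralabel.conf" -r "$in" -w "$out"
    ra -r "$out" -s +label | head
}

# Demo: one scratch directory per strategy (constructed here; no argus data needed).
flow_dir=$(mktemp -d); addr_dir=$(mktemp -d)
write_flow_label_conf "$flow_dir" foo
write_address_label_conf "$addr_dir" foo
echo "$flow_dir: $(conf_strategy "$flow_dir/ralabel.conf") classifier"
echo "$addr_dir: $(conf_strategy "$addr_dir/ralabel.conf") classifier"
```

To label a capture with the flow strategy, call label_flows "$flow_dir" argus.out labelled.argus (argus.out is a placeholder for your own record file); the label field of the output should then read "flow=foo", or "saddr=foo:daddr=foo" with the address strategy, which is the string the rasqlinsert -M label=... regex in the earlier reply matches against.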