country and city code with ralabel and GeoIP (argus-client-3.0.6.2)

Carter Bullard carter at qosient.com
Mon Aug 13 12:14:22 EDT 2012


Hey Harika,
You aren't inserting the country codes with your configuration; you are
specifying that the extended city information should include the country codes,
but that just inserts the cco into the metadata string, it doesn't populate the
sco or dco values.

Currently, to insert country codes so that sco and dco are populated, you need
to use RALABEL_ARIN_COUNTRY_CODES and set an ARIN style data file
for the encodings.  I'll look to change this, but currently, you should set both
label strategies.

Remember, the " * " at the end of the string indicates that you didn't provide enough
space to print the values, so the 64 should be larger, or use comma separated output,
which doesn't truncate the fields.


Carter 


On Aug 13, 2012, at 11:38 AM, Harika Tandra wrote:

> Hi Carter,
> 
> Thank you, it's good to know about the label metadata string. I can grep the needed information from it.
> I am not getting sco and dco directly though. This is the output I get from the below command:
> 
> # /usr/local/bin/ralabel -f /etc/ralabel.conf -S localhost -w - | /usr/local/bin/ra -s sco dco sas das label:64
>          1781       scity=KR,KR,(null),37.000000,127.500000:dcity=US,US,(null),38.0*
>           137  6879 scity=IT,IT,Direzione,40.799999,9.016700:dcity=EG,EG,Cairo,30.0*
>          8075 20928 scity=US,US,(null),38.000000,-97.000000:dcity=EG,EG,Cairo,30.04*
>          8075 20928 scity=US,US,Redmond,47.670601,-122.068497:dcity=EG,EG,(null),27*
>          3512  7472 scity=US,US,Atlanta,33.795200,-84.324799:dcity=SG,SG,(null),1.3*
>           137  6879 scity=IT,IT,Direzione,40.799999,9.016700:dcity=EG,EG,(null),27.*
>          9488    91 scity=KR,KR,Seoul,37.566399,126.999702:dcity=US,US,Troy,42.7495*
>           137  2561 scity=IT,IT,Direzione,40.799999,9.016700:dcity=EG,EG,G?za,30.00*
>         22950  4538 scity=CA,CA,Saskatoon,52.133301,-106.666801:dcity=CN,CN,Beijing*
>           239  4538 scity=CA,CA,Toronto,43.666698,-79.416801:dcity=CN,CN,Guangzhou,*
>         36441  4538 scity=US,US,Athens,33.949902,-83.375000:dcity=CN,CN,Changchun,4*
> 
> When I query the GeoIPCity database separately, I do get the expected output. So everything on that end seems right.
> 
> Thanks,
> Harika.
> 
> 
> On Aug 13, 2012, at 11:04 AM, Carter Bullard wrote:
> 
>> Hey Harika,
>> The generic city related information is added to the flow record's label as an ascii metadata string,
>> so there aren't specific city, zip or state fields to print, at least not today.  To filter on the field contents,
>> you use the " -e <regex> " option to specify the field contents you're looking for.
>> 
>> We do have support for country codes, which can come from various databases, and support
>> for AS numbers, which comes from the GEOIP library, right now (if you have the right databases
>> in place).  As a result, you should get values when you print out the sco, dco, sas, and das
>> independent of the extended city data.
>> 
>> What output are you getting when you print out these fields and the labels?
>> 
>>    ra -s sco dco sas das label:64
>> 
>> Carter
>> 
>> 
>> 
>> On Aug 13, 2012, at 10:50 AM, Harika Tandra wrote:
>> 
>>> Hi Carter,
>>> 
>>> I am using argus-clients-3.0.6.2. I see that ralabel is not working with the GeoIPCity database.
>>> I am able to get AS information but not City related information. I am using the
>>> following commands:
>>> 
>>> /usr/local/bin/ralabel -f /etc/ralabel.conf -S localhost -s sas das sco dco scity dcity
>>> 
>>> and 
>>> 
>>> /usr/local/bin/ralabel -f /etc/ralabel.conf -S localhost -w - | /usr/local/bin/ra -s sco dco sas das
>>> 
>>> 
>>> And my ralabel.conf file is :
>>> 
>>> RALABEL_GEOIP_ASN=yes
>>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>>> RALABEL_GEOIP_CITY="saddr,daddr:cco,cco3,city,lat,lon"
>>> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"
>>> 
>>> 
>>> Please let me know if you are observing the same or maybe something is wrong at my end.
>>> 
>>> Thanks,
>>> Harika Tandra.
>>> 
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------
>>> Harika Tandra
>>> Research Associate (Software Engineer)
>>> GLORIAD, ISSE
>>> 311 Conference Center Building
>>> University of Tennessee 
>>> htandra at gloriad.org
>>> htandra at utk.edu
>>> 
>>> 
>>> 
>>> 
>> 
> 
