argus-clients-3.0.7.4 additions - locality

Carter Bullard carter at qosient.com
Wed Dec 5 13:09:27 EST 2012


Gentle people,
With the addition of color support for ratop(), and the ability to color src and dst
metrics and identifiers with different colors, for whatever reason, where on
the screen identifiers are printed becomes an issue.  The screen becomes a bit
more useful when all the blue addresses are on the left and the green ones
are on the right, for instance.

In support of this, I've added some logic that allows you to specify local vs remote,
and let locality influence the direction of flow records, when the direction is
ambiguous.  While the design is for L2 and L3 identifiers to be used, currently,
we're doing L3 addresses.

Here is the wording in the new rarc file for this support:

# Many ra* clients process flow records where locality is an important
# property.  Sites use locality for a number of features, such as access control,
# and this support is intended to support visualization, and analytics.
#
# Currently, you can identify a collection of IP addresses that represent RA_LOCAL,
# and are specified using an iana-address-file formatted file.  (See ralabel.conf)

RA_LOCAL=/usr/local/argus/local.addrs

# When locality information is available, programs like ra(), and 
# ratop() can use that information to make display decisions, such
# as the assignment of source when the data does not provide
# enough information to definitively make that assignment.
#
# RA_LOCAL_DIRECTION provides the logic for using the locality
# information to assign flow direction.  You can force the local
# address to be either the source (src) or the destination (dst).
# 
# The syntax is:
#    RA_LOCAL_DIRECTION="local:src"
#    RA_LOCAL_DIRECTION="local:dst"
#

RA_LOCAL_DIRECTION="local:src"

This particular configuration will put local addrs on the left of a ratop() display,
when the direction is ambiguous (when there is a ' ? ') in the direction field.
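To make the rule concrete, here is an added Python sketch of the locality-driven orientation described above (not argus code; the local address file is replaced by a constructed list of CIDR prefixes, and the record fields and the "?" check are assumptions about the ra() display fields):

```python
import ipaddress

# Constructed stand-in for the RA_LOCAL address file: a list of CIDR prefixes.
# (Assumption: the real iana-address-file format is not reproduced here.)
LOCAL_PREFIXES = ["192.168.0.0/16", "10.0.0.0/8"]
LOCAL_NETS = [ipaddress.ip_network(p) for p in LOCAL_PREFIXES]

def is_local(addr, nets=LOCAL_NETS):
    """True if addr falls inside any configured local prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def parse_local_direction(value):
    """Parse an RA_LOCAL_DIRECTION value such as "local:src"; returns 'src' or 'dst'."""
    scope, _, side = value.strip().strip('"').partition(":")
    if scope != "local" or side not in ("src", "dst"):
        raise ValueError(f"unsupported RA_LOCAL_DIRECTION: {value!r}")
    return side

def orient(record, side, nets=LOCAL_NETS):
    """Copy of a flow record with src/dst swapped so the local address sits on the
    requested side. Only records with an ambiguous direction ('?') are touched."""
    rec = dict(record)
    if rec["dir"].strip() != "?":
        return rec  # direction already known: leave placement alone
    src_local, dst_local = is_local(rec["saddr"], nets), is_local(rec["daddr"], nets)
    if src_local == dst_local:
        return rec  # both local or both remote: locality gives no basis to decide
    if src_local != (side == "src"):
        rec["saddr"], rec["sport"], rec["daddr"], rec["dport"] = (
            rec["daddr"], rec["dport"], rec["saddr"], rec["sport"])
    return rec

def orient_all(records, local_direction="local:src", nets=LOCAL_NETS):
    side = parse_local_direction(local_direction)
    return [orient(r, side, nets) for r in records]

# Constructed sample records shaped like ra() fields (saddr, sport, dir, daddr, dport).
SAMPLE = [
    {"saddr": "203.0.113.9", "sport": 443, "dir": " ? ", "daddr": "192.168.1.20", "dport": 51000},
    {"saddr": "192.168.1.20", "sport": 51001, "dir": " ? ", "daddr": "203.0.113.9", "dport": 443},
    {"saddr": "203.0.113.9", "sport": 443, "dir": " -> ", "daddr": "192.168.1.20", "dport": 51002},
    {"saddr": "198.51.100.1", "sport": 53, "dir": " ? ", "daddr": "203.0.113.9", "dport": 40000},
]

if __name__ == "__main__":
    for r in orient_all(SAMPLE, "local:src"):
        print(f'{r["saddr"]:>15}:{r["sport"]:<6}{r["dir"]}{r["daddr"]:>15}:{r["dport"]}')
```

With "local:src" the first sample record is flipped so 192.168.1.20 prints on the left, the record with a known direction and the all-remote record are left as they are.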

I'll be uploading the new ratop() that uses this logic with argus-clients-3.0.7.4,
later this week.  If it works well for you, I'll extend support so that all ra* programs
will use the code.

Of course, if you have an opinion about this, and any other argus topic, don't
hesitate to send me email or the list !!!!

Hope all is most excellent,

Carter
