argus-clients-3.0.7.4 additions - locality
elof2 at sentor.se
Wed Dec 5 15:10:20 EST 2012
On Wed, 5 Dec 2012, Carter Bullard wrote:
> # Many ra* clients process flow records where locality is an important
> # property. Sites use locality for a number of features, such as access control,
> # and this support is intended to support visualization, and analytics.
> #
> # Currently, you can identify a collection of IP addresses that represent RA_LOCAL,
> # and are specified using an iana-address-file formatted file. (See ralabel.conf)
> RA_LOCAL=/usr/local/argus/local.addrs
Wow! Sounds great!
> # When locality information is available, programs like ra(), and
> # ratop() can use that information to make display decisions, such
> # as the assignment of source when the data does not provide
> # enough information to definitively make that assignment.
> #
> # RA_LOCAL_DIRECTION provides the logic for using the locality
> # information to assign flow direction. You can force the local
> # address to be either the source (src) or the destination (dst).
> #
> # The syntax is:
> # RA_LOCAL_DIRECTION="local:src"
> # RA_LOCAL_DIRECTION="local:dst"
I'm not sure I understand this one.
Is it only for cases where the direction is ' ? ' that this variable is
used? So the real benefit is to list these flows in a less random
manner when this happens?
Then I have two questions:
1)
Why does this variable have the string 'local:' in it? Wouldn't
RA_LOCAL_DIRECTION="src" suffice?
2)
The variable name "RA_LOCAL_DIRECTION" does not make me understand what
it is all about. Perhaps "RA_DEFAULT_DIRECTION" or something would be a
better name? (...if I have correctly understood the meaning of the
feature, that is)
/Elof
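The following is an added illustration of the behaviour being discussed (locality deciding which side of an ambiguous flow is shown as source); it is example code written for this page, not argus code. It assumes a simplified one-network-per-line address list (the real RA_LOCAL file uses the iana-address-file format described in ralabel.conf, which is not reproduced here), a constructed set of flow records, and the reading from the post that the setting only applies to flows whose direction is unknown ('?').

```python
import ipaddress

# Constructed stand-in for the RA_LOCAL file. Assumption: one network per
# line, '#' starts a comment. Not the real iana-address-file format.
LOCAL_ADDRS_TEXT = """\
# local.addrs (constructed for this example)
10.0.0.0/8
192.168.1.0/24
"""


def load_local(text):
    """Parse the simplified address list into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_local(addr, nets):
    """True if addr falls inside any RA_LOCAL network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def parse_local_direction(value):
    """Accept RA_LOCAL_DIRECTION="local:src" / "local:dst"; return 'src' or 'dst'."""
    value = value.strip().strip('"')
    if value not in ("local:src", "local:dst"):
        raise ValueError("RA_LOCAL_DIRECTION must be local:src or local:dst, got %r" % value)
    return value.split(":", 1)[1]


def orient(flow, nets, local_side):
    """Return a copy of flow, with src/dst swapped when the local address
    has to land on local_side. Assumption (from the post): only flows
    whose direction is unknown ('?') are touched; flows where both or
    neither endpoint is local are left alone because locality cannot
    decide them."""
    out = dict(flow)
    if flow["dir"] != "?":
        return out
    src_local = is_local(flow["saddr"], nets)
    dst_local = is_local(flow["daddr"], nets)
    if src_local == dst_local:
        return out
    need_swap = (local_side == "src" and dst_local) or \
                (local_side == "dst" and src_local)
    if need_swap:
        out["saddr"], out["daddr"] = flow["daddr"], flow["saddr"]
        out["sport"], out["dport"] = flow["dport"], flow["sport"]
    return out


# Constructed flow records: (saddr, sport, daddr, dport, dir)
SAMPLE_FLOWS = [
    {"saddr": "8.8.8.8", "sport": 53, "daddr": "10.1.2.3", "dport": 4444, "dir": "?"},
    {"saddr": "10.1.2.3", "sport": 5555, "daddr": "1.2.3.4", "dport": 80, "dir": "?"},
    {"saddr": "1.2.3.4", "sport": 80, "daddr": "10.1.2.3", "dport": 5556, "dir": "->"},
    {"saddr": "10.0.0.1", "sport": 22, "daddr": "192.168.1.9", "dport": 6000, "dir": "?"},
]


def run(setting="local:src"):
    """Apply the setting to the sample flows; returns the oriented records."""
    nets = load_local(LOCAL_ADDRS_TEXT)
    side = parse_local_direction(setting)
    return [orient(f, nets, side) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f in run('"local:src"'):
        print("%-12s:%-5d -> %-12s:%-5d %s" % (f["saddr"], f["sport"], f["daddr"], f["dport"], f["dir"]))
```

Under local:src the first sample flow is flipped so 10.1.2.3 becomes the source; the second already has the local address as source and is untouched; the third is left alone because its direction is known; the fourth has local addresses on both sides, so locality cannot decide it.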