argus-clients-3.0.7.4 additions - locality
Carter Bullard
carter at qosient.com
Thu Dec 6 09:22:48 EST 2012
Excellent. the more dialog on these features, the better / best !!!
Comments inline .
Carter
On Dec 5, 2012, at 3:10 PM, elof2 at sentor.se wrote:
>
> On Wed, 5 Dec 2012, Carter Bullard wrote:
>> # Many ra* clients process flow records where locality is an important
>> # property. Sites use locality for a number of features, such as access control,
>> # and this support is intended to support visualization, and analytics.
>> #
>> # Currently, you can identify a collection of IP addresses that represent RA_LOCAL,
>> # and are specified using an iana-address-file formatted file. (See ralabel.conf)
>> RA_LOCAL=/usr/local/argus/local.addrs
>
> Wow! Sounds great!
Thanks !! Probably uploading today as a first pass for testing.
>
>> # When locality information is available, programs like ra(), and
>> # ratop() can use that information to make display decisions, such
>> # as the assignement of source when the data does not provide
>> # enough information to definitively make that assignment.
>> #
>> # RA_LOCAL_DIRECTION provides the logic for using the locality
>> # information to assign flow direction. You can force the local
>> # address to be either the source (src) or the destination (dst).
>> #
>> # The syntax is:
>> # RA_LOCAL_DIRECTION="local:src"
>> # RA_LOCAL_DIRECTION="local:dst"
>
> I'm not sure I understand this one.
> Is it only for cases where the direction is ' ? ' that this variable is used? So the real benefit is to list these flows in a less random manner when this happens?
Yes, right now, its designed to support ambigous flows, but if we decide to do more, we just need to figure out how to configure it.
>
> Then I have two questions:
> 1)
> Why do this variable have the string 'local:' in it? Wouldn't it suffice with RA_LOCAL_DIRECTION="src"?
This is to be the first option, I thought there maybe multiple of these.
So either 'local' or 'remote', so I picked local.
>
> 2)
> The variable name "RA_LOCAL_DIRECTION" does not make me understand what it is all about. Perhaps "RA_DEFAULT_DIRECTION" or something would be a better name? (...if I have correctly understood the meaning of the feature, that is)
Yes, it needs some tweaking. I'll change it to ra_flow_direction ?
>
> /Elof
>
More information about the argus
mailing list