Reading from named pipes with ra* clients?

Carter Bullard carter at qosient.com
Fri Jul 13 13:51:48 EDT 2012 

Hey Matt,
Two things.
   1) you can use radium() to run your ralabel.conf labels, and provide that data through the standard ports that radium supports.  that is the official way to daemonize a ralabel() right now.
   2) named pipes; we don't have any specific support in the file reading logic to understand that the file maybe a pipe, and to sit and wait for input rather than exit on EOF

I think we do need to provide support for named pipes.  Let me see what we need to do, and I'll get back to you later next week.
Until then, do try to use radium() to do your labels.  Turn the feature on using the documented RADIUM_CLASSIFIER_FILE
in your radium.conf file.  

Hope this is useful !!!!!

Carter 

On Jul 12, 2012, at 12:34 PM, Matt Brown wrote:

> Hello,
> 
>  
> I am attempting to use a named pipe/fifo to be an intermediary between ralabel and rasqlinsert.
> 
>  
>  
> I created the fifo with no extraneous stuff:
> 
>  
> # stat /usr/local/argus/argfifo
> 
>   File: `/usr/local/argus/argfifo'
> 
>   Size: 0           Blocks: 0          IO Block: 4096   fifo
> 
> Device: fd00h/64768d   Inode: 16058584    Links: 1
> 
> Access: (0644/prw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
> 
> Access: 2012-07-12 11:50:47.000000000 -0400
> 
> Modify: 2012-07-12 11:50:47.000000000 -0400
> 
> Change: 2012-07-12 11:50:47.000000000 -0400
> 
>  
>  
> I start ralabel with:
> 
> /usr/local/bin/ralabel -f /etc/ralabel.conf -S localhost:561 -s stime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco dco -w /usr/local/argus/argfifo
>  
> 
> By using cat I see that ralabel is succesfully writing to the fifo.
> 
>  
> I'd like to be able to use any ra* client to read from the fifo, but have been unsuccesful with ra and rasqlinsert:
> 
> strace ra -r /usr/local/argus/argfifo -m none -s stime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco dco &> ~/strace_ra.log
> 
> I have posted the strace output here: http://pastebin.com/ADvVdC3r
> 
>  
> The goal is to be able to daemonize the ralabel process (maybe using daemonize http://software.clapper.org/daemonize/#introduction).
> 
>  
> I'm now able to start have ralabel pipe it's binary stdout to rasqlinsert as a background job with:
> 
>  
> su -c 'ralabel ... 2> /var/log/ralabel.log | rasqlinsert ... 2> /var/log/rasqlinsert.log &' root
> 
>  
> I also do have PIDs being generated with the use of RA_SET_PID in /$HOME/.rarc
>  
> 
> Is there a method to:
> 
> 1) daemonize ralabel so that it can pipe to other raclients?
> 2) read from named pipes with ra* clients?
>  
> 
> Thanks,
> 
> Matt
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120713/9ffb3763/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120713/9ffb3763/attachment.bin>

More information about the argus mailing list