Reading from named pipes with ra* clients?

Matt Brown matthewbrown at gmail.com
Fri Jul 13 14:49:34 EDT 2012


Thanks for your reply, Carter.

I'll take a look into using radium and look forward to the changes.

Thanks,

Matt

On Jul 13, 2012 1:51 PM, "Carter Bullard" <carter at qosient.com> wrote:

> Hey Matt,
> Two things.
>    1) You can use radium() to run your ralabel.conf labels, and provide
> that data through the standard ports that radium supports.  That is the
> official way to daemonize a ralabel() right now.
>    2) Named pipes; we don't have any specific support in the file reading
> logic to understand that the file may be a pipe, and to sit and wait for
> input rather than exit on EOF.
>
> I think we do need to provide support for named pipes.  Let me see what we
> need to do, and I'll get back to you later next week.
> Until then, do try to use radium() to do your labels.  Turn the feature on
> using the documented RADIUM_CLASSIFIER_FILE
> in your radium.conf file.
>
> Hope this is useful !!!!!
>
> Carter
>
> On Jul 12, 2012, at 12:34 PM, Matt Brown wrote:
>
> Hello,
>
> I am attempting to use a named pipe/fifo to be an intermediary between
> ralabel and rasqlinsert.
>
> I created the fifo with no extraneous stuff:
>
> # stat /usr/local/argus/argfifo
>   File: `/usr/local/argus/argfifo'
>   Size: 0           Blocks: 0          IO Block: 4096   fifo
> Device: fd00h/64768d   Inode: 16058584    Links: 1
> Access: (0644/prw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
> Access: 2012-07-12 11:50:47.000000000 -0400
> Modify: 2012-07-12 11:50:47.000000000 -0400
> Change: 2012-07-12 11:50:47.000000000 -0400
>
> I start ralabel with:
>
> /usr/local/bin/ralabel -f /etc/ralabel.conf -S localhost:561 -s stime dur
> flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco
> dco -w /usr/local/argus/argfifo
>
> By using cat I see that ralabel is successfully writing to the fifo.
>
> I'd like to be able to use any ra* client to read from the fifo, but have
> been unsuccessful with ra and rasqlinsert:
>
> strace ra -r /usr/local/argus/argfifo -m none -s stime dur flgs proto
> saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco dco &>
> ~/strace_ra.log
>
> I have posted the strace output here: http://pastebin.com/ADvVdC3r
>
> The goal is to be able to daemonize the ralabel process (maybe using
> daemonize http://software.clapper.org/daemonize/#introduction).
>
> I'm now able to have ralabel pipe its binary stdout to rasqlinsert
> as a background job with:
>
> su -c 'ralabel ... 2> /var/log/ralabel.log | rasqlinsert ... 2>
> /var/log/rasqlinsert.log &' root
>
> I also have PIDs being generated with the use of RA_SET_PID in
> /$HOME/.rarc
>
> Is there a method to:
>
> 1) daemonize ralabel so that it can pipe to other ra* clients?
> 2) read from named pipes with ra* clients?
>
> Thanks,
>
> Matt
>
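Carter's diagnosis above, that the ra* file-reading logic does not know the file may be a pipe and treats the writer closing as end of input, can be reproduced with a few lines of C; the example below is added here and is not argus code. The path, the sample record and the helper names (is_fifo, drain_stream, spawn_writer) are assumptions for the demo, and drain_stream contrasts a reader that stops at the first EOF with one that holds its own write end of the FIFO so a restarting writer never produces EOF.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if path is a FIFO, 0 for anything else that exists, -1 on error. */
int is_fifo(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return S_ISFIFO(st.st_mode) ? 1 : 0;
}

/* Consume bytes from path and return how many were read (-1 on error).
 * keep_open == 0 mimics a reader that treats EOF as "input exhausted": on a
 * FIFO it returns as soon as the current writer closes, as ra does today.
 * keep_open != 0 is the FIFO-aware variant: it opens its own write end, so
 * EOF never arrives and read() simply blocks while writers come and go.
 * stop_after > 0 caps the bytes read so the demo terminates; a real daemon
 * would pass 0 and run until signalled.  (Assumed demo API, not argus's.) */
long drain_stream(const char *path, int keep_open, long stop_after) {
    int fd = open(path, O_RDONLY);        /* on a FIFO: blocks for a writer */
    if (fd < 0) return -1;
    int keep = -1;
    if (keep_open && is_fifo(path) == 1) {
        keep = open(path, O_WRONLY);      /* we are a reader, so no block */
        if (keep < 0) { close(fd); return -1; }
    }
    long total = 0;
    char buf[4096];
    ssize_t n;
    while ((stop_after <= 0 || total < stop_after) &&
           (n = read(fd, buf, sizeof buf)) > 0)
        total += n;
    if (keep >= 0) close(keep);
    close(fd);
    return total;
}

/* Demo helper: fork a writer that opens the FIFO, writes msg and closes it,
 * `rounds` times, like a labeller being restarted.  Returns the child pid. */
pid_t spawn_writer(const char *path, const char *msg, int rounds) {
    pid_t pid = fork();
    if (pid != 0) return pid;
    for (int i = 0; i < rounds; i++) {
        int fd = open(path, O_WRONLY);    /* blocks until a reader exists */
        if (fd < 0 || write(fd, msg, strlen(msg)) < 0) _exit(1);
        close(fd);
    }
    _exit(0);
}
```

With keep_open set the reader survives a writer restart, but it also blocks forever if no writer ever returns, so a supervisor still has to stop it; the stop_after cap exists only so the demo finishes.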