ralabel

Carter Bullard carter at qosient.com
Fri Jun 1 11:33:44 EDT 2012


Hey CS Lee,
The argus-clients-3.0.6 ralabel.c works in the 3.0.6.1 distribution, so you
can copy it over and compile, and all will be fine.  The fix for the ralabel.c
that is in the 3.0.6.1 distribution is below:

MeinTing:ralabel carter$ diff ./examples/ralabel/ralabel.c ./examples/ralabel/ralabel.c.new
251c251
<       lstruct = (void *) argus->dsrs[ARGUS_LABEL_INDEX];
---
>       lstruct = (void *) ns->dsrs[ARGUS_LABEL_INDEX];
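Review bot: at line 251 `ns->dsrs[ARGUS_LABEL_INDEX]` is dereferenced, but nothing in the diff shows where `ns` is created or that it is checked. If making the copy of the record can fail and leave `ns` NULL, this line and the four later uses of `ns` dereference a null pointer. Check `ns` once before this block and return early when the copy was not made.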
264c264
<                      if ((argusrec = ArgusGenerateRecord (argus, 0L, sbuf)) != NULL) {
---
>                      if ((argusrec = ArgusGenerateRecord (ns, 0L, sbuf)) != NULL) {
268c268
<                         ArgusWriteNewLogfile (parser, argus->input, wfile, argusrec);
---
>                         ArgusWriteNewLogfile (parser, ns->input, wfile, argusrec);
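Review bot: `ns->input` at line 268 assumes the copy carries the same `input` pointer as the original record. Confirm that the routine producing `ns` copies `input` along with the DSRs; if it does not, `ArgusWriteNewLogfile` is handed an unset input here, and this one argument should stay `argus->input`.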
281c281
<                   parser->RaLabel = ArgusGenerateLabel(parser, argus);
---
>                   parser->RaLabel = ArgusGenerateLabel(parser, ns);
291c291
<             ArgusPrintRecord(parser, buf, argus, MAXSTRLEN);
---
>             ArgusPrintRecord(parser, buf, ns, MAXSTRLEN);
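Review bot: line 291 is the last visible use of `ns`, and none of the hunks show the copy being released. If `ns` is allocated each time this code runs, free it after the `ArgusPrintRecord` call and on any earlier exit path, otherwise the leak grows with the record stream. Since both `argus` and `ns` remain in scope, a short comment at the point of the copy saying that only `ns` is to be used from there on would help keep the two from being mixed again.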


I had generated a copy of the original argus record, to fix a minor problem, but I didn't
make the correct changes to actually use the copy.  I'll incorporate this into the official
patch on Monday, when I get back to the office.

Carter



On Jun 1, 2012, at 10:32 AM, Carter Bullard wrote:

> Hey CS Lee,
> So, I just tested the 3.0.6.1 patch, and it does seem to break the AS labeling,
> so back up to argus-clients-3.0.6 until I can figure out what I did.
> 
> Carter
> 
> On Jun 1, 2012, at 2:02 AM, CS Lee wrote:
> 
>> hi Carter,
>> 
>> Have you updated ralabel? It doesn't seem to work on version 3.0.6.1, when I run 
>> 
>> /usr/local/stow/argusc-3.0.6.1/bin/ralabel -f /nsmon/etc/ralabel.conf -S 10.10.10.1:561 -w - | ra -n -s stime proto saddr sport dir daddr dport state sco dco sas das
>>    12:28:55.523218    udp      1.2.3.4.64507    <->       15.15.15.15.53       CON
>>    12:28:55.597702    udp      1.2.3.4.32771    <-       2.3.4.5.53       RSP
>>    12:28:55.647515    udp      1.2.3.4.60581    <->       15.15.15.15.53       CON
>> 
>> You can see nothing shows up, if I use 3.0.5.34, it seems to be working. My ralabel.conf has these few lines enabled
>> 
>> RALABEL_ARIN_COUNTRY_CODES=yes
>> RA_DELEGATED_IP="/nsmon/file/delegated-ipv4-latest"
>> RALABEL_GEOIP_ASN=yes
>> RALABEL_GEOIP_ASN_FILE="/nsmon/file/GeoIPASNum.dat"
>> 
>> Cheers!
>> 
>> -- 
>> Best Regards,
>> 
>> CS Lee<geek00L[at]gmail.com>
>> 
>> http://geek00l.blogspot.com
>> http://defcraft.net
> 
