Label files and performance

Craig Merchant cmerchant at responsys.com
Fri Jan 18 19:07:55 EST 2013 

I actually can't get labeling working at all...  Is there some kind of compiling

radium.conf:

RADIUM_CLASSIFIER=yes
RADIUM_CLASSIFIER_FILE=/usr/local/argus/ralabel.conf

.rarc:

RA_FIELD_SPECIFIER="stime flgs proto saddr sport dir daddr dport pkts bytes state label"

ralabel.conf:

RALABEL_IANA_ADDRESS=yes
RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"
RALABEL_ARGUS_FLOW=yes
RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/label-file"

The iana-address-file is the standard with one additional inclusion:

0.0.0.0/8-192.167.255.255/32    Internet
192.168.0.0/16                  QoSient
192.168.0.0/24                  Wired
192.168.0.67                    SMTP
192.168.1.0/24                  Switzerland
192.168.2.0/24                  Wireless
207.237.36.98                   QoSient.com
192.168.3.0/24-223.0.0.0/8      Internet

include argus-flow-file


The argus-flow-file:

12.130.131.0/24 public,apache
12.130.158.0/24 public,apache
12.130.136.0/24 public,mta
12.130.137.0/24 public,mta

The "/usr/local/argus/label-file":

filter="net 10.0.0.0/8" label="internal"

If I run ra -s +sco +dco +label, I see the country codes, but not any of my labels.  Same if I run ralabel.  If I run ra -M label="internal", no records appear.

I even tried the following:

#cat test-ralabel.conf
RALABEL_ARGUS_FLOW=yes
RALABEL_ARGUS_FLOW_FILE="test-flow"

#cat test-flow
filter="net 10.0.0.0/8" label="internal"

Running ralabel -f test-ralabel.conf -s +label didn't produce anything either...

What am I doing wrong here?

Thanks.

C


From: argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu] On Behalf Of Craig Merchant
Sent: Friday, January 18, 2013 2:13 PM
To: Argus (argus-info at lists.andrew.cmu.edu)
Subject: [ARGUS] Label files and performance

If I use the default file in .rarc:

#RALABEL_ARGUS_FLOW=yes
#RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"

How big a file or how many lines can that argus-flow-file be before it starts impacting performance?  The one I want to start experimenting with is about 1500 lines.

If the answer is "depends", is it possible to monitor the performance of the labeling process somehow?

Thanks.

C
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130119/6e154e22/attachment.html>

More information about the argus mailing list