Unusual country codes showing up
Craig Merchant
cmerchant at responsys.com
Tue Mar 5 21:24:16 EST 2013
We use some of the private address spaces internally. Using radium to label the flows, connecting any of the ra clients to radium and using "-s +dco,+sco" is showing strange country codes for internal address ranges. Codes like: pu, ap, in, la, tm.
I ran the script in the support directory to update all of the delegated-*-latest and copied the delegated-ipv4-latest file to /usr/local/argus.
The ralabel.conf file referenced by radium is:
RALABEL_IANA_ADDRESS=yes
RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/responsys-iana-file"
RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
#RALABEL_BIND_NAME="all"
RALABEL_IANA_PORT=no
#RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
RALABEL_ARGUS_FLOW=no
RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/label-file"
#RALABEL_GEOIP_ASN=yes
#RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
# objects, in whatever order you like, as the RALABLE_GEOPIP_CITY string
# RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
# RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
RALABEL_GEOIP_CITY="saddr,daddr,inode:cname"
RALABEL_GEOIP_CITY_FILE="/usr/local/argus/GeoIPCity.dat"
Although I haven't tested it exhaustively, it *seems* that the unusual pairs of letters in the unusual country codes show up together in the label field for each flow.
Thanks.
Craig
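
One way to check whether the delegated-ipv4-latest file itself assigns a country code to any private range, as an added example that is not part of the original post or of the argus code. It assumes the file uses the standard RIR statistics layout (registry|cc|type|start|count|date|status). The sample records and the function names are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample in the RIR delegated-statistics layout; the last record is
# deliberately made to spill into 192.168.0.0/16 so the check has something to find.
SAMPLE = """\
2|apnic|20130305|3|19830613|20130304|+1000
apnic|*|ipv4|*|2|summary
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
arin|US|ipv4|8.0.0.0|16777216|19921201|allocated
ripencc|DE|ipv4|192.167.255.0|512|20100101|allocated
"""

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_delegated(text):
    """Return [(cc, first, last)] for IPv4 records, skipping header/summary/comment lines."""
    records = []
    for line in text.splitlines():
        f = line.strip().split("|")
        if line.startswith("#") or len(f) < 7 or f[2] != "ipv4" or f[3] == "*":
            continue
        try:
            first, count = int(ipaddress.IPv4Address(f[3])), int(f[4])
        except ValueError:
            continue  # malformed start address or count
        records.append((f[1].lower(), first, first + count - 1))
    return records

def private_overlaps(records):
    """List delegated ranges that intersect any RFC 1918 network."""
    hits = []
    for cc, first, last in records:
        for net in PRIVATE:
            if first <= int(net.broadcast_address) and last >= int(net.network_address):
                hits.append((cc, str(ipaddress.IPv4Address(first)),
                             str(ipaddress.IPv4Address(last)), str(net)))
    return hits

def country_for(records, addr):
    """Country codes of every delegated range containing addr (empty if none)."""
    a = int(ipaddress.IPv4Address(addr))
    return [cc for cc, first, last in records if first <= a <= last]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    recs = parse_delegated(text)
    for hit in private_overlaps(recs):
        print("overlap:", hit)
    for ip in sys.argv[2:] or ["10.1.2.3", "192.168.0.5"]:
        print(ip, country_for(recs, ip) or "no delegation")
```

Run against the real file with the path as the first argument and internal addresses after it; an empty result for those addresses means the delegated file has no record covering them.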