Unusual country codes showing up

Craig Merchant cmerchant at responsys.com
Wed Mar 6 12:42:09 EST 2013 

We’re using 3.0.7.5.

I’ll send you some data directly…

Thx.

Craig

From: Carter Bullard [mailto:carter at qosient.com]
Sent: Wednesday, March 06, 2013 5:10 AM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Unusual country codes showing up

What version of the clients ??  Use 3.0.7.5 if you can, we fixed a country code problem a while ago ?  If you are using a 3.0.7.x send a set of data that generates the error.

Carter
On Mar 5, 2013, at 9:24 PM, Craig Merchant <cmerchant at responsys.com<mailto:cmerchant at responsys.com>> wrote:
We use some of the private address spaces internally.  Using radium to label the flows, connecting any of the ra clients to radium and using “-s +dco,+sco” is showing strange country codes for internal address ranges.  Codes like:  pu, ap, in, la, tm.

I ran the script in the support directory to update all of the delegated-*-latest and copied the delegated-ipv4-latest file to /usr/local/argus.

The ralabel.conf file referenced by radium is:

RALABEL_IANA_ADDRESS=yes
RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/responsys-iana-file"
RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
#RALABEL_BIND_NAME="all"
RALABEL_IANA_PORT=no
#RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
RALABEL_ARGUS_FLOW=no
RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/label-file"
#RALABEL_GEOIP_ASN=yes
#RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
#    objects, in whatever order you like, as the RALABLE_GEOPIP_CITY string
#       RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
#       RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
RALABEL_GEOIP_CITY="saddr,daddr,inode:cname"
RALABEL_GEOIP_CITY_FILE="/usr/local/argus/GeoIPCity.dat"

Although I haven’t tested it exhaustively, it *seems* that the unusual pairs of letters in the unusual country codes show up together in the label field for each flow.

Thanks.

Craig
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130306/ec5ca914/attachment.html>

More information about the argus mailing list