AS Number filtering

Carter Bullard carter at qosient.com
Thu Apr 17 18:01:13 EDT 2014


Hey James,
Jessie is on it, and his reference should get you going.
Just a little so that you can know how this stuff works.

Argus allows you to filter on objects in every layer in the stack,
through lots of different strategies and mechanisms.  To filter on
geolocation objects, such as country codes, AS numbers, zip codes,
you need to get into argus flow metadata.  Data that is included in
flow data that is not derived directly from packet contents is called
flow metadata.

The argus tools have a lot of support for geospatial and netspatial
metadata.  But you need a source of the metadata to get it into
the flow.  We add metadata, such as AS numbers to argus flow data,
through flow labeling using a number of databases.  For AS number,
we use both the commercial and free GeoIP libraries and databases
from Maxmind.  You’ll need to install GeoIP and the databases,
and ./configure and compile the support into your clients to get the
support.

Our primary labelers are ralabel() and radium().  The support for labeling
is rather extensive, so you need to read the ralabel.1 man page, and
checkout the sample ./support/Config/ralabel.conf configuration file that
we provide in the distribution.

I have radium() label all my records with country codes, AS numbers,
and lat and lon, so that programs later in the processing pipeline can
do interesting things.

Once you get the labels going, AS numbers will be in the “sas” and “das”
variables in your flow records.  You can print, filter, aggregate, and sort on
these values, so getting them into your records can be useful.

If you are importing netflow data that contains ASnums, the argus clients
will include the AS numbers into the flow records on conversion, so you
can get AS numbers into your flow data that way, as well.

Carter

On Apr 17, 2014, at 4:42 PM, James Grace <jgrac002 at fiu.edu> wrote:

> Thanks for the link. I'll RTFM and see if I run into any troubles.
> 
> James
> 
> On Apr 17, 2014 4:36 PM, "Jesse Bowling" <jessebowling at gmail.com> wrote:
> Hi James,
> 
> Check out this thread and it may help you along:
> 
> http://comments.gmane.org/gmane.network.argus/10220
> 
> Cheers,
> 
> Jesse
> 
> 
> On Thu, Apr 17, 2014 at 4:04 PM, James Grace <jgrac002 at fiu.edu> wrote:
> Good afternoon, list,
> 
> Is there anyway to get AS information from an Argus-client? I've done racluster type top-talkers using VID, IP address, and Protocol, but does Argus have the capability to scale up to Layer 4?
> 
> Cheers, 
> 
> James
> 
> 
> 
> 
> -- 
> Jesse Bowling
> 
