AS Number filtering
Carter Bullard
carter at qosient.com
Fri Apr 18 10:48:05 EDT 2014
Hey James,
The trick is your ralabel.conf file, and if you have any GeoIP
support compiled into your clients.
Is ARGUS_GEOIP defined in your clients ./include/argus_config.h file?
$ fgrep ARGUS_GEOIP ./include/argus_config.h
#define ARGUS_GEOIP /**/
If you don’t see the above, what does configure say about geoip ???
$ ./configure | fgrep -i geoip
Carter
On Apr 18, 2014, at 10:39 AM, James Grace <jgrac002 at fiu.edu> wrote:
> Thanks for all the help! I seem to have followed the steps in the thread posted by Jesse, but I'm not seeing any s/dAS output from the following:
>
> [root at coralreef opt]# ralabel -D 3 -f /etc/ralabel.conf -S localhost -s stime sas das | less
>
> StartTime sAS dAS
> 10:38:37.405104
> 10:38:11.858056
> 10:38:11.858174
> 10:38:11.858175
> 10:38:11.858183
> 10:38:11.858284
> 10:38:11.859053
> 10:38:11.859056
> 10:38:11.859457
> 10:38:11.860291
> 10:38:11.860681
> 10:38:11.861003
> 10:38:11.861008
>
> I'd like to point out that I'm using Emulex DAG cards with a custom compiled libpcap (for use of DAG cards) for Argus.
>
> Thanks a bunch,
>
> -james
>
> On Thu, Apr 17, 2014 at 6:01 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey James,
> Jesse is on it, and his reference should get you going.
> Just a little so that you can know how this stuff works.
>
> Argus allows you to filter on objects in every layer in the stack,
> through lots of different strategies and mechanisms. To filter on
> geolocation objects, such as country codes, AS numbers, zip codes,
> you need to get into argus flow metadata. Data that is included in
> flow data that is not derived directly from packet contents is called
> flow metadata.
>
> The argus tools have a lot of support for geospatial and netspatial
> metadata. But you need a source of the metadata to get it into
> the flow. We add metadata, such as AS numbers to argus flow data,
> through flow labeling using a number of databases. For AS number,
> we use both the commercial and free GeoIP libraries and databases
> from Maxmind. You’ll need to install GeoIP and the databases,
> and ./configure and compile the support into your clients to get the
> support.
>
> Our primary labelers are ralabel() and radium(). The support for labeling
> is rather extensive, so you need to read the ralabel.1 man page, and
> checkout the sample ./support/Config/ralabel.conf configuration file that
> we provide in the distribution.
>
> I have radium() label all my records with country codes, AS numbers,
> and lat and lon, so that programs later in the processing pipeline can
> do interesting things.
>
> Once you get the labels going, AS numbers will be in the "sas" and "das"
> variables in your flow records. You can print, filter, aggregate, and sort on
> these values, so getting them into your records can be useful.
>
> If you are importing netflow data that contains ASnums, the argus clients
> will include the AS numbers into the flow records on conversion, so you
> can get AS numbers into your flow data that way, as well.
>
> Carter
>
> On Apr 17, 2014, at 4:42 PM, James Grace <jgrac002 at fiu.edu> wrote:
>
>> Thanks for the link. I'll RTFM and see if I run into any troubles.
>>
>> James
>>
>> On Apr 17, 2014 4:36 PM, "Jesse Bowling" <jessebowling at gmail.com> wrote:
>> Hi James,
>>
>> Check out this thread and it may help you along:
>>
>> http://comments.gmane.org/gmane.network.argus/10220
>>
>> Cheers,
>>
>> Jesse
>>
>>
>> On Thu, Apr 17, 2014 at 4:04 PM, James Grace <jgrac002 at fiu.edu> wrote:
>> Good afternoon, list,
>>
>> Is there any way to get AS information from an Argus client? I've done racluster-type top-talkers using VID, IP address, and Protocol, but does Argus have the capability to scale up to Layer 4?
>>
>> Cheers,
>>
>> James
>>
>> --
>> Jesse Bowling
>>
>
>
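As an added example (not code from this thread or from the argus distribution), the two checks Carter describes, whether ARGUS_GEOIP is defined in the client build and whether ralabel output actually carries sas/das values, as a small POSIX shell script. It runs against constructed sample files; the file paths and the sample AS numbers are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or the argus distribution.
# Two checks matching the troubleshooting steps in this thread:
#   1. is GeoIP support compiled into the clients (ARGUS_GEOIP defined)?
#   2. how many records in "ralabel -s stime sas das" output carry no AS label?
# Runs against constructed sample files so it works offline; the paths in
# the sample section are assumptions, substitute your own build tree/output.

# Return 0 if the given argus_config.h defines ARGUS_GEOIP, 1 otherwise.
has_geoip_support() {
    grep -q '^#define[[:space:]][[:space:]]*ARGUS_GEOIP' "$1"
}

# Print the number of data lines in a ralabel output file that have fewer
# than three fields (stime only, no sas/das). The header line is skipped
# and blank lines are ignored.
count_unlabeled() {
    awk 'NR > 1 && NF > 0 && NF < 3 { n++ } END { print n + 0 }' "$1"
}

# Print the number of data lines that carry both a sas and a das field.
count_labeled() {
    awk 'NR > 1 && NF >= 3 { n++ } END { print n + 0 }' "$1"
}

# --- constructed sample input (stands in for a real build tree and output) ---
tmp=$(mktemp -d)
printf '#define ARGUS_GEOIP /**/\n' > "$tmp/argus_config.h"
cat > "$tmp/ralabel.out" <<'EOF'
StartTime sAS dAS
10:38:37.405104
10:38:11.858056 64496 64497
10:38:11.858174
EOF

if has_geoip_support "$tmp/argus_config.h"; then
    echo "GeoIP support compiled in"
else
    echo "ARGUS_GEOIP not defined: rebuild the clients with GeoIP support"
fi
echo "labeled records:   $(count_labeled "$tmp/ralabel.out")"
echo "unlabeled records: $(count_unlabeled "$tmp/ralabel.out")"
rm -rf "$tmp"
```

If the build check passes but every record is unlabeled, the remaining suspect is the ralabel.conf itself or the GeoIP database paths it points at.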