AS Number filtering

James Grace jgrac002 at fiu.edu
Fri Apr 18 11:00:53 EDT 2014


Hey Carter,

It looks like I'm not compiling with the correct library. I'm just using
the database from the GeoIP Lite that I received from this link:

http://dev.maxmind.com/geoip/legacy/geolite/

I'm new to this GeoIP business so thanks a bunch for your patience.


Output:

# ./configure --with-GeoIP=/opt/GeoIP | fgrep -i geoip

checking for GeoIP library... not found


# fgrep ARGUS_GEOIP include/argus_config.h

/* #undef ARGUS_GEOIP */



On Fri, Apr 18, 2014 at 10:48 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey James,
> The trick is your ralabel.conf file, and if you have any GeoIP
> support compiled into your clients.
>
> Is ARGUS_GEOIP defined in your clients ./include/argus_config.h file?
>
>     $ fgrep ARGUS_GEOIP ./include/argus_config.h
>     #define ARGUS_GEOIP /**/
>
> If you don't see the above, what does configure say about geoip ???
>
>     $ ./configure | fgrep -i geoip
>
> Carter
>
> On Apr 18, 2014, at 10:39 AM, James Grace <jgrac002 at fiu.edu> wrote:
>
> > Thanks for all the help! I seem to have followed the steps in the
> thread posted by Jesse, but I'm not seeing any s/dAS output from the
> following:
> >
> > [root at coralreef opt]# ralabel -D 3 -f /etc/ralabel.conf -S localhost -s
> stime sas das | less
> >
> >       StartTime   sAS   dAS
> >    10:38:37.405104
> >    10:38:11.858056
> >    10:38:11.858174
> >    10:38:11.858175
> >    10:38:11.858183
> >    10:38:11.858284
> >    10:38:11.859053
> >    10:38:11.859056
> >    10:38:11.859457
> >    10:38:11.860291
> >    10:38:11.860681
> >    10:38:11.861003
> >    10:38:11.861008
> >
> > I'd like to point out that I'm using Emulex DAG cards with a custom
> compiled libpcap (for use of DAG cards) for Argus.
> >
> > Thanks a bunch,
> >
> > -james
> >
> > On Thu, Apr 17, 2014 at 6:01 PM, Carter Bullard <carter at qosient.com>
> wrote:
> > Hey James,
> > Jesse is on it, and his reference should get you going.
> > Just a little so that you can know how this stuff works.
> >
> > Argus allows you to filter on objects in every layer in the stack,
> > through lots of different strategies and mechanisms.  To filter on
> > geolocation objects, such as country codes, AS numbers, zip codes,
> > you need to get into argus flow metadata.  Data that is included in
> > flow data that is not derived directly from packet contents is called
> > flow metadata.
> >
> > The argus tools have a lot of support for geospatial and netspatial
> > metadata.  But you need a source of the metadata to get it into
> > the flow.  We add metadata, such as AS numbers to argus flow data,
> > through flow labeling using a number of databases.  For AS number,
> > we use both the commercial and free GeoIP libraries and databases
> > from Maxmind.  You'll need to install GeoIP and the databases,
> > and ./configure and compile the support into your clients to get the
> > support.
> >
> > Our primary labelers are ralabel() and radium().  The support for labeling
> > is rather extensive, so you need to read the ralabel.1 man page, and
> > check out the sample ./support/Config/ralabel.conf configuration file that
> > we provide in the distribution.
> >
> > I have radium() label all my records with country codes, AS numbers,
> > and lat and lon, so that programs later in the processing pipeline can
> > do interesting things.
> >
> > Once you get the labels going, AS numbers will be in the " sas " and " das "
> > variables in your flow records.  You can print, filter, aggregate, and sort on
> > these values, so getting them into your records can be useful.
> >
> > If you are importing netflow data that contains ASnums, the argus clients
> > will include the AS numbers into the flow records on conversion, so you
> > can get AS numbers into your flow data that way, as well.
> >
> > Carter
> >
> > On Apr 17, 2014, at 4:42 PM, James Grace <jgrac002 at fiu.edu> wrote:
> >
> >> Thanks for the link. I'll RTFM and see if I run into any troubles.
> >>
> >> James
> >>
> >> On Apr 17, 2014 4:36 PM, "Jesse Bowling" <jessebowling at gmail.com>
> wrote:
> >> Hi James,
> >>
> >> Check out this thread and it may help you along:
> >>
> >> http://comments.gmane.org/gmane.network.argus/10220
> >>
> >> Cheers,
> >>
> >> Jesse
> >>
> >>
> >> On Thu, Apr 17, 2014 at 4:04 PM, James Grace <jgrac002 at fiu.edu> wrote:
> >> Good afternoon, list,
> >>
> >> Is there any way to get AS information from an Argus-client? I've done
> racluster type top-talkers using VID, IP address, and Protocol, but does
> Argus have the capability to scale up to Layer 4?
> >>
> >> Cheers,
> >>
> >> James
> >>
> >>
> >>
> >>
> >> --
> >> Jesse Bowling
> >>
> >
> >
>
>
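A pre-flight check for the two things this thread turns on: whether the libGeoIP C library (not just the GeoLite .dat database) is installed under the prefix handed to `./configure --with-GeoIP=`, and whether `ARGUS_GEOIP` ended up defined in `include/argus_config.h` afterwards. This is an added example, not code from the argus distribution or from anyone on the thread. It assumes the legacy libGeoIP layout of `PREFIX/include/GeoIP.h` plus `PREFIX/lib/libGeoIP.{so,a,dylib}`, and that the ASN database is the GeoLite file `GeoIPASNum.dat` under `PREFIX/share/GeoIP/`; the file names are assumptions, so adjust them if your install differs.

```shell
#!/bin/sh
# Added example (not from the argus distribution or the thread's authors).
# Pre-flight check before running ./configure --with-GeoIP=PREFIX.
# Assumed layout (not stated on the page): legacy libGeoIP installs
# include/GeoIP.h and lib/libGeoIP.{so,a,dylib} under PREFIX, and the
# GeoLite ASN database is PREFIX/share/GeoIP/GeoIPASNum.dat.

# check_geoip_prefix PREFIX [ASN_DB]
# Returns 0 if the C library (header + lib) is present,
#         1 if only a database is there (configure will say "not found"),
#         2 if neither is found. Prints a one-line verdict.
check_geoip_prefix() {
    prefix=$1
    asn_db=${2:-$prefix/share/GeoIP/GeoIPASNum.dat}
    have_hdr=0; have_lib=0; have_db=0
    if [ -f "$prefix/include/GeoIP.h" ]; then have_hdr=1; fi
    for f in "$prefix/lib/libGeoIP.so" "$prefix/lib/libGeoIP.a" "$prefix/lib/libGeoIP.dylib"; do
        if [ -e "$f" ]; then have_lib=1; fi
    done
    if [ -f "$asn_db" ]; then have_db=1; fi
    if [ "$have_hdr" -eq 1 ] && [ "$have_lib" -eq 1 ]; then
        echo "libGeoIP found under $prefix (ASN database present: $have_db)"
        return 0
    elif [ "$have_db" -eq 1 ]; then
        echo "only a GeoIP database under $prefix; GeoIP.h/libGeoIP missing, configure will report 'not found'"
        return 1
    else
        echo "no GeoIP library or database under $prefix"
        return 2
    fi
}

# check_argus_geoip SRCDIR
# After ./configure, reports whether ARGUS_GEOIP is defined in
# SRCDIR/include/argus_config.h (the test suggested in the thread).
# Returns 0 if defined, 1 if left undefined, 2 if the header is absent.
check_argus_geoip() {
    hdr=$1/include/argus_config.h
    if [ ! -f "$hdr" ]; then
        echo "$hdr not found; run ./configure first"
        return 2
    fi
    if grep -q '^#define ARGUS_GEOIP' "$hdr"; then
        echo "ARGUS_GEOIP defined: clients will be built with GeoIP labeling"
        return 0
    fi
    echo "ARGUS_GEOIP not defined: ralabel/radium will not fill sas/das from GeoIP"
    return 1
}

# Usage (from the argus-clients source tree):
#   check_geoip_prefix /opt/GeoIP && ./configure --with-GeoIP=/opt/GeoIP
#   check_argus_geoip .
```

Run the first check before configure and the second after it; a return of 1 from `check_geoip_prefix` is the situation in this thread, where the GeoLite database was downloaded but the library configure links against was never installed.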