AS Number filtering
Carter Bullard
carter at qosient.com
Fri Apr 18 15:18:16 EDT 2014
Hey James,
what does ldd report for your binary ralabel() ???
% ldd bin/ralabel
If you’re running on a Mac OS X machine, it will be
% otool -L bin/ralabel
Here’s what mine looks like:
MeinTing:argus-clients-3.0.7.24 carter$ ldd bin/ralabel
bin/ralabel:
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
/usr/local/lib/libGeoIP.1.dylib (compatibility version 6.0.0, current version 6.6.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
Carter
On Apr 18, 2014, at 11:28 AM, James Grace <jgrac002 at fiu.edu> wrote:
> Thanks a bunch, Carter,
>
> It seems I've run into yet another problem.
>
> I compiled and installed libGeoIP, and confirmed its location in /usr/local/lib/
>
> I did a ./configure --with-GeoIP=yes
>
> ./configure --with-GeoIP=yes | fgrep -i geoip
>
> checking for GeoIP_open in -lGeoIP... yes
>
> and checked the argus_config header:
> # fgrep ARGUS_GEOIP include/argus_config.h
>
> #define ARGUS_GEOIP /**/
>
> But I'm getting the following error:
>
> # ralabel -D 3 -f /etc/ralabel.conf -r argus.out -s stime sas das -N 10
>
> ralabel: error while loading shared libraries: libGeoIP.so.1: cannot open shared object file: No such file or directory
>
> Thanks for the help so far!
>
> -james
>
> On Fri, Apr 18, 2014 at 11:05 AM, Carter Bullard <carter at qosient.com> wrote:
> Well, you need to compile in the support, if you want to get it.
> Checkout this link:
>
> http://www.qosient.com/argus/geolocation.shtml
>
> and do what it sez. Not much to it. The support for
> GeoIP is automatic now, so you don’t have to add anything
> special to ./configure. You do need to install the libraries though.
>
> Holler if you have any problems.
>
> Carter
>
> On Apr 18, 2014, at 11:00 AM, James Grace <jgrac002 at fiu.edu> wrote:
>
>> Hey Carter,
>>
>> It looks like I'm not compiling with the correct library. I'm just using the database from the GeoIP Lite that I received from this link:
>>
>> http://dev.maxmind.com/geoip/legacy/geolite/
>>
>> I'm new to this GeoIP business so thanks a bunch for your patience.
>>
>> Output:
>> # ./configure --with-GeoIP=/opt/GeoIP | fgrep -i geoip
>>
>> checking for GeoIP library... not found
>>
>> # fgrep ARGUS_GEOIP include/argus_config.h
>>
>> /* #undef ARGUS_GEOIP */
>>
>> On Fri, Apr 18, 2014 at 10:48 AM, Carter Bullard <carter at qosient.com> wrote:
>> Hey James,
>> The trick is your ralabel.conf file, and if you have any GeoIP
>> support compiled into your clients.
>>
>> Is ARGUS_GEOIP defined in your clients' ./include/argus_config.h file?
>>
>> $ fgrep ARGUS_GEOIP ./include/argus_config.h
>> #define ARGUS_GEOIP /**/
>>
>> If you don’t see the above, what does configure say about geoip ???
>>
>> $ ./configure | fgrep -i geoip
>>
>> Carter
>>
>> On Apr 18, 2014, at 10:39 AM, James Grace <jgrac002 at fiu.edu> wrote:
>>
>> > Thanks for all the help! I seem to have followed the steps in the thread posted by Jesse, but I'm not seeing any s/dAS output from the following:
>> >
>> > [root at coralreef opt]# ralabel -D 3 -f /etc/ralabel.conf -S localhost -s stime sas das | less
>> >
>> > StartTime sAS dAS
>> > 10:38:37.405104
>> > 10:38:11.858056
>> > 10:38:11.858174
>> > 10:38:11.858175
>> > 10:38:11.858183
>> > 10:38:11.858284
>> > 10:38:11.859053
>> > 10:38:11.859056
>> > 10:38:11.859457
>> > 10:38:11.860291
>> > 10:38:11.860681
>> > 10:38:11.861003
>> > 10:38:11.861008
>> >
>> >
>> > I'd like to point out that I'm using Emulex DAG cards with a custom compiled libpcap (for use of DAG cards) for Argus.
>> >
>> > Thanks a bunch,
>> >
>> > -james
>> >
>> > On Thu, Apr 17, 2014 at 6:01 PM, Carter Bullard <carter at qosient.com> wrote:
>> > Hey James,
>> > Jesse is on it, and his reference should get you going.
>> > Just a little so that you can know how this stuff works.
>> >
>> > Argus allows you to filter on objects in every layer in the stack,
>> > through lots of different strategies and mechanisms. To filter on
>> > geolocation objects, such as country codes, AS numbers, zip codes,
>> > you need to get into argus flow metadata. Data that is included in
>> > flow data that is not derived directly from packet contents is called
>> > flow metadata.
>> >
>> > The argus tools have a lot of support for geospatial and netspatial
>> > metadata. But you need a source of the metadata to get it into
>> > the flow. We add metadata, such as AS numbers to argus flow data,
>> > through flow labeling using a number of databases. For AS number,
>> > we use both the commercial and free GeoIP libraries and databases
>> > from Maxmind. You’ll need to install GeoIP and the databases,
>> > and ./configure and compile the support into your clients to get the
>> > support.
>> >
>> > Our primary labelers are ralabel() and radium(). The support for labeling
>> > is rather extensive, so you need to read the ralabel.1 man page, and
>> > checkout the sample ./support/Config/ralabel.conf configuration file that
>> > we provide in the distribution.
>> >
>> > I have radium() label all my records with country codes, AS numbers,
>> > and lat and lon, so that programs later in the processing pipeline can
>> > do interesting things.
>> >
>> > Once you get the labels going, AS numbers will be in the "sas" and "das"
>> > variables in your flow records. You can print, filter, aggregate, and sort on
>> > these values, so getting them into your records can be useful.
>> >
>> > If you are importing netflow data that contains ASnums, the argus clients
>> > will include the AS numbers into the flow records on conversion, so you
>> > can get AS numbers into your flow data that way, as well.
>> >
>> > Carter
>> >
>> > On Apr 17, 2014, at 4:42 PM, James Grace <jgrac002 at fiu.edu> wrote:
>> >
>> >> Thanks for the link. I'll RTFM and see if I run into any troubles.
>> >>
>> >> James
>> >>
>> >> On Apr 17, 2014 4:36 PM, "Jesse Bowling" <jessebowling at gmail.com> wrote:
>> >> Hi James,
>> >>
>> >> Check out this thread and it may help you along:
>> >>
>> >> http://comments.gmane.org/gmane.network.argus/10220
>> >>
>> >> Cheers,
>> >>
>> >> Jesse
>> >>
>> >>
>> >> On Thu, Apr 17, 2014 at 4:04 PM, James Grace <jgrac002 at fiu.edu> wrote:
>> >> Good afternoon, list,
>> >>
>> >> Is there any way to get AS information from an Argus-client? I've done racluster type top-talkers using VID, IP address, and Protocol, but does Argus have the capability to scale up to Layer 4?
>> >>
>> >> Cheers,
>> >>
>> >> James
>> >>
>> >> --
>> >> Jesse Bowling
>> >>
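Carter's `ldd` check at the top of the thread is the right first step for the "cannot open shared object file" error James hit: `./configure` found libGeoIP at build time, but the runtime loader could not. As an added diagnostic (not from the argus project or anyone in the thread), the POSIX shell below reads `ldd` and `ldconfig -p` output and reports each unresolved dependency and whether the loader cache knows it at all; the sample output is constructed to mirror the libGeoIP.so.1 failure, and the function names are my own.

```shell
# Read ldd(1) output on stdin and print the soname of every dependency the
# runtime loader reported as "not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Read `ldconfig -p` output on stdin and print the path the loader cache
# holds for soname $1 (prints nothing if the cache has never seen it).
cached_path() {
    awk -v lib="$1" '$1 == lib { print $NF; exit }'
}

# For every unresolved dependency in the ldd text ($1), say whether the
# loader cache text ($2) knows it. Returns 1 if anything is unresolved.
diagnose() {
    status=0
    for lib in $(printf '%s\n' "$1" | missing_libs); do
        status=1
        path=$(printf '%s\n' "$2" | cached_path "$lib")
        if [ -n "$path" ]; then
            echo "$lib: cached at $path but still unresolved; compare architectures with file(1)"
        else
            echo "$lib: absent from the ld.so cache; its directory is not in ld.so.conf or ldconfig has not been rerun"
        fi
    done
    return $status
}

# Constructed sample output (not captured from anyone's system): ldd of a
# ralabel linked against a libGeoIP the loader cannot find, and a cache
# into which /usr/local/lib was never scanned.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc00000000)
    libGeoIP.so.1 => not found
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000100000)'

SAMPLE_LDCONFIG='2 libs found in cache /etc/ld.so.cache
    libz.so.1 (libc6,x86-64) => /lib/x86_64-linux-gnu/libz.so.1
    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6'

# Demonstration on the sample; on a live system feed real output instead:
#   diagnose "$(ldd bin/ralabel)" "$(ldconfig -p)"
diagnose "$SAMPLE_LDD" "$SAMPLE_LDCONFIG" || echo "ralabel would fail to start"
```

A non-zero return from `diagnose` means the binary will fail at exec time exactly as in James' error, before any argus code runs.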