AS Number filtering
James Grace
jgrac002 at fiu.edu
Fri Apr 18 15:21:12 EDT 2014
Hey Carter,
Here's the output. Looks like it can't find the GeoIP library.
[root at coralreef bin]# ldd /usr/local/bin/ralabel
linux-vdso.so.1 => (0x00007fffa59b3000)
libm.so.6 => /lib64/libm.so.6 (0x000000351ec00000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x000000351e800000)
libGeoIP.so.1 => not found
libz.so.1 => /lib64/libz.so.1 (0x000000351f400000)
libc.so.6 => /lib64/libc.so.6 (0x000000351e000000)
/lib64/ld-linux-x86-64.so.2 (0x000000351dc00000)
-james
On Fri, Apr 18, 2014 at 3:18 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey James,
> what does ldd report for your binary ralabel() ???
>
> % ldd bin/ralabel
>
> If you're running on a Mac OS X machine, it will be
> % otool -L bin/ralabel
>
> Here's what mine looks like:
>
> MeinTing:argus-clients-3.0.7.24 carter$ ldd bin/ralabel
> bin/ralabel:
> /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
> version 1197.1.1)
> /usr/local/lib/libGeoIP.1.dylib (compatibility version 6.0.0,
> current version 6.6.0)
> /usr/lib/libz.1.dylib (compatibility version 1.0.0, current
> version 1.2.5)
>
>
> Carter
>
> On Apr 18, 2014, at 11:28 AM, James Grace <jgrac002 at fiu.edu> wrote:
>
> > Thanks a bunch, Carter,
> >
> > It seems I've run into yet another problem.
> >
> > I compiled and installed libGeoIP, and confirmed it's location in
> /usr/local/lib/
> >
> > I did a ./configure --with-GeoIP=yes
> >
> > ./configure --with-GeoIP=yes | fgrep -i geoip
> >
> > checking for GeoIP_open in -lGeoIP... yes
> >
> > and checked the argus_config header:
> > # fgrep ARGUS_GEOIP include/argus_config.h
> >
> > #define ARGUS_GEOIP /**/
> >
> > But i'm getting the following error:
> >
> > # ralabel -D 3 -f /etc/ralabel.conf -r argus.out -s stime sas das -N 10
> >
> >
> > ralabel: error while loading shared libraries: libGeoIP.so.1: cannot
> open shared object file: No such file or directory
> >
> >
> >
> > Thanks for the help so far!
> >
> >
> >
> > -james
> >
> >
> >
> >
> >
> > On Fri, Apr 18, 2014 at 11:05 AM, Carter Bullard <carter at qosient.com>
> wrote:
> > Well, you need to compile in the support, if you want to get it.
> > Checkout this link:
> >
> > http://www.qosient.com/argus/geolocation.shtml
> >
> > and do what it sez. Not much to it. The support for
> > GeoIP is automatic now, so you don't have to add anything
> > special to ./configure. You do need to install the libraries though.
> >
> > Holler if you have any problems.
> >
> > Carter
> >
> > On Apr 18, 2014, at 11:00 AM, James Grace <jgrac002 at fiu.edu> wrote:
> >
> >> Hey Carter,
> >>
> >> It looks like I'm not compiling with the correct library. I'm just
> using the database from the GeoIP Lite that I received from this link:
> >>
> >> http://dev.maxmind.com/geoip/legacy/geolite/
> >>
> >> I'm new to this GeoIP business so thanks a bunch for your patience.
> >>
> >>
> >> Output:
> >> # ./configure --with-GeoIP=/opt/GeoIP | fgrep -i geoip
> >>
> >> checking for GeoIP library... not found
> >>
> >>
> >>
> >> # fgrep ARGUS_GEOIP include/argus_config.h
> >>
> >>
> >> /* #undef ARGUS_GEOIP */
> >>
> >>
> >>
> >>
> >> On Fri, Apr 18, 2014 at 10:48 AM, Carter Bullard <carter at qosient.com>
> wrote:
> >> Hey James,
> >> The trick is your ralabel.conf file, and if you have any GeoIP
> >> support compiled into your clients.
> >>
> >> Is ARGUS_GEOIP defined in your clients ./include/argus_config.h file?
> >>
> >> $ fgrep ARGUS_GEOIP ./include/argus_config.h
> >> #define ARGUS_GEOIP /**/
> >>
> >> If you don't see the above, what does configure say about geoip ???
> >>
> >> $ ./configure | fgrep -i geoip
> >>
> >> Carter
> >>
> >> On Apr 18, 2014, at 10:39 AM, James Grace <jgrac002 at fiu.edu> wrote:
> >>
> >> > Thanks for all the help! I've seem to have followed the steps in the
> thread posted by Jesse, but I'm not seeing any s/dAS output from the
> following:
> >> >
> >> > [root at coralreef opt]# ralabel -D 3 -f /etc/ralabel.conf -S localhost
> -s stime sas das | less
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > StartTime sAS dAS
> >> >
> >> > 10:38:37.405104
> >> >
> >> > 10:38:11.858056
> >> >
> >> > 10:38:11.858174
> >> >
> >> > 10:38:11.858175
> >> >
> >> > 10:38:11.858183
> >> >
> >> > 10:38:11.858284
> >> >
> >> > 10:38:11.859053
> >> >
> >> > 10:38:11.859056
> >> >
> >> > 10:38:11.859457
> >> >
> >> > 10:38:11.860291
> >> >
> >> > 10:38:11.860681
> >> >
> >> > 10:38:11.861003
> >> >
> >> >
> >> > 10:38:11.861008
> >> >
> >> >
> >> >
> >> > I'd like to point out that I'm using Emulex DAG cards with a custom
> compiled libpcap (for use of DAG cards) for Argus.
> >> >
> >> >
> >> >
> >> > Thanks a bunch,
> >> >
> >> > -james
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > On Thu, Apr 17, 2014 at 6:01 PM, Carter Bullard <carter at qosient.com>
> wrote:
> >> > Hey James,
> >> > Jessie is on it, and his reference should get you going.
> >> > Just a little so that you can know how this stuff works.
> >> >
> >> > Argus allows you to filter on objects in every layer in the stack,
> >> > through lots of different strategies and mechanisms. To filter on
> >> > geolocation objects, such as country codes, AS numbers, zip codes,
> >> > you need to get into argus flow metadata. Data that is included in
> >> > flow data that is not derived directly from packet contents is called
> >> > flow metadata.
> >> >
> >> > The argus tools have a lot of support for geospatial and netspatial
> >> > metadata. But you need a source of the metadata to get it into
> >> > the flow. We add metadata, such as AS numbers to argus flow data,
> >> > through flow labeling using a number of databases. For AS number,
> >> > we use both the commercial and free GeoIP libraries and databases
> >> > from Maxmind. You'll need to install GeoIP and the databases,
> >> > and ./configure and compile the support into your clients to get the
> >> > support.
> >> >
> >> > Our primary labelers are ralabel() and radium(). The support for
> labeling
> >> > is rather extensive, so you need to read the ralabel.1 man page, and
> >> > checkout the sample ./support/Config/ralabel.conf configuration file
> that
> >> > we provide in the distribution.
> >> >
> >> > I have radium() label all my records with country codes, AS numbers,
> >> > and lat and lon, so that programs later in the processing pipeline can
> >> > do interesting things.
> >> >
> >> > Once you get the labels going, AS numbers will be in the " sas " and
> " das "
> >> > variables in your flow records. You can print, filter, aggregate,
> and sort on
> >> > these values, so getting them into your records can be useful.
> >> >
> >> > If you are importing netflow data that contains ASnums, the argus
> clients
> >> > will include the AS numbers into the flow records on conversion, so
> you
> >> > an get AS numbers into your flow data that way, as well.
> >> >
> >> > Carter
> >> >
> >> > On Apr 17, 2014, at 4:42 PM, James Grace <jgrac002 at fiu.edu> wrote:
> >> >
> >> >> Thanks for the link. I'll RTFM and see if I run into any troubles.
> >> >>
> >> >> James
> >> >>
> >> >> On Apr 17, 2014 4:36 PM, "Jesse Bowling" <jessebowling at gmail.com>
> wrote:
> >> >> Hi James,
> >> >>
> >> >> Check out this thread and it may help you along:
> >> >>
> >> >> http://comments.gmane.org/gmane.network.argus/10220
> >> >>
> >> >> Cheers,
> >> >>
> >> >> Jesse
> >> >>
> >> >>
> >> >> On Thu, Apr 17, 2014 at 4:04 PM, James Grace <jgrac002 at fiu.edu>
> wrote:
> >> >> Good afternoon, list,
> >> >>
> >> >> Is there anyway to get AS information from an Argus-client? I've
> done racluster type top-talkers using VID, IP address, and Protocol, but
> does Argus have the capability to scale up to Layer 4?
> >> >>
> >> >> Cheers,
> >> >>
> >> >> James
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Jesse Bowling
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140418/e17f2462/attachment.html>
More information about the argus
mailing list