AS Number filtering

James Grace jgrac002 at fiu.edu
Fri Apr 18 16:19:15 EDT 2014 

Hey Carter,

Made a rookie sysadmin move and didn't export the LD path. Everything is
working peachy now. Thanks for everything!

-james



On Fri, Apr 18, 2014 at 3:28 PM, Carter Bullard <carter at qosient.com> wrote:

> So, when you compile the client programs, what does one of the compile
> command lines look like:
>
>    % cd examples/ralabel
>    % make clean
>    % make
>
> There should be a " -L/usr/local/lib -lGeoIP " section in there, or the
> path that ./configure
> thinks is suppose to work.  If so, do you have the correct file ???
>
>    % ls -la /usr/local/lib/*GeoIP*
>
> Then if all looks good, you probably don't have /usr/local/bin in your
> LD_LIBRARY_PATH.
>
>    % export LD_LIBRARY_PATH=/usr/local/lib:${LD_LIBRARY_PATH}
>
> You'll want to add this to your .bashrc  startup file.
>
> Carter
>
> On Apr 18, 2014, at 3:21 PM, James Grace <jgrac002 at fiu.edu> wrote:
>
> Hey Carter,
>
> Here's the output. Looks like it can't find the GeoIP library.
>
> [root at coralreef bin]# ldd /usr/local/bin/ralabel
>
> linux-vdso.so.1 =>  (0x00007fffa59b3000)
>
> libm.so.6 => /lib64/libm.so.6 (0x000000351ec00000)
>
> libpthread.so.0 => /lib64/libpthread.so.0 (0x000000351e800000)
>
> libGeoIP.so.1 => not found
>
> libz.so.1 => /lib64/libz.so.1 (0x000000351f400000)
>
> libc.so.6 => /lib64/libc.so.6 (0x000000351e000000)
>
> /lib64/ld-linux-x86-64.so.2 (0x000000351dc00000)
>
>
> -james
>
>
>
>
> On Fri, Apr 18, 2014 at 3:18 PM, Carter Bullard <carter at qosient.com>wrote:
>
>> Hey James,
>> what does ldd report for your binary ralabel() ???
>>
>>    % ldd bin/ralabel
>>
>> If you're running on a Mac OS X machine, it will be
>>    % otool -L bin/ralabel
>>
>> Here's what mine looks like:
>>
>> MeinTing:argus-clients-3.0.7.24 carter$ ldd bin/ralabel
>> bin/ralabel:
>>         /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
>> version 1197.1.1)
>>         /usr/local/lib/libGeoIP.1.dylib (compatibility version 6.0.0,
>> current version 6.6.0)
>>         /usr/lib/libz.1.dylib (compatibility version 1.0.0, current
>> version 1.2.5)
>>
>>
>> Carter
>>
>> On Apr 18, 2014, at 11:28 AM, James Grace <jgrac002 at fiu.edu> wrote:
>>
>> > Thanks a bunch, Carter,
>> >
>> > It seems I've run into yet another problem.
>> >
>> > I compiled and installed libGeoIP, and confirmed it's location in
>> /usr/local/lib/
>> >
>> > I did a ./configure --with-GeoIP=yes
>> >
>> > ./configure --with-GeoIP=yes | fgrep -i geoip
>> >
>> > checking for GeoIP_open in -lGeoIP... yes
>> >
>> > and checked the argus_config header:
>> > # fgrep ARGUS_GEOIP include/argus_config.h
>> >
>> > #define ARGUS_GEOIP /**/
>> >
>> > But i'm getting the following error:
>> >
>> > # ralabel -D 3 -f /etc/ralabel.conf -r argus.out -s stime sas das -N 10
>> >
>> >
>> > ralabel: error while loading shared libraries: libGeoIP.so.1: cannot
>> open shared object file: No such file or directory
>> >
>> >
>> >
>> > Thanks for the help so far!
>> >
>> >
>> >
>> > -james
>> >
>> >
>> >
>> >
>> >
>> > On Fri, Apr 18, 2014 at 11:05 AM, Carter Bullard <carter at qosient.com>
>> wrote:
>> > Well, you need to compile in the support, if you want to get it.
>> > Checkout this link:
>> >
>> > http://www.qosient.com/argus/geolocation.shtml
>> >
>> > and do what it sez. Not much to it.  The support for
>> > GeoIP is automatic now, so you don't have to add anything
>> > special to ./configure.  You do need to install the libraries though.
>> >
>> > Holler if you have any problems.
>> >
>> > Carter
>> >
>> > On Apr 18, 2014, at 11:00 AM, James Grace <jgrac002 at fiu.edu> wrote:
>> >
>> >> Hey Carter,
>> >>
>> >> It looks like I'm not compiling with the correct library. I'm just
>> using the database from the GeoIP Lite that I received from this link:
>> >>
>> >> http://dev.maxmind.com/geoip/legacy/geolite/
>> >>
>> >> I'm new to this GeoIP business so thanks a bunch for your patience.
>> >>
>> >>
>> >> Output:
>> >> # ./configure --with-GeoIP=/opt/GeoIP | fgrep -i geoip
>> >>
>> >> checking for GeoIP library... not found
>> >>
>> >>
>> >>
>> >> # fgrep ARGUS_GEOIP include/argus_config.h
>> >>
>> >>
>> >> /* #undef ARGUS_GEOIP */
>> >>
>> >>
>> >>
>> >>
>> >> On Fri, Apr 18, 2014 at 10:48 AM, Carter Bullard <carter at qosient.com>
>> wrote:
>> >> Hey James,
>> >> The trick is your ralabel.conf file, and if you have any GeoIP
>> >> support compiled into your clients.
>> >>
>> >> Is ARGUS_GEOIP defined in your clients ./include/argus_config.h file?
>> >>
>> >>     $ fgrep ARGUS_GEOIP ./include/argus_config.h
>> >>     #define ARGUS_GEOIP /**/
>> >>
>> >> If you don't see the above, what does configure say about geoip ???
>> >>
>> >>     $ ./configure | fgrep -i geoip
>> >>
>> >> Carter
>> >>
>> >> On Apr 18, 2014, at 10:39 AM, James Grace <jgrac002 at fiu.edu> wrote:
>> >>
>> >> > Thanks for all the help! I've seem to have followed the steps in the
>> thread posted by Jesse, but I'm not seeing any s/dAS output from the
>> following:
>> >> >
>> >> > [root at coralreef opt]# ralabel -D 3 -f /etc/ralabel.conf -S
>> localhost -s stime sas das | less
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >       StartTime   sAS   dAS
>> >> >
>> >> >    10:38:37.405104
>> >> >
>> >> >    10:38:11.858056
>> >> >
>> >> >    10:38:11.858174
>> >> >
>> >> >    10:38:11.858175
>> >> >
>> >> >    10:38:11.858183
>> >> >
>> >> >    10:38:11.858284
>> >> >
>> >> >    10:38:11.859053
>> >> >
>> >> >    10:38:11.859056
>> >> >
>> >> >    10:38:11.859457
>> >> >
>> >> >    10:38:11.860291
>> >> >
>> >> >    10:38:11.860681
>> >> >
>> >> >    10:38:11.861003
>> >> >
>> >> >
>> >> >    10:38:11.861008
>> >> >
>> >> >
>> >> >
>> >> > I'd like to point out that I'm using Emulex DAG cards with a custom
>> compiled libpcap (for use of DAG cards) for Argus.
>> >> >
>> >> >
>> >> >
>> >> > Thanks a bunch,
>> >> >
>> >> > -james
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Thu, Apr 17, 2014 at 6:01 PM, Carter Bullard <carter at qosient.com>
>> wrote:
>> >> > Hey James,
>> >> > Jessie is on it, and his reference should get you going.
>> >> > Just a little so that you can know how this stuff works.
>> >> >
>> >> > Argus allows you to filter on objects in every layer in the stack,
>> >> > through lots of different strategies and mechanisms.  To filter on
>> >> > geolocation objects, such as country codes, AS numbers, zip codes,
>> >> > you need to get into argus flow metadata.  Data that is included in
>> >> > flow data that is not derived directly from packet contents is called
>> >> > flow metadata.
>> >> >
>> >> > The argus tools have a lot of support for geospatial and netspatial
>> >> > metadata.  But you need a source of the metadata to get it into
>> >> > the flow.  We add metadata, such as AS numbers to argus flow data,
>> >> > through flow labeling using a number of databases.  For AS number,
>> >> > we use both the commercial and free GeoIP libraries and databases
>> >> > from Maxmind.  You'll need to install GeoIP and the databases,
>> >> > and ./configure and compile the support into your clients to get the
>> >> > support.
>> >> >
>> >> > Our primary labelers are ralabel() and radium().  The support for
>> labeling
>> >> > is rather extensive, so you need to read the ralabel.1 man page, and
>> >> > checkout the sample ./support/Config/ralabel.conf configuration file
>> that
>> >> > we provide in the distribution.
>> >> >
>> >> > I have radium() label all my records with country codes, AS numbers,
>> >> > and lat and lon, so that programs later in the processing pipeline
>> can
>> >> > do interesting things.
>> >> >
>> >> > Once you get the labels going, AS numbers will be in the " sas " and
>> " das "
>> >> > variables in your flow records.  You can print, filter, aggregate,
>> and sort on
>> >> > these values, so getting them into your records can be useful.
>> >> >
>> >> > If you are importing netflow data that contains ASnums, the argus
>> clients
>> >> > will include the AS numbers into the flow records on conversion, so
>> you
>> >> > an get AS numbers into your flow data that way, as well.
>> >> >
>> >> > Carter
>> >> >
>> >> > On Apr 17, 2014, at 4:42 PM, James Grace <jgrac002 at fiu.edu> wrote:
>> >> >
>> >> >> Thanks for the link. I'll RTFM and see if I run into any troubles.
>> >> >>
>> >> >> James
>> >> >>
>> >> >> On Apr 17, 2014 4:36 PM, "Jesse Bowling" <jessebowling at gmail.com>
>> wrote:
>> >> >> Hi James,
>> >> >>
>> >> >> Check out this thread and it may help you along:
>> >> >>
>> >> >> http://comments.gmane.org/gmane.network.argus/10220
>> >> >>
>> >> >> Cheers,
>> >> >>
>> >> >> Jesse
>> >> >>
>> >> >>
>> >> >> On Thu, Apr 17, 2014 at 4:04 PM, James Grace <jgrac002 at fiu.edu>
>> wrote:
>> >> >> Good afternoon, list,
>> >> >>
>> >> >> Is there anyway to get AS information from an Argus-client? I've
>> done racluster type top-talkers using VID, IP address, and Protocol, but
>> does Argus have the capability to scale up to Layer 4?
>> >> >>
>> >> >> Cheers,
>> >> >>
>> >> >> James
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Jesse Bowling
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140418/40f3b79f/attachment.html>

More information about the argus mailing list