How to add a compare field to Argus server??

Carter Bullard carter at qosient.com
Tue Aug 19 17:35:39 EDT 2014


Hey Duc Le,
If they are specific packet dynamics thresholds then you’ll
have to hack up argus to do it.  If you want me to do it,
describe what it is, and we’ll look to put it in argus-3.0.10.

If on the other hand it's thresholds that we have filters for,
you could implement it using ralabel.1 using a ralabel.conf file.
This is of course using the newer argus-clients-3.0.8 code base:
   http://qosient.com/argus/dev/argus-clients-latest.tar.gz

Get the sample ralabel.conf file.  You will want to use the
RALABEL_ARGUS_FLOW filtering system, where you use fall through
argus filter strategies to specify a label for your argus data.

RALABEL_ARGUS_FLOW=yes
RALABEL_ARGUS_FLOW_FILE=/path/to/your/argus.flow.label.txt


—— /path/to/your/argus.flow.label.txt ——

filter="rate gt 1000"  label="rate greater than 1000 packets per second"
filter="src co LI"     label="from the good people in Liechtenstein"


These end up embedded in the flow records as "label", which is
where we store the argus metadata tags.
Print them out later using ra …

   ra -r file -s +label:32


Does that get close ???

Carter



On Aug 19, 2014, at 3:29 PM, ptit Lcd <leloiboi1 at gmail.com> wrote:

> Hi all,
> 
> I'm working with some network traffic capture files and i have to compare some features with defined threshold, for example bitperpacket vs 100, then export the result to argus binary file (with a model like ssh keystroke detection, which was already integrated to argus server). So where should i start??
> 
> Thanks,
> Duc Le
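
The fall-through labelling that the reply describes, as an added illustration that is not argus or ralabel code: a small Python model that parses a flow-label file in the `filter="..." label="..."` form shown above, evaluates a deliberately tiny subset of the argus filter grammar (`field op value` clauses joined by `and`, with `gt`/`lt`/`ge`/`le`/`eq` and `co` for country), and attaches the first matching label to each flow record. The record field names (`rate`, `bpp`, `src_country`), the sample flows, the third rule (the bits-per-packet threshold from the question) and the optional trailing `cont` token are constructed assumptions for this example; the real matching is done by ralabel against argus's full filter language, so check the ralabel(1) man page and the sample ralabel.conf for the exact file syntax.

```python
"""Model of RALABEL_ARGUS_FLOW fall-through labelling (constructed example, not argus code)."""
import re
from typing import Dict, List, Tuple

# Constructed flow-label file: the two rules from the mail plus one threshold rule
# of the kind Duc Le asked about (bits per packet compared with 100).
FLOW_LABEL_FILE = '''
# comments and blank lines are ignored
filter="rate gt 1000"   label="rate greater than 1000 packets per second"
filter="src co LI"      label="from the good people in Liechtenstein"
filter="bpp lt 100"     label="low bits-per-packet"
'''

# One rule per line: filter="...", label="...", optional trailing "cont"
# (assumed keyword meaning "keep evaluating later rules after a match").
LINE_RE = re.compile(r'filter="([^"]*)"\s+label="([^"]*)"(\s+cont)?')

_OPS = {
    "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b,
    "ge": lambda a, b: a >= b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "co": lambda a, b: a == b,   # country match; argus resolves this via GeoIP, here it is a record field
}

Rule = Tuple[str, str, bool]   # (filter expression, label, continue-after-match)


def parse_label_file(text: str) -> List[Rule]:
    """Parse the flow-label file into ordered rules; order matters for fall-through."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((m.group(1), m.group(2), m.group(3) is not None))
    return rules


def match(filter_expr: str, rec: Dict[str, object]) -> bool:
    """Evaluate a 'field op value [and ...]' expression against one flow record."""
    for clause in filter_expr.split(" and "):
        field, op, value = clause.split()
        # "src co LI" is modelled as a lookup of the assumed src_country field.
        key = f"{field}_country" if op == "co" else field
        actual = rec.get(key)
        if actual is None:
            return False
        if isinstance(actual, (int, float)):
            value = float(value)
        if not _OPS[op](actual, value):
            return False
    return True


def label_record(rules: List[Rule], rec: Dict[str, object]) -> List[str]:
    """First matching rule wins unless it is marked 'cont'; returns the labels attached."""
    labels: List[str] = []
    for flt, lbl, cont in rules:
        if match(flt, rec):
            labels.append(lbl)
            if not cont:
                break
    return labels


# Constructed flow records (RFC 5737 documentation addresses, invented metrics).
SAMPLE_FLOWS = [
    {"saddr": "192.0.2.10",   "src_country": "US", "rate": 2500.0, "bpp": 640},
    {"saddr": "198.51.100.7", "src_country": "LI", "rate": 12.0,   "bpp": 900},
    {"saddr": "203.0.113.4",  "src_country": "DE", "rate": 3.0,    "bpp": 64},
    {"saddr": "203.0.113.9",  "src_country": "DE", "rate": 5.0,    "bpp": 1200},
]

if __name__ == "__main__":
    rules = parse_label_file(FLOW_LABEL_FILE)
    for flow in SAMPLE_FLOWS:
        print(f'{flow["saddr"]:<14} rate={flow["rate"]:<7} bpp={flow["bpp"]:<5} '
              f'label={label_record(rules, flow)}')
```

The point of the model is the ordering: the first flow exceeds the rate threshold and never reaches the country rule, the second only matches on country, the third only on the bits-per-packet threshold, and the fourth gets no label at all, which is exactly how a fall-through label file behaves when you later select on `label` in `ra`.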
