Problem labeling with ASN numbers

Carter Bullard carter at qosient.com
Tue Feb 25 14:17:14 EST 2014


Hey Jessie,
This action should populate the sas and das attribute fields in the record,
so if you use:

   ralabel -D 3 -f /etc/ralabel.conf -r test.argus -s stime sas das -N 10

You should see your AS numbers.  We moved the result of the label into its
own DSR so we could filter, sort, aggregate, as well as combine
data that had ASN values generated from Cisco netflow data.

Once we moved the data into a separate asn dsr, putting the values into
an ascii label seemed redundant.

If you think it's important to generate "sas=XXX" and "das=XXX" labels,
let's talk.  There are a number of these that have cropped up, and I'm
sure others will as well.  We have geolocation DSRs that can handle stuff
like lat and lon, as these are values you want to sort on, aggregate on,
etc… which is hard to do when the values are buried in an ASCII label,
but with GeoIP lats and lons, we still put them in the label.
Need some consistency I suspect….

What do you think ???!?!?!?!?!?

Carter



On Feb 25, 2014, at 2:04 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> Hello,
> 
> I'm having issues labeling flows with their ASN numbers. I would appreciate any pointers on how to work through this issue. Using the following setup:
> 
> # ralabel --version
> RaLabeler Version 3.0.7.19
> 
> # egrep -v '^#|^[ \t]*$' /etc/ralabel.conf 
> RALABEL_GEOIP_ASN=yes
> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
> RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
> 
> # ralabel -D 3 -f /etc/ralabel.conf -r test.argus -s stime label -N 10
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.951989 ArgusAddFileList (0x518ac010, test.argus, 1, -1, -1) returning 1
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955412 RaLabelParseResourceFile (/etc/ralabel.conf) returning 0
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955498 ArgusReadConnection() read 16 bytes
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955517 ArgusReadConnection() read 112 bytes
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955877 ArgusParseInit(0x7fb2518ac010 0x7fb25183b010
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.955896 ArgusReadConnection(0x5183b010, 1) returning 1
>                      StartTime                     Label 
>       02/25/14 12:01:07.897347
>       02/25/14 13:00:00.000000
>       02/25/14 13:00:01.231979
>       02/25/14 13:00:00.491826
>       02/25/14 13:00:00.000000
>       02/25/14 13:00:00.000000
>       02/25/14 13:00:00.018068
>       02/25/14 13:00:00.000000
>       02/25/14 13:00:00.000000
>       02/25/14 13:00:00.000000
>       02/25/14 13:00:00.000000
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956353 ArgusCloseInput(0x5183b010) closing
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956377 ArgusCloseInput(0x5183b010) done
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956385 main: ArgusReadFileStream (test.argus) done
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956408 main: reading files completed
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956415 ArgusShutDown (0)
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956421 RaParseComplete (0) returning
> ralabel[11976.0047da51b27f0000]: 02/25/14 14:03:54.956429 RaParseComplete(caught signal 0)
> 
> 
> -- 
> Jesse Bowling
> 
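The thread turns on where the AS numbers live: in their own sas/das DSR (sortable, aggregatable fields) versus buried in the ASCII label. The following is an added example, not code from the argus project or from either poster; it parses constructed ralabel-style output in both shapes and aggregates flows per (sas, das) pair, which is the kind of query that is easy on separate columns and awkward on label text. It assumes a comma field separator (the `-c` option of the ra clients) and uses documentation-range AS numbers.

```python
import re
from collections import Counter

# Constructed sample rows, not real ralabel output. Two shapes are shown:
# the AS numbers inside a single label column, and the sas/das columns that
# "-s stime sas das" prints. Empty fields model flows with no ASN lookup.
LABEL_ROWS = """\
02/25/14 13:00:00.000000,sas=64496:das=64512
02/25/14 13:00:01.231979,sas=64496:das=64512
02/25/14 13:00:00.491826,sas=64497:das=64512
02/25/14 13:00:00.018068,
"""

COLUMN_ROWS = """\
02/25/14 13:00:00.000000,64496,64512
02/25/14 13:00:01.231979,64496,64512
02/25/14 13:00:00.491826,64497,64512
02/25/14 13:00:00.018068,,
"""

# key=value pairs inside a label; the separator between pairs does not matter.
LABEL_AS = re.compile(r"\b(sas|das)=(\d+)")


def asns_from_label(label):
    """Pull sas/das out of an ASCII label; a missing key comes back as None."""
    found = dict(LABEL_AS.findall(label))
    return found.get("sas"), found.get("das")


def parse_rows(text, labelled):
    """Yield (stime, sas, das) tuples from either output shape."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if labelled:
            sas, das = asns_from_label(fields[1] if len(fields) > 1 else "")
        else:
            sas = fields[1] or None
            das = fields[2] or None
        yield fields[0], sas, das


def count_by_as_pair(rows):
    """Flows per (sas, das); flows without an ASN land under (None, None)."""
    return Counter((sas, das) for _, sas, das in rows)
```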