regarding ipv6
Carter Bullard
carter at qosient.com
Mon Jun 9 12:33:45 EDT 2014
There is a sample configuration for ralabel, it's
./support/Config/ralabel.conf. This works for me.
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
Are you using argus-clients-3.0.7.31 ???
Carter
On Jun 9, 2014, at 11:57 AM, James Grace <jgrac002 at fiu.edu> wrote:
> Hey Carter,
>
> Now the error is on the v6 line (line 3):
> RALABEL_GEOIP_V6_ASN_FILE="/opt/GeoIP/GeoIPASNumv6.dat"
>
> Is this correct? I'm now seeing the syntax error for this line.
>
> Thanks much,
>
> -james
>
> On Mon, Jun 9, 2014 at 11:53 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey James,
> The 2nd line should read:
>
> RALABEL_GEOIP_ASN_FILE="/opt/GeoIP/GeoIPASNum.dat"
>
>
> Carter
>
> On Jun 9, 2014, at 11:00 AM, James Grace <jgrac002 at fiu.edu> wrote:
>
> > Thanks everyone for being so helpful,
> >
> > I've configured my ralabel.conf like this:
> >
> > RALABEL_GEOIP_ASN=yes
> >
> > RALABEL_GEOIP_V4_ASN_FILE="/opt/GeoIP/GeoIPASNum.dat"
> >
> > RALABEL_GEOIP_V6_ASN_FILE="/opt/GeoIP/GeoIPASNumv6.dat"
> >
> > And when I run ralabel against this configuration I'm getting
> >
> > [root at coralreef 06]# ralabel -D 3 -f /etc/ralabel.conf -R 08/ -w -
> >
> > ralabel[23468]: 10:59:23.218215 /etc/ralabel.conf: syntax error line 2
> >
> > Am I just fat fingering the config here? I swear it looks right to me ;-D
> >
> > Thanks,
> >
> > -james
> >
> > On Sun, May 25, 2014 at 9:41 PM, David Edelman <dedelman at iname.com> wrote:
> > And the sample ra statement that I provided needs to have two more items added to the -s parameter, sas and das, which seem to end up in the DSRs rather than in the label (which is very nice.)
> >
> > ra -r <anArgusDataFileThatHasLabels> -s stime proto saddr:40 sport dir daddr:40 dport sas das label:150
> >
> > --Dave
> >
> > From: Carter Bullard [mailto:carter at qosient.com]
> > Sent: Sunday, May 25, 2014 6:44 PM
> > To: David Edelman
> > Cc: James Grace; Argus
> >
> > Subject: Re: [ARGUS] regarding ipv6
> >
> > But there are always opportunities for bugs.
> >
> > Not much IPv6 going on out there, so if you do run into problems,
> > I may need to fix something for 3.0.8, so holler if you think it's
> > supposed to work but doesn't.
> >
> > Carter
> >
> > On May 25, 2014, at 3:36 PM, David Edelman <dedelman at iname.com> wrote:
> >
> > James,
> >
> > I think that there may be a misunderstanding here. Regardless of how you represent an IPv6 address when it is printed, it is always 128 bits in length. If you are looking to use something like GeoIP to take that address and determine the associated ASN, or telephone area code for that matter, the printed representation is irrelevant.
> >
> > You do need to have the correct files from MaxMind. I believe that http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz is the one that you are looking for. You need something in the ralabel.conf file that tells it where to get the information:
> >
> > RALABEL_GEOIP_ASN=yes
> > RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat" (This one can also be written as RA_LABEL_GEOIP_V4_ASN_FILE="/VAR …)
> > RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
> >
> > If you are doing this already, and you don’t see valid ASN numbers in your flow records, then it has nothing to do with the way that the IPv6 addresses are being printed by the argus client. One thing to keep in mind is that the default length for the label field is pretty short. You might want to try something like this to verify what is happening:
> >
> > ra -r <anArgusDataFileThatHasLabels> -s stime proto saddr:40 sport dir daddr:40 dport label:150
> >
> > —Dave
> >
> > From: James Grace <jgrac002 at fiu.edu>
> > Date: Friday, May 23, 2014 at 7:42 PM
> > To: David Edelman <dedelman at iname.com>
> > Cc: Carter Bullard <carter at qosient.com>, Argus <argus-info at lists.andrew.cmu.edu>
> > Subject: Re: [ARGUS] regarding ipv6
> >
> > David nailed it. Is this still a fixed width issue?
> >
> > -james
> >
> > On Fri, May 23, 2014 at 3:23 PM, David Edelman <dedelman at iname.com> wrote:
> >
> > Carter,
> >
> > I think that James is asking about printing the IPv6 addresses in canonical form rather than in compressed form i.e.: don’t suppress any leading zeros and don’t use :: notation.
> >
> > --Dave
> >
> > From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Carter Bullard
> > Sent: Friday, May 23, 2014 11:10 AM
> > To: James Grace
> > Cc: Argus
> > Subject: Re: [ARGUS] regarding ipv6
> >
> > Hey James,
> >
> > Not sure what you mean by truncated addresses.
> >
> > If you are printing ascii and feeding the record to something else, the default for the ra* programs is to use a FIXED_WIDTH algorithm. You can configure your saddr and daddr fields with larger fixed width buffers in your .rarc or on the command line.
> >
> > ra -s saddr:32 daddr:32 .....
> >
> > Print with a different field separator than ' ' to get non-fixed fields, or configure your .rarc file to print with variable length fields. The fixed width is for commandline and terminal oriented apps to make it look orderly.
> >
> > ra -c ,
> >
> > ralabel and radium can label IPv6 addresses with ASN's using the GeoIP databases. That should work pretty well, checkout the ralabel.1 man page.
> >
> > Carter
> >
> > On May 23, 2014, at 10:16 AM, James Grace <jgrac002 at fiu.edu> wrote:
> >
> > Thanks a bunch, Carter, does Argus store, or have the capability to, the full 128-bit record of an IPv6 address? I'd like to be able to use ralabel to assign ASNs to v6 records, but it's having difficulty with the truncated addresses.
> >
> > Thanks much for all the help!
> >
> > -james
> >
> > On Wed, May 21, 2014 at 6:06 PM, Carter Bullard <carter at qosient.com> wrote:
> >
> > Oh, and if you supply an ipv6 address in a filter,
> > you’ll find that we realize we’re working with ipv6
> > and do the right thing.
> >
> > So this first example passes an ipv6 address.
> > We’ll grab the flow DSR (dsr[1]) and grab the second
> > byte in the header and try to find out if it’s ipv6
> > (0x02). Then we build a big ole 128 bit ipv6 address
> > to match.
> >
> > thoth:~ carter$ ra -b - src host 1::16
> > (000) ldb dsr[1][2]
> > (001) and #31
> > (002) jeq #0x2 jt 3 jf 11
> > (003) ld dsr[1][16]
> > (004) jeq #0x16000000 jt 5 jf 15
> > (005) ld dsr[1][12]
> > (006) jeq #0x0 jt 7 jf 15
> > (007) ld dsr[1][8]
> > (008) jeq #0x0 jt 9 jf 15
> > (009) ld dsr[1][4]
> > (010) jeq #0x100 jt 14 jf 15
> > (011) jeq #0x4 jt 12 jf 15
> > (012) ld dsr[1][12]
> > (013) jeq #0x100 jt 14 jf 15
> > (014) ret #150
> > (015) ret #0
> >
> >
> > Here 0x01 is the bit indicator for ipv4, and, we load
> > up the address. In this case we’re looking for the
> > address in arp and in standard ip flows.
> >
> > thoth:~ carter$ ra -b - src host 1.2.3.4
> > (000) ldb dsr[1][2]
> > (001) and #31
> > (002) jeq #0x1 jt 3 jf 5
> > (003) ld dsr[1][4]
> > (004) jeq #0x1020304 jt 8 jf 9
> > (005) jeq #0x4 jt 6 jf 9
> > (006) ld dsr[1][12]
> > (007) jeq #0x1020304 jt 8 jf 9
> > (008) ret #150
> > (009) ret #0
> >
> > On May 21, 2014, at 5:58 PM, Carter Bullard <carter at qosient.com> wrote:
> >
> > > Hey James,
> > > We don’t make a big distinction between ipv4 and ipv6.
> > > You can always filter on ipv6 by using the filter " ipv6 ".
> > >
> > > ra -S localhost - ipv6
> > >
> > > Aggregation works well, longest prefix match works and CIDR
> > > works, but they are literal operators, so if you do saddr/64
> > > on an IPv6 address, it should do the right thing, not sure
> > > it would be what you wanted …
> > >
> > > There is a distinction between 'icmp' and 'icmp-v6' as filters,
> > > so a filter like " icmp and ipv6 " would return nada, as there
> > > won’t be any matches.
> > >
> > > Carter
> > >
> > > On May 21, 2014, at 3:25 PM, James Grace <jgrac002 at fiu.edu> wrote:
> > >
> > >> Hi,
> > >>
> > >> I have argus purring along smoothly and was wondering if there were filters built in or methods others are using to report on ipv6 traffic solely. I don't see anything in the man pages and the gmane search function is busted so I'm unable to look around on the list archives.
> > >>
> > >> Cheers,
> > >> -james
> > >
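As an added illustration (not code from this thread, and not argus code) of what Carter's `ra -b` listings and David's "always 128 bits" point mean in practice: the script below expands and compresses an IPv6 address, splits it into the four 32-bit words a `src host` filter compares (reproducing the 0x100 / 0x16000000 constants from the bytecode for 1::16), emulates that predicate over a flow record, and shows that only a printed address cut short by a narrow column fails to parse. The record layout (a dict with a type code and a source address) is a constructed stand-in for the flow DSR, the little-endian word order is an assumption matched to the thread's constants, and the arp branch of the bytecode is left out.

```python
import ipaddress
import struct

# Constructed example, not part of argus. Models two points from the thread:
# (1) an IPv6 address is 128 bits however it is printed, and a filter such
#     as `src host 1::16` compiles to word-wise comparisons of those bits;
# (2) only a printed address that has been cut off (e.g. by a narrow
#     fixed-width column) is unusable for a GeoIP/ASN lookup.

FLOW_TYPE_IPV4 = 0x1  # low 5 bits of the flow-type byte, per the bytecode
FLOW_TYPE_IPV6 = 0x2
TYPE_MASK = 31        # the `and #31` step in the listings


def canonical_form(addr):
    """Fully expanded form: no suppressed leading zeros, no '::'."""
    return ipaddress.IPv6Address(addr).exploded


def compressed_form(addr):
    """RFC 5952 compressed form, the kind of text ra prints."""
    return ipaddress.IPv6Address(addr).compressed


def address_words(addr):
    """The 128-bit address as four 32-bit words, each read in little-endian
    host order from the network-order bytes. On a little-endian host (an
    assumption, matching the thread's machine) this yields exactly the
    constants the filter compiler emitted for 1::16: [0x100, 0, 0, 0x16000000]."""
    packed = ipaddress.IPv6Address(addr).packed  # always 16 bytes
    return list(struct.unpack("<4I", packed))


def src_host_matches(record, host):
    """Mimic the compiled `src host <addr>` predicate: check the flow type
    bits first, then compare the address. `record` is a constructed dict
    {"type": int, "saddr": str}, a stand-in for the flow DSR."""
    flow_type = record["type"] & TYPE_MASK
    target = ipaddress.ip_address(host)
    if target.version == 6:
        if flow_type != FLOW_TYPE_IPV6:
            return False
        return address_words(record["saddr"]) == address_words(host)
    if flow_type != FLOW_TYPE_IPV4:
        return False
    return ipaddress.IPv4Address(record["saddr"]) == target


def parse_printed_address(field):
    """Parse an address as it appears in an ra text column. Returns the
    address string, or None when the text is not a complete address
    (for example, one cut short by a fixed-width column)."""
    try:
        return str(ipaddress.ip_address(field.strip()))
    except ValueError:
        return None


if __name__ == "__main__":
    print(canonical_form("1::16"), "<->", compressed_form("1::16"))
    print([hex(w) for w in address_words("1::16")])
    # Constructed flow record standing in for a real one.
    rec = {"type": FLOW_TYPE_IPV6, "saddr": "1::16"}
    print("src host 1::16 matches:", src_host_matches(rec, "1::16"))
    # A column too narrow for the address leaves text that cannot be looked up.
    print(parse_printed_address("2001:db8:abcd:ef01:2345:6789:ab"))
```

Both the exploded and the compressed spelling produce the same four words, which is why the printed form does not affect an ASN lookup; widening the column (`saddr:40`) or switching to a non-fixed separator (`ra -c ,`) only matters for the text that a downstream parser sees.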