4-byte ASN numbers being expressed as floating point numbers by ralabel
Carter Bullard
carter at qosient.com
Fri Jun 27 13:56:35 EDT 2014
Hey Kevin,
Need to check that your /etc/ralabel.conf file is actually adding country codes.
The keyword for AS numbers is “as”. So we may print the asdot value, but we don’t
parse that format for AS numbers, and that is a bug that I’ll fix.
Right now, try something like:
ra - src as gt 65535
Or convert the asdot to decimal, which is what the filter will like right now.
2.18 = 131090
ra - src as 131090
Carter
On Jun 27, 2014, at 1:44 PM, The Branches <branchbunch at gmail.com> wrote:
> Hi Carter,
>
> I think I'm following you. So until an argus record has been run through ralabel, it does not actually populate the country or asn fields and thus those fields can not be filtered on. I do notice that even pre-ralabel, ra shows me the country codes, but I presume that the country codes are being resolved on the fly via the GeoIP library for display purposes only and thus can't be filtered on. ASN numbers don't seem to resolve on the fly at all. In either case, it sounds like I need to output the ralabel results to a different argus data file which will actually have the asn and country codes populated in its records. Then I should be able to use ra tools on this new file with country code and/or asn filters.
>
> However, when I actually try the above, it does not allow me to filter on "src co" or "src an". In one case I get no results, and in the other an error.
>
> root at nids:~# ra -r test.arg -s saddr sco sas
> SrcAddr sCo sAS
> 110.77.193.19 TH
>
> root at nids:~# ralabel -r test.arg -f /etc/ralabel.conf -w labeled.arg
>
> root at nids:~# ra -r labeled.arg -s saddr sco sas
> SrcAddr sCo sAS
> 110.77.193.19 TH 2.18
>
> root at ons-nids:~# ra -r labeled.arg -s saddr sco sas - "src co TH"
> (nothing)
>
> root at ons-nids:~# ra -r labeled.arg -s saddr sco sas - "src an 2.18"
> ra[4886]: 06/27/14.13:37:54 ERROR: compiler timed out
>
> Kevin
>
>
> On Fri, Jun 27, 2014 at 12:52 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Kevin,
> Need to move this to the list.
>
> You’ve run into one of the issues with processing metadata objects. The argus
> record doesn’t actually contain any country codes as you haven’t labeled the record.
> Labeling either with ralabel() or radium() inserts the country codes into the record,
> which you can now filter on.
>
> When we print the country codes, we do lookups at the instance that we’re
> printing the actual field. I may be able to move that into the filter, but right now
> we don’t do that type of fetching in the filter itself. The compiler creates a pattern
> to look for in the record structure itself.
>
> Printing a record doesn’t modify the record. Filtering a record shouldn’t modify
> the record either. I may be able to do something, as I see how confusing it may
> be.
>
> Carter
>
> On Jun 27, 2014, at 12:39 PM, Kevin Branch <kevin at branchnetconsulting.com> wrote:
>
>> Hmmm, that makes sense now that I see it, but it does not appear to work with the test.arg I sent you:
>>
>> root at ons-nids:~# ra -r test.arg -s +sco
>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State sCo
>> 06/25/14.00:00:00 e tcp 110.77.193.19.62694 -> 184.95.147.129.https 35 26462 FIN TH
>> root at ons-nids:~# ra -r test.arg -s +sco - "src co TH"
>> root at ons-nids:~#
>>
>>
>>
>> On Fri, Jun 27, 2014 at 12:32 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Kevin,
>> These are just country codes, not GeoIP specific.
>> Use “src co XX” or “dst co XX”.
>> Carter
>>
>> On Jun 27, 2014, at 12:29 PM, Kevin Branch <kevin at branchnetconsulting.com> wrote:
>>
>>> Sure thing. Here it is.
>>>
>>> Carter, may I also ask for a hint on the proper ra filter syntax for ASNs and country codes? I've tried filter sections like
>>> - "sco eq TH"
>>> - "sco eq 'TH'"
>>> - "sco eq \"TH\""
>>> - "sco = TH"
>>> but I always get "filter syntax error" back.
>>>
>>> I couldn't find any reference to GeoIP fields in the ra man page nor any examples of filtering on such fields in the otherwise helpful geolocation page: http://qosient.com/argus/geolocation.shtml.
>>>
>>> Thanks,
>>> Kevin
>>>
>
>
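Carter's asdot-to-decimal conversion above (2.18 = 131090), as an added Python example that is not part of the thread or of argus: it parses an AS number in either the asdot form ralabel prints or the decimal (asplain) form the ra filter compiler currently accepts, renders it back, and builds the "src as N" / "dst as N" clause. The assumption that values of 65535 and below print as a plain number is the standard asdot convention, not something stated on this page.

```python
# Added example, not argus code. Converts between the asdot notation
# ralabel displays ("2.18") and the 32-bit decimal value ("131090") that
# the ra filter compiler parses, so a filter can be built from what was
# read off the screen.

def asdot_to_asplain(asn: str) -> int:
    """Parse "2.18" (asdot) or "131090" (asplain) into a 32-bit AS number."""
    s = asn.strip()
    if "." in s:
        high, low = s.split(".", 1)
        high_i, low_i = int(high), int(low)
        # Each asdot half is a 16-bit field; reject anything outside that.
        if not (0 <= high_i <= 0xFFFF and 0 <= low_i <= 0xFFFF):
            raise ValueError(f"asdot component out of range: {asn!r}")
        return (high_i << 16) | low_i
    value = int(s)
    if not (0 <= value <= 0xFFFFFFFF):
        raise ValueError(f"AS number outside 32-bit range: {asn!r}")
    return value


def asplain_to_asdot(value: int) -> str:
    """Render a 32-bit AS number in asdot form ("2.18" for 131090).
    Assumption: 2-byte values (<= 65535) are shown as a plain number."""
    if not (0 <= value <= 0xFFFFFFFF):
        raise ValueError(f"AS number outside 32-bit range: {value}")
    if value <= 0xFFFF:
        return str(value)
    return f"{value >> 16}.{value & 0xFFFF}"


def ra_as_filter(asn: str, direction: str = "src") -> str:
    """Build the ra filter clause using the decimal form the compiler parses."""
    if direction not in ("src", "dst"):
        raise ValueError(f"direction must be 'src' or 'dst', got {direction!r}")
    return f"{direction} as {asdot_to_asplain(asn)}"


if __name__ == "__main__":
    # Round-trip the value from the thread, then print the usable filter.
    print(asdot_to_asplain("2.18"), asplain_to_asdot(131090))
    print("ra -r labeled.arg -", repr(ra_as_filter("2.18")))
```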