RA --net Filter Limit Questions

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Tue Jul 12 22:27:56 EDT 2016


Hey Clay,
The filter that the ra* clients use is pretty efficient, but it's not intended for long filters … it is limited by some rather simple things imposed by our use of clib string operators (filter length) and of course, limitations with the complexity of the filter generated by lex / yacc, which can't easily be worked around.

If you have a lot of addresses you want to filter against, use rafilteraddr.1.  It can handle millions of IP addresses, specified as single dot notated addresses, ranges, CIDR addresses, and of course, names.  Put the list of addresses in a file and run rafilteraddr with the -f option …  Something like:

   rafilteraddr -r binfile -w ${server}.${name} -f List.Of.Thousands.Of.Malicious.Addrs

It's pretty fast.   Check out the manpage ….

Carter
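As an added example (not part of Carter's or Clay's messages, and not argus code), a POSIX shell helper for the workaround Clay mentions: it validates and deduplicates an address list, then emits `net … or net …` filter expressions split into chunks so that no single ra filter exceeds the ~250-address size Clay observed. The chunk size and the address-file layout (one IPv4 address or CIDR prefix per line) are assumptions; the deduplicated list is also the form rafilteraddr -f consumes.

```shell
#!/bin/sh
# Added example, not from the thread. Input file layout (assumed): one IPv4
# address or IPv4 CIDR prefix per line, e.g. the "thousands of malicious IPs".

# Print the valid IPv4 / CIDR entries from $1, deduplicated and sorted.
# Anything else (hostnames, blank lines, typos) is dropped so it never
# reaches the filter parser. This list is what rafilteraddr -f would read.
normalized_addr_list() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1" | sort -u
}

# Print one ra filter expression per line ("net A or net B or ..."),
# each covering at most $2 addresses (default 250, the limit Clay hit).
# Each output line can be passed to ra as its filter: ra -r f -- "$line"
chunked_net_filters() {
    normalized_addr_list "$1" | awk -v n="${2:-250}" '
        {
            buf = (cnt ? buf " or net " : "net ") $0   # append this address
            cnt++
            if (cnt == n) { print buf; buf = ""; cnt = 0 }
        }
        END { if (cnt) print buf }'
}

# Count how many ra invocations a list would need at a given chunk size.
filter_count() {
    chunked_net_filters "$1" "$2" | wc -l | tr -d ' '
}
```

Each emitted line is one complete filter, so the loop in Clay's script can iterate over these lines instead of a single oversized `${NETVAR}`.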

> On Jul 12, 2016, at 6:19 PM, Clayton Hamilton via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi all,
> 
> Asking for a friend (cc'd):
> 
> The below query works great as is. However, when the "iparray" array has more than ~250 IP addresses, it doesn't work. I can clearly see that it's running and attempts to pull files, but it fails. If the array has fewer than 250 IP addresses, it works fine and creates all the files based on the filter. This led me to believe there was a limit put on ra either in a .h file, .conf file, or hardcoded into ra itself. Searching through as many .h and .conf files as I could find, I couldn't find any indication of a filter limitation that I could've changed.
> 
> Does anyone have answers for the questions below? Script provided below for reference:
> 
> 1. Does 'ra' have a limit on its filter, specifically with the 'net' option?
> 2. If it does have a limit, are we able to change the limit in a .conf or .h file?
> 3. If it has a limit hard coded into 'ra' itself, can we request the limit be lifted?
> 4. If there is no limit, I request this issue be entered as a bug, and to please fix with the next package update.
> 
> We have thousands of malicious IPs that I would love to input directly into a ra filter to read existing ra binaries. If we don't have to spend the time to split the array into 250 IP address chunks, it would save a great deal of time.
> 
> ---BEGIN---
> 
> date="20160710"
> iparray=(192.168.1.100 10.10.10.1)
> servers="AAA BBB"
> NETVAR=$(echo ${iparray[@]} | sed 's/ / or net /g')
> 
> for server in ${servers} ; do
>     find /argusbinarypath/${server}/binary/${date} -type f -name "argusbinaryfilename*" -print0 |\
>     nice -15 xargs -0 -P4 -I binfile sh -c ' 
>     base=$(basename binfile)
>     name=${base##*/}
>     server=$(echo binfile | cut -d/ -f5)
>     ra -L -1 -r binfile -w ${server}.${name} -- net '"${NETVAR}"' ' -- binfile
> done
> 
> ---END---
> 
> Thank you,
> Clay.
> 
> 
