RA --net Filter Limit Questions

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Wed Jul 13 08:17:39 EDT 2016


Hey Randy,
Not talking about ra.1,  we're talking about rafilteraddr.1.
   % which rafilteraddr

If your argus clients don't include the program rafilteraddr.1,  then you should get the latest version, which is argus-clients-3.0.8.2.

   % man rafilteraddr

Carter

> On Jul 12, 2016, at 11:20 PM, Randy Grant <js02012011 at gmail.com> wrote:
> 
> Hi Carter,
> I'm the friend Clay sent this for. Thanks for the info. The -f option would solve all of my issues. Looking through the man pages, I only saw the -F option (for conffiles) but no -f option as you stated. Did I miss something? Do you happen to have a copy of the latest man pages with the -f option in it?
> Randy
> 
> 
>> On Tue, Jul 12, 2016, 4:27 PM Carter Bullard <carter at qosient.com> wrote:
>> Hey Clay,
>> The filter that the ra* clients use is pretty efficient, but it's not intended for long filters … it is limited by some rather simple things imposed by our use of clib string operators (filter length) and of course, limitations with the complexity of the filter generated by lex / yacc, which can’t easily be worked around.
>> 
>> If you have a lot of addresses you want to filter against, use rafilteraddr.1.  It can handle millions of IP addresses, specified as single dot-notated addresses, ranges, CIDR addresses, and of course, names.  Put the list of addresses in a file and run rafilteraddr with the -f option …  Something like:
>> 
>>    rafilteraddr -r binfile -w ${server}.${name} -f List.Of.Thousands.Of.Malicious.Addrs
>> 
>> It's pretty fast.   Check out the manpage ….
>> 
>> Carter
>> 
>> 
>>> On Jul 12, 2016, at 6:19 PM, Clayton Hamilton via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>> 
>>> Hi all,
>>> 
>>> Asking for a friend (cc'd):
>>> 
>>> The below query works great as is. However, when the "iparray" array has more than ~250 IP addresses, it doesn't work. I can clearly see that it's running and attempts to pull files, but it fails. If the array has fewer than 250 IP addresses, it works fine and creates all the files based on the filter. This led me to believe there was a limit put on ra either in a .h file, a .conf file, or hardcoded into ra itself. Searching through as many .h and .conf files as I could find, I couldn't find any indication of a filter limitation that I could've changed.
>>> 
>>> Does anyone have answers for the questions below? Script provided below for reference:
>>> 
>>> 1. Does 'ra' have a limit on its filter, specifically with the 'net' option?
>>> 2. If it does have a limit, are we able to change the limit in a .conf or .h file?
>>> 3. If it has a limit hard coded into 'ra' itself, can we request the limit be lifted?
>>> 4. If there is no limit, I request this issue be entered as a bug, and to please fix with the next package update.
>>> 
>>> We have thousands of malicious IPs that I would love to input directly into a ra filter to read existing ra binaries. If we don't have to spend the time to split the array into 250 IP address chunks, it would save a great deal of time.
>>> 
>>> ---BEGIN---
>>> 
>>> date="20160710"
>>> iparray=(192.168.1.100 10.10.10.1)
>>> servers="AAA BBB"
>>> # Join the array into a ra filter expression: "ip1 or net ip2 or net ip3 ..."
>>> # (the leading "net" is supplied on the ra command line below)
>>> NETVAR=$(echo ${iparray[@]} | sed 's/ / or net /g')
>>> 
>>> for server in ${servers} ; do
>>>     # Run up to 4 ra processes in parallel, one per argus binary file
>>>     find /argusbinarypath/${server}/binary/${date} -type f -name "argusbinaryfilename*" -print0 |\
>>>     nice -15 xargs -0 -P4 -I binfile sh -c ' 
>>>     base=$(basename binfile)
>>>     name=${base##*/}
>>>     server=$(echo binfile | cut -d '/' -f5)
>>>     # Everything after "--" is the ra filter; NETVAR is spliced in from the outer shell
>>>     ra -L -1 -r binfile -w ${server}.${name} -- net '"${NETVAR}"' ' -- binfile
>>> done
>>> 
>>> ---END---
>>> 
>>> Thank you,
>>> Clay.
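Added example (not code from the thread or from the argus project): the original find/xargs layout rewritten around rafilteraddr -f as Carter suggests, so the address list lives in a file instead of a "net A or net B ..." chain that runs into ra's filter-length limit. It assumes the -f file holds one address per line (single IPs, CIDR blocks or names, per the description above; confirm the format in `man rafilteraddr` for your version), and the /argusbinarypath and argusbinaryfilename values are the placeholders from the original script.

```shell
#!/bin/sh
# Build a rafilteraddr address file from a list of addresses given as
# arguments: one entry per line, blanks skipped, duplicates removed.
# Assumption: rafilteraddr -f expects one address per line.
write_addr_list() {
    out=$1; shift
    : > "$out"
    for a in "$@"; do
        if [ -n "$a" ]; then
            printf '%s\n' "$a" >> "$out"
        fi
    done
    sort -u -o "$out" "$out"
}

# Number of entries in an address file (printed on stdout).
count_addrs() {
    grep -c . "$1"
}

# Same find/xargs pipeline as the original script, but each argus binary
# is filtered with rafilteraddr -f instead of ra -- net ... . The file
# name, server and list path are passed as positional parameters to the
# inner shell, which avoids the nested quoting of the original.
filter_binaries() {
    addrfile=$1; date=$2; shift 2
    for server in "$@"; do
        find "/argusbinarypath/${server}/binary/${date}" -type f \
             -name 'argusbinaryfilename*' -print0 |
        nice -15 xargs -0 -P4 -I binfile sh -c '
            base=$(basename "$1")
            rafilteraddr -r "$1" -w "$2.$base" -f "$3"
        ' sh binfile "$server" "$addrfile"
    done
}

# Invoke as "sh thisscript.sh run" once rafilteraddr is installed
# (`which rafilteraddr`); defining the functions alone has no side effects.
if [ "${1:-}" = run ]; then
    write_addr_list /tmp/malicious.addrs 192.168.1.100 10.10.10.1
    filter_binaries /tmp/malicious.addrs 20160710 AAA BBB
fi
```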