MaxMind GeoIP support in 3.0.8.2

David Edelman dedelman at iname.com
Fri Sep 28 16:02:27 EDT 2018 

-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 

The data file for GeoIP ASN reporting is different from the one used for geolocation, you might want to verify that they are both available and specified correctly.

  

- --Dave 

  

From: Argus-info <argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu> On Behalf Of Carter Bullard 
Sent: Friday, September 28, 2018 2:37 PM 
To: Kevin Branch <kevin at branchnetconsulting.com> 
Cc: Argus <argus-info at lists.andrew.cmu.edu> 
Subject: Re: [ARGUS] MaxMind GeoIP support in 3.0.8.2 

  

Hey Kevin, 

If you do a ./configure —help you’ll see all the options that ./configure supports.  If you specify —with-GeoIP it wants the directory where the GeoIP library is.

  —with-GeoIP=DIR. compile with GeoIP in <dir> 

  

You can check if the library is bound to the client binaries with ldd … 

   ldd `which ralabel` 

  

If you’re already bound, the city stuff should work ….  I’m not familiar with “reg,cco” as GeoIP City objects off the top of my head.  I’m familiar with “off,cont,lat,lon,region,city,cname”.  Maybe try lat,lon as a test, as I use that all the time ..

  

Carter 

 

  






        On Sep 28, 2018, at 1:59 PM, Kevin Branch <kevin at branchnetconsulting.com <mailto:kevin at branchnetconsulting.com> > wrote:

         

        Hi Carter, 

         

        I was just trying today to make ralabel on argus 3.0.8.2 do GeoIP labeling with GeoIPCity.dat, but even though the file referred to in ralabel.conf for that purpose exists, no GeoIP labeling takes place.    ASN lookups work great, but ralabel never adds any scity or dcity fields.

         

        My ralabel.conf: 

         

                RALABEL_ARIN_COUNTRY_CODES=no 

                 

                RALABEL_GEOIP_ASN=yes 

                RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat" 

                 

                RALABEL_GEOIP_CITY="reg,cco" 

                RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat" 

         

        No errors are thrown by ralabel.  I thought maybe I needed to specially compile in GeoIP support like I read about here:   https://qosient.com/argus/geolocation.shtml

        but when I run "./configure --with-GeoIP=yes" it throws this error: 

                configure: WARNING: unrecognized options: --with-GeoIP 

        However, I presume the fact that ASN lookups work means that MaxMind GeoIP support libraries are already installed, and presumably installed by default in the latest argus now.

         

        # ra -r /argus/today/unt-01.arg -w - | ralabel -f /etc/ralabel.conf -r - -s sas,das,scity,dcity,icity | head -n20

           sAS    dAS 

          4323 

          4323 

          4323 

         22927   4323 

          6582   4323 

          7018   4323 

          4323      3 

          4323 

          4323  15169 

          4323 

          4323 

          4323  15169 

          4323  21928 

          2828   4323 

         

        Any thoughts on what I am missing or how I might further debug this issue? 

         

        Thanks! 

        Kevin 

  
-----BEGIN PGP SIGNATURE----- 

iF0EARECAB0WIQQP+UHquEepll566aqXCCyZOY1FIQUCW66IvgAKCRCXCCyZOY1F 
IfmBAJ0Sr4+1sag0uXhEst98XK8tdzVlIgCgspjX7wOpB4YHe+Q37LyjYv8BVn4= 
=cPsJ 
-----END PGP SIGNATURE----- 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180928/6bae33dd/attachment.html>

More information about the argus mailing list