MaxMind GeoIP support in 3.0.8.2

Carter Bullard carter at qosient.com
Sat Sep 29 11:18:38 EDT 2018


Hey Kevin,
Any success ???
Carter

	 	
Carter Bullard • CTO
150 E 57th Street Suite 12D
New York, New York 10022-2795
Phone +1.212.588.9133 • Mobile +1.917.497.9494

> On Sep 28, 2018, at 9:40 PM, David Edelman <dedelman at iname.com> wrote:
> 
> Please try this:
> 
> # ra -r /argus/today/unt-01.arg -w - | ralabel -f /etc/ralabel.conf -r - -s label:200  -N20
> 
>  
> 
> From: Argus-info <argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu> On Behalf Of Kevin Branch 
> Sent: Friday, September 28, 2018 5:25 PM 
> To: Carter Bullard <carter at qosient.com> 
> Cc: Argus <argus-info at lists.andrew.cmu.edu> 
> Subject: Re: [ARGUS] MaxMind GeoIP support in 3.0.8.2
> 
>  
> 
> Looks like GeoIP is linked in already:
> 
> # ldd `which ralabel`
>         linux-vdso.so.1 =>  (0x00007ffddaf8a000)
>         libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f5fe67c9000)
>         libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f5fe65ab000)
>         libGeoIP.so.1 => /usr/lib/x86_64-linux-gnu/libGeoIP.so.1 (0x00007f5fe637c000)
>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5fe5fb3000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f5fe6acf000)
> 
> I switched to just "lat,lon" like you suggested in ralabel.conf:
> 
> # cat /etc/ralabel.conf
>         RALABEL_ARIN_COUNTRY_CODES=no
> 
>         RALABEL_GEOIP_ASN=yes
>         RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
> 
>         RALABEL_GEOIP_CITY="lat,lon"
>         RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"
> 
> But I don't see anything but ASNs getting added in:
> 
> # ra -r /argus/today/unt-01.arg -w - | ralabel -f /etc/ralabel.conf -r - -s sas,das,scity,dcity,icity | head -n20
>    sAS    dAS
>   4323
>   4323
>   4323
>  22927   4323
>   6582   4323
>   7018   4323
>   4323      3
>   4323
>   4323  15169
>   4323
>   4323
>   4323  15169
>   4323  21928
>   2828   4323
> 
> Thoughts?
> 
> Kevin
> 
> On Fri, Sep 28, 2018 at 2:36 PM Carter Bullard <carter at qosient.com> wrote:
> 
>         Hey Kevin,
> 
>         If you do a ./configure --help you’ll see all the options that ./configure supports.  If you specify --with-GeoIP it wants the directory where the GeoIP library is.
> 
>           --with-GeoIP=DIR  compile with GeoIP in <dir>
> 
>         You can check if the library is bound to the client binaries with ldd …
> 
>            ldd `which ralabel`
> 
>         If you’re already bound, the city stuff should work ….  I’m not familiar with “reg,cco” as GeoIP City objects off the top of my head.  I’m familiar with “off,cont,lat,lon,region,city,cname”.  Maybe try lat,lon as a test, as I use that all the time ..
> 
>         Carter
> 
>                 On Sep 28, 2018, at 1:59 PM, Kevin Branch <kevin at branchnetconsulting.com> wrote:
> 
>                 Hi Carter,
> 
>                 I was just trying today to make ralabel on argus 3.0.8.2 do GeoIP labeling with GeoIPCity.dat, but even though the file referred to in ralabel.conf for that purpose exists, no GeoIP labeling takes place.  ASN lookups work great, but ralabel never adds any scity or dcity fields.
> 
>                 My ralabel.conf:
> 
>                         RALABEL_ARIN_COUNTRY_CODES=no
> 
>                         RALABEL_GEOIP_ASN=yes
>                         RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
> 
>                         RALABEL_GEOIP_CITY="reg,cco"
>                         RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"
> 
>                 No errors are thrown by ralabel.  I thought maybe I needed to specially compile in GeoIP support like I read about here: https://qosient.com/argus/geolocation.shtml
>                 but when I run "./configure --with-GeoIP=yes" it throws this error:
>                         configure: WARNING: unrecognized options: --with-GeoIP
>                 However, I presume the fact that ASN lookups work means that MaxMind GeoIP support libraries are already installed, and presumably installed by default in the latest argus now.
> 
>                 # ra -r /argus/today/unt-01.arg -w - | ralabel -f /etc/ralabel.conf -r - -s sas,das,scity,dcity,icity | head -n20
>                    sAS    dAS
>                   4323
>                   4323
>                   4323
>                  22927   4323
>                   6582   4323
>                   7018   4323
>                   4323      3
>                   4323
>                   4323  15169
>                   4323
>                   4323
>                   4323  15169
>                   4323  21928
>                   2828   4323
> 
>                 Any thoughts on what I am missing or how I might further debug this issue?
> 
>                 Thanks!
>                 Kevin
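Before reaching for David's `-s label:200` trick, it helps to rule out the two causes the thread turns on: a RALABEL_GEOIP_CITY keyword list ralabel may not recognise, and a database path that does not exist on disk. The script below is an added example, not argus's own code; it constructs its own sample ralabel.conf and assumes the keyword list Carter names is the accepted one.

```shell
#!/bin/sh
# Added example, not argus code: check a ralabel.conf for the two things this
# thread circles around (an unrecognised RALABEL_GEOIP_CITY keyword list and a
# GeoIP database path that does not exist), then confirm ralabel links libGeoIP.
# Assumes the keyword list Carter names (off,cont,lat,lon,region,city,cname).

# Constructed sample conf mirroring Kevin's first attempt ("reg,cco").
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
RALABEL_ARIN_COUNTRY_CODES=no
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
RALABEL_GEOIP_CITY="reg,cco"
RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"
EOF

# conf_get CONF KEY: value of KEY with surrounding quotes stripped
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tr -d '"' | head -n 1
}

# unknown_city_keys CONF: RALABEL_GEOIP_CITY keywords not in the known list
unknown_city_keys() {
    known=" off cont lat lon region city cname "
    out=""
    for k in $(conf_get "$1" RALABEL_GEOIP_CITY | tr ',' ' '); do
        case "$known" in
            *" $k "*) ;;
            *) out="$out $k" ;;
        esac
    done
    printf '%s' "${out# }"
}

# missing_db_files CONF: configured *_FILE paths that do not exist on disk
missing_db_files() {
    out=""
    for key in RALABEL_GEOIP_ASN_FILE RALABEL_GEOIP_CITY_FILE; do
        path=$(conf_get "$1" "$key")
        if [ -n "$path" ] && [ ! -f "$path" ]; then out="$out $path"; fi
    done
    printf '%s' "${out# }"
}
echo "unknown city keywords: $(unknown_city_keys "$SAMPLE_CONF")"
echo "missing database files: $(missing_db_files "$SAMPLE_CONF")"
# Same check Carter suggested, only if ralabel is installed here
if command -v ralabel >/dev/null 2>&1; then
    ldd "$(command -v ralabel)" | grep -q libGeoIP && echo "ralabel links libGeoIP"
fi
```

With Kevin's first conf the script reports `reg cco` as unknown keywords; with "lat,lon" it reports none, which narrows the remaining question to how the label is displayed.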