[ARGUS] Argus importing zeek data
Carter Bullard
carter at qosient.com
Sun Mar 27 11:51:30 EDT 2022
Gentle persons,
I’ve pushed new code to the GitHub openargus clients repo, https://github.com/openargus/clients , and bumped the version to 3.0.8.4.
This specific push adds foreign flow data imports using raconvert.1, and I’ve added a raconvert.zeek.conf that enables raconvert.1 to read zeek conn logs.
To convert a zeek conn log to argus binary:
% raconvert -f raconvert.zeek.conf -r zeek.conn.log -w argus.file
The provided raconvert.zeek.conf conversion map maps all of the zeek fields that I had available. The conversion map is pretty chunky, as you need to specify the allowed key, value pairs, specify types, and identify where in an argus record the data will go … If there isn’t a native argus attribute for the zeek field, say the “uid”, raconvert.1 can map the key, value pair to the argus label, which you can filter, search, etc ….
Converting zeek json data to argus binary reduces the size of the files by 2.5:1 or about 1/3rd. And gzip’d argus binaries are smaller than gzip’d json zeek.conn.logs, by around 1.3:1 … not much but it is not worse :O)
Converting the zeek logs to argus enables processing zeek data with argus client programs like racluster.1, say, if you want to generate baselines, or to generate different views. The clients enable you to add country codes and ASNs for addresses simply, and I like using rafilteraddr.1 with address lists from 3rd party intelligence like Firehol to check to see if the zeek data has any reputation hits ... and you can of course view the data with ratop.1 …
Please grab this client code and test it out, if interested …
I would love any opinions about the new GitHub software approach. If you have any suggestions, please email the list or me ...
Hope all is most excellent,
Carter
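The workflow described in the post, modelled in Python as an added example (this is not openargus code, and the mapping table below is this example's own layout, not the syntax of raconvert.zeek.conf): a zeek JSON conn.log is converted with a typed key, value map into argus-style flow records, zeek-only fields such as uid land in the argus label, the records are then aggregated racluster-style and checked rafilteraddr-style against a Firehol-layout CIDR list. The conn.log lines and the block list are constructed for the example, not captured data.

```python
"""Added example, not openargus code: model raconvert's zeek conn.log
conversion map, then racluster-style aggregation and a rafilteraddr-style
reputation check on the converted records."""
import json
import ipaddress

# Constructed zeek conn.log in JSON output format (not captured traffic).
SAMPLE_CONN_LOG = """\
{"ts":1648396290.12,"uid":"CAbc1x","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.5,"orig_bytes":1200,"resp_bytes":8400,"conn_state":"SF","orig_pkts":10,"resp_pkts":12}
{"ts":1648396291.00,"uid":"CDef2y","id.orig_h":"10.0.0.5","id.orig_p":51235,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.5,"orig_bytes":300,"resp_bytes":600,"conn_state":"SF","orig_pkts":4,"resp_pkts":4}
{"ts":1648396292.00,"uid":"CGhi3z","id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"198.51.100.9","id.resp_p":53,"proto":"udp","service":"dns","duration":0.01,"orig_bytes":60,"resp_bytes":120,"conn_state":"SF","orig_pkts":1,"resp_pkts":1}
"""

# Conversion map: zeek key -> (argus attribute, type). Keys absent here have
# no native argus attribute and are folded into the argus "label" field.
# This table's layout is the example's own, not raconvert.zeek.conf syntax.
ZEEK_TO_ARGUS = {
    "ts": ("stime", float),
    "duration": ("dur", float),
    "proto": ("proto", str),
    "id.orig_h": ("saddr", str),
    "id.orig_p": ("sport", int),
    "id.resp_h": ("daddr", str),
    "id.resp_p": ("dport", int),
    "orig_pkts": ("spkts", int),
    "resp_pkts": ("dpkts", int),
    "orig_bytes": ("sbytes", int),
    "resp_bytes": ("dbytes", int),
}
# zeek omits counters it never saw (e.g. no resp_bytes on a one-way flow).
NATIVE_DEFAULTS = {"dur": 0.0, "spkts": 0, "dpkts": 0, "sbytes": 0, "dbytes": 0}


def convert_line(line):
    """Map one zeek JSON conn record to an argus-style flow dict."""
    zeek = json.loads(line)
    rec = dict(NATIVE_DEFAULTS)
    labels = []
    for key, value in zeek.items():
        if key in ZEEK_TO_ARGUS:
            attr, cast = ZEEK_TO_ARGUS[key]
            rec[attr] = cast(value)
        else:
            # uid, service, conn_state, ... survive as key=value labels
            labels.append(f"{key}={value}")
    rec["label"] = ",".join(labels)
    return rec


def convert_log(text):
    return [convert_line(l) for l in text.splitlines() if l.strip()]


def cluster(records):
    """racluster-style aggregation: merge flows that share saddr, daddr,
    dport and proto (source port dropped), summing packet and byte counts."""
    agg = {}
    for r in records:
        key = (r["saddr"], r["daddr"], r["dport"], r["proto"])
        a = agg.setdefault(key, {"flows": 0, "spkts": 0, "dpkts": 0,
                                 "sbytes": 0, "dbytes": 0})
        a["flows"] += 1
        for f in ("spkts", "dpkts", "sbytes", "dbytes"):
            a[f] += r[f]
    return agg


def reputation_hits(records, cidr_lines):
    """rafilteraddr-style check: flows whose saddr or daddr falls inside an
    address list given as Firehol-style lines (one CIDR per line, '#' comments)."""
    nets = [ipaddress.ip_network(c.strip()) for c in cidr_lines
            if c.strip() and not c.lstrip().startswith("#")]
    hits = []
    for r in records:
        for side in ("saddr", "daddr"):
            addr = ipaddress.ip_address(r[side])
            if any(addr in n for n in nets):  # v4/v6 mismatch is simply False
                hits.append((r["label"], side, r[side]))
                break
    return hits


# Constructed block list in the one-CIDR-per-line netset layout.
SAMPLE_BLOCKLIST = ["# constructed list, not real intelligence", "198.51.100.0/24"]

if __name__ == "__main__":
    recs = convert_log(SAMPLE_CONN_LOG)
    for key, agg in cluster(recs).items():
        print(key, agg)
    print(reputation_hits(recs, SAMPLE_BLOCKLIST))
```

The label keeps the zeek uid, so a reputation hit on the aggregated or filtered argus side can still be pivoted back to the original zeek conn.log entry, which is the reason the post maps non-native fields into the label rather than dropping them.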