# # Argus Client Software # Copyright (c) 2000-2012 QoSient, LLC # All rights reserved. # # # RaLabel Configuration # # Carter Bullard # QoSient, LLC # # This configuration is a ralabel(1) configuration file. # # The concept is to provide a number of labeling strategies # with configuration capabilities for each of the labelers. # This allows the user to specify the order of the labeling, # which is provided to support hierarchical labeling. # # Here is a valid and simple configuration file. It doesn't do # anything in particular, but it is one that is used at some sites. # # Supported Labeling Strategies # Addresss Based Classification # Address based classifications involve building a patricia tree # that we can hang labels against. The strategy is to order the # address label configuration files, to develop a hierarchical # label scheme. # # IANA IPv4 and IPv6 Address Classification Labeling # # The type of IP network address can be used by many analysis # programs to make decisions. While IANA standard classifications # don't change, this type of classification should be extendable # to allow local sites to provide additional labeling capabilities. #RALABEL_IANA_ADDRESS=yes #RALABEL_IANA_ADDRESS_FILE="/home/sebas/calipso/aplics/traffic-analisis/argus/argus-clients-3.0.7.7/support/Config/iana-address-file" #RALABEL_IANA_ADDRESS_FILE="/home/sebas/calipso/aplics/traffic-analisis/argus/argus-clients-3.0.7.7/support/Config/iana-ipv4-address" # Addresss Based Country Code Classification # Address based country code classification leverages the feature # where ra* clients cant print country codes for the IP addresses # that are in a flow record. Country codes are generated from the ARIN # delegated address space files. Specify the location of your # DELEGATED_IP file here, or in your .rarc file (which is default). # # Unlike the GeoIP based country code labeling, these codes can be sorted # filtered and aggregated, so if you want to do that type of operations # with country codes, enable this feature here. # #RALABEL_ARIN_COUNTRY_CODES=yes #RA_DELEGATED_IP="/home/sebas/calipso/aplics/traffic-analisis/argus/argus-clients-3.0.7.7/support/Config/delegated-ipv4-latest" # BIND Based Classification # BIND services provide address to name translations, and these # reverse lookup strategies can provide FQDN labels, or domain # labels that can be added to flow. The IP addresses that can be # 'labeled' are the saddr, daddr, or inode. Keywords "yes" and "all" # are synonomous and result in labeling all three IP addresses. # # Use this strategy to provide transient semantic enhancement based # on ip address values. # #RALABEL_BIND_NAME="all" # Port Based Classification # Port based classifications involves simple assignment of a text # label to a specific port number. While IANA standard classifications # are supported throught the Unix /etc/services file assignments, # and the basic "src port" and "dst port" ra* filter schemes, # this scheme is used to enhance/modify that labeling strategy. # The text associated with a port number is placed in the metadata # label field, and is searched using the regular expression searching # strategies that are available to label matching. # # Use this strategy to provide transient semantic enhancement based # on port values. # #RALABEL_IANA_PORT=yes #RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers" # Flow Filter Based Classification # Flow filter based classification uses the standard flow # filter strategies to provide a general purpose labeling scheme. # The concept is similar to racluster()'s fall through matching # scheme. Fall through the list of filters, if it matches, add the # label. If you want to continue through the list, once there is # a match, add a "cont" to the end of the matching rule. # RALABEL_ARGUS_FLOW=yes RALABEL_ARGUS_FLOW_FILE="ralabel-flowfilter.conf" # GeoIP Based Labeling # The labeling features can use the databases provided by MaxMind # using the GeoIP LGPL libraries. If your code was configured to use # these libraries, then enable the features here. # # GeoIP provides a lot of support for geo-location, configure support # by enabling a feature and providing the appropriate binary data files. # ASN reporting is done from a separate set of data files, obtained from # MaxMind.com, and so enabling this feature is independent of the # traditional city data available. # #RALABEL_GEOIP_ASN=yes #RALABEL_GEOIP_ASN_FILE="/usr/share/ntop/GeoIPASNum.dat" #RALABEL_GEOIP_V6_ASN_FILE="/home/sebas/calipso/aplics/traffic-analisis/argus/GeoIPASNumv6.dat" # # Data for city relevant data is enabled through enabling and configuring # the city database support. The types of data available are: # country_code, country_code3, country_name, region, city, postal_code, # latitude, longitude, metro_code, area_code and continent_code. # time_offset is also available. # # The concept is that you should be able to add semantics for any # IP address that is in the argus record. Support addresses are: # # saddr, daddr, inode # # The labels provided will be tagged as: # scity, dcity, icity # # To configure what you want to have placed in the label, use the list of # objects, in whatever order you like, as the RALABEL_GEOPIP_CITY string # using these keywords: # cco - country_code # cco3 - country_code3 # cname - country_name # reg - region # city - city # pcode - postal_code # lat - latitude # long - longitude # metro - metro_code # area - area_code # cont - continent_code # off - GMT time offset # # Working examples could be: # RALABEL_GEOIP_CITY="saddr,daddr:lat/lon" # RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon" # #RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon" #RALABEL_GEOIP_CITY_FILE="/usr/share/GeoIP/GeoIP.dat" #RALABEL_GEOIP_V6_CITY_FILE="/usr/share/GeoIP/GeoIPv6.dat"