Re: racluster error when using -m none

Hey Pengiran,
racluster() with the "-m none" option should be an error, as there is no aggregation.
racluster() will use a lot of cycles and do nothing with this option.  Just my opinion,
but I think they should complain.

Other pure aggregators should also complain.  While rasqlinsert() and ratop()
offer aggregation, aggregation is not their primary function, so being able to
turn aggregation on and off is supported/required.

So what are you trying to do?

Carter

On Jan 29, 2010, at 10:58 PM, pengiran Awang wrote:

> hello..
> 
> I wanted to turn off the aggregation function so that i will get the data store with out aggregaton. 
> 
> but when i'm using the "-m none" option, i got this error.
> 
> shell> racluster -r argus-id1 -m none
> racluster[13247]: 11:47:16.739104 ArgusClientInit: ArgusNewAggregator error
> 
> 
> when using racluster without "-m none", i got the output on my screen.
> 
> please advice.
> 
> regards,

Re: racluster error when using -m none

Hi pengiran,

IMHO, rather than trying to turn off the aggregation function of racluster using -m none; why not just use
"ra" instead?
That should return you the data stored in your argus file/stream without any aggregation and at the same
time should still support any type of ra* options you have included in your racluster command.

Is there a specific reason you're not using ra for this purpose?

Best regards,
Benet Leong.
ComWorth Co., Ltd.

On Feb 1, 2010, at 11:03 AM, Carter Bullard wrote:

> Hey Pengiran,
> racluster() with the "-m none" option should be an error, as there is no aggregation.
> racluster() will use a lot of cycles and do nothing with this option.  Just my opinion,
> but I think they should complain.
> 
> Other pure aggregators should also complain.  While rasqlinsert() and ratop()
> offer aggregation, aggregation is not their primary function, so being able to
> turn aggregation on and off is supported/required.
> 
> So what are you trying to do?
> 
> Carter
> 
> On Jan 29, 2010, at 10:58 PM, pengiran Awang wrote:
> 

Re: flocon 2010 presentations on the web

On Fri, Jan 22, 2010 at 02:00:43PM -0500, Carter Bullard wrote:
> Gentle people,
> I've updated the argus home page and I've put a list of what I was going
> to do for version 3.0.4.  If you have any ideas, I'd love to include them!!!
> 
<snip>

	We need to fix argusarchive. The one in 3.0.2 is broken and currenly
doesn't seem to do much of anything. I've attached a copy of mine, but it may
have too many bells and whistles for your taste . The one I find most 
useful (at this has been used for years by the traffic scripts) is to use
a file to remember the start time of the data file and use that for the 
archive. The effect of this is that all the files for a day appear in the 
directory for that day rather than starting with the file from 23:00 to 
midnight of the previous day and ending at 23:00 but it does require the
files to keep state (and funny file names to allow for restarts). In any case
attached for consideration. 

Peter Van Epp

#!/bin/sh
#  Argus Software
#  Copyright (c) 2000-2009 QoSient, LLC
#  All rights reserved.
# 
#  QoSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
#  SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
#  FITNESS, IN NO EVENT SHALL QoSIENT, LLC BE LIABLE FOR ANY

rafilteraddr issue

Hello all,

I'm attempting to use rafilteraddr and I must be using it wrong, but there 
isn't any authorative documentation on it.  I'm using argus-clients-3.0.2 
from http://qosient.com/argus/dev/ from the tarball dated 1/26/10.

Right now I'm just attemping to take a file and filter it to get a smaller 
subset of records.  My source file has only a handful of records and 
contains my targeted IP.

I'm running:
rafilteraddr -f filtertest.txt -r /data/argusinput -w /data/argusoutput

with a file containing my one target address.  If I try this command with 
the one line '192.168.1.1' or '192.168.1.1/32', I get the records I 
expect.

If I try '192.168.1.0/24', I get no records back at all that I should.

If I use -vf to invert my results, I get similar behavior.  Filters using 
the /24 are ignored, but entries with the /32 are processed correctly.

If I put more than one record in my filter list, mixing /24s and /32s, the 
/24 records are ignored and the /32s are processed correctly.

Could something be parsing the file wrong?  or am I doing something wrong?

Thanks,
Phil

Re: rafilteraddr issue

Hey Phillip,
rafilteraddr() should do the right thing.
I'll take a look tonight to see if its straightforward.

Carter 

------Original Message------
From: Phillip G Deneault
Sender: argus-info-bounces+carter=qosient.com <at> lists.andrew.cmu.edu
To: Argus
Subject: [ARGUS] rafilteraddr issue
Sent: Feb 3, 2010 10:09 PM

Hello all,

I'm attempting to use rafilteraddr and I must be using it wrong, but there 
isn't any authorative documentation on it.  I'm using argus-clients-3.0.2 
from http://qosient.com/argus/dev/ from the tarball dated 1/26/10.

Right now I'm just attemping to take a file and filter it to get a smaller 
subset of records.  My source file has only a handful of records and 
contains my targeted IP.

I'm running:
rafilteraddr -f filtertest.txt -r /data/argusinput -w /data/argusoutput

with a file containing my one target address.  If I try this command with 
the one line '192.168.1.1' or '192.168.1.1/32', I get the records I 
expect.

Re: rafilteraddr issue

Hey Carter

Thanks for looking at it... any luck yet?

Phil

On 2/3/2010 10:23 PM, carter <at> qosient.com wrote:
> Hey Phillip,
> rafilteraddr() should do the right thing.
> I'll take a look tonight to see if its straightforward.
> 
> Carter 
> 
> ------Original Message------
> From: Phillip G Deneault
> Sender: argus-info-bounces+carter=qosient.com <at> lists.andrew.cmu.edu
> To: Argus
> Subject: [ARGUS] rafilteraddr issue
> Sent: Feb 3, 2010 10:09 PM
> 
> Hello all,
> 
> I'm attempting to use rafilteraddr and I must be using it wrong, but there 
> isn't any authorative documentation on it.  I'm using argus-clients-3.0.2 
> from http://qosient.com/argus/dev/ from the tarball dated 1/26/10.
> 
> Right now I'm just attemping to take a file and filter it to get a smaller 
> subset of records.  My source file has only a handful of records and 
> contains my targeted IP.
> 

Re: rafilteraddr issue

Hey Phillip,
Sorry I haven't responded!!!  So here is where I am on this:

Its not a bug, by default rafilteraddr() matches only exact matches,
and CIDR matches are, of course, not exact matches.

But this, of course, is not what we want.  I believe that I have a solution,
but I need to test it out a bit.

As a work around, I might suggest that you use ralabel() to do what you
want.  As an example, using the sample ralabel.conf and iana-address-file
from the ./support/Config directory in the client distribution, you can take your
address list, and have it insert the label "match" into the flow stream, and
then use ra() to find flows that have the label "match" in them:

   ralabel -f ralabel.conf -r /data/argusinput -w - | ra -M label=match

The ralabel.conf file contains:
   RALABEL_IANA_ADDRESS=yes
   RALABEL_IANA_ADDRESS_FILE="filtertest.txt"

and your filtertest.txt file contains:

   192.168.1.0/24   match

You can make this much more complicated, and so much more than just
filtering with these schemes.   Hopefully it will provide you with a workaround
until I get the fix in. I should have a solution for rafilteraddr() by the weekend?

What do you think?

Re: rafilteraddr issue

On 2/5/2010 2:03 PM, Carter Bullard wrote:
> What do you think?

I think it might be a better solution than using rafilteraddr for what I
ultimately am trying to do. 

I guess I picked rafilteraddr because I was pondering the differences in
speed that would come from a large set of facts to try to match against,
per your comment here:
http://thread.gmane.org/gmane.network.argus/5341/focus=5344

but since I could label flows as they came in, then the processing load
for the label marking would be distributed and the processing load for
the data querying would be limited to just a few columns in the ra
files.  Do you agree?

Thanks!
Phil

On 2/5/2010 2:03 PM, Carter Bullard wrote:
> Hey Phillip,
> Sorry I haven't responded!!!  So here is where I am on this:
> 
> Its not a bug, by default rafilteraddr() matches only exact matches,
> and CIDR matches are, of course, not exact matches.
> 
> But this, of course, is not what we want.  I believe that I have a solution,
> but I need to test it out a bit.
> 
> As a work around, I might suggest that you use ralabel() to do what you

Re: rafilteraddr issue

Re: flocon 2010 presentations on the web

Hey Peter,
I'll add it to the argus-3.0.3 tree.  Do we need any documentation?
Carter

On Feb 2, 2010, at 4:28 PM, Peter Van Epp wrote:

> On Fri, Jan 22, 2010 at 02:00:43PM -0500, Carter Bullard wrote:
>> Gentle people,
>> I've updated the argus home page and I've put a list of what I was going
>> to do for version 3.0.4.  If you have any ideas, I'd love to include them!!!
>> 
> <snip>
> 
> 	We need to fix argusarchive. The one in 3.0.2 is broken and currenly
> doesn't seem to do much of anything. I've attached a copy of mine, but it may
> have too many bells and whistles for your taste . The one I find most 
> useful (at this has been used for years by the traffic scripts) is to use
> a file to remember the start time of the data file and use that for the 
> archive. The effect of this is that all the files for a day appear in the 
> directory for that day rather than starting with the file from 23:00 to 
> midnight of the previous day and ending at 23:00 but it does require the
> files to keep state (and funny file names to allow for restarts). In any case
> attached for consideration. 
> 
> Peter Van Epp
> 
> 
> <argusarchive.new>