CS Lee | 1 Jun 08:02 2012

ralabel

hi Carter,


Have you updated ralabel? It doesn't seem to work on version 3.0.6.1. When I run

/usr/local/stow/argusc-3.0.6.1/bin/ralabel -f /nsmon/etc/ralabel.conf -S 10.10.10.1:561 -w - | ra -n -s stime proto saddr sport dir daddr dport state sco dco sas das
   12:28:55.523218    udp      1.2.3.4.64507    <->       15.15.15.15.53       CON
   12:28:55.597702    udp      1.2.3.4.32771    <-       2.3.4.5.53       RSP
   12:28:55.647515    udp      1.2.3.4.60581    <->       15.15.15.15.53       CON

You can see that nothing shows up; if I use 3.0.5.34, it seems to be working. My ralabel.conf has these few lines enabled:

RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/nsmon/file/delegated-ipv4-latest"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/nsmon/file/GeoIPASNum.dat"

Cheers!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
CS Lee | 1 Jun 12:04 2012

rasqlinsert

hi Carter,


I use rasqlinsert to insert the data into a MySQL database; however, when I check, it seems I have this issue:

mysql> select saddr,sport,daddr,dport from tbl_argus where proto='tcp' limit 10;
+-------------+-------+-------------+-------+
| saddr       | sport | daddr       | dport |
+-------------+-------+-------------+-------+
| %T.0.000000 | 1034  | %T.0.000000 | 64985 |
| %T.0.000000 | 1070  | %T.0.000000 | 59292 |
| %T.0.000000 | 1072  | %T.0.000000 | 46579 |
| %T.0.000000 | 1084  | %T.0.000000 | 10942 |
| %T.0.000000 | 10864 | %T.0.000000 | 80    |
| %T.0.000000 | 1104  | %T.0.000000 | 445   |
| %T.0.000000 | 1110  | %T.0.000000 | 51413 |
| %T.0.000000 | 11104 | %T.0.000000 | 80    |
| %T.0.000000 | 11105 | %T.0.000000 | 80    |
| %T.0.000000 | 11106 | %T.0.000000 | 80    |
+-------------+-------+-------------+-------+
10 rows in set (0.00 sec)

It was all right with the older version of rasqlinsert last time; this is really odd. And when using rasql it retrieves the data correctly:

rasql -r mysql://localhost/argusdb/argus_table -s saddr daddr
1.2.3.4 2.3.4.5
1.2.3.4 5.6.7.8

Maybe some conversion is done in between? I really need the data to be understood by the mysql command so that I can perform analysis using MySQL queries and reporting.

Cheers!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
Carter Bullard | 1 Jun 15:37 2012

Re: What happened to anomaly detection/packet dynamics? Are there clients?

Hey Matt,
Anomaly detection is a very large topic, but the principal concept in argus is to provide
a good number of generic tools, so you can build your own anomaly detectors.  So,
we use the Unix strategy of small programs (sorting, printing, filtering, translation, conversion,
aggregation) and piping, native file systems, curses examples, with dbm support etc……

So what anomaly do you want to detect ?  Do you want to know when a vital resource 
successfully transfers data to an address that is outside its normal group of machines?
Do you want to find out once a day, in real-time?

That's pretty trivial and we have multiple ways of doing it.   Use racluster() to build the
list of acceptable addresses from an argus archive (behavioral baselining) , then use
rafilteraddr() with that list, connected to a live argus data feed, to spit out records from
machines outside the group.  Pipe that to ra() with a decent filter, like " icmp or app bytes
gt 0 ", and you should get a list of machines outside the acceptable list that got responses
from your vital asset.

Or use rasqlinsert() to build a read only database of the historical IP addresses, or
you can use rasqlinsert() to dynamically insert IP addresses into a table of acceptable IPs.
Then use a modified rasqlinsert() with the "-M cache" option, to tell you when it would
want to INSERT a record, which is your alarm / alert that something outside the acceptable
group tried to touch your machine.  You can do that for IP's, ethernets, combinations of
both, or whatever.    Of course you would have to put some decent conditionals on this so you
would get a decent alarm, but its pretty straight forward.

But anomaly detection is different from analysis.  Anomaly detection is detection of
a condition outside of a normal state.  Analysis is not so specific.  I have to ask,
what do you want to analyze?

Secondary impact of DDoS on end system availability?  Well that is just racluster().
The presence of DDoS, well that isn't very interesting, but " what was the population
of IP's that were using this system, 20 minutes prior to the DDoS? "  Well that is 
rasql() (if you were doing the IP address strategy above) with a time filter, piped
into racluster() with a decent filter to pick out flows that are transferring data.
pipe that into racluster() to formulate the /24 CIDR network addresses, and you
should have a list of remote class C ip addresses that were good, which you can
blow into your firewall for a little while.

I suspect that there are hundreds of these things, especially if there are hundreds of sites.

But the important question to you is,  What do you want to do?

Many people want the project to tell them what to do, but in this space, IMHO, that
isn't really successful.  You need to have an idea of what is important to your specific
site, and then you find tools that can help you get there.

So, what do you want to do?

Carter

On May 31, 2012, at 10:51 AM, Matt Brown wrote:

Thanks for replying Carter.

I suppose I can't easily find any strategies.  Meaning, I've read a few papers on anomaly detection algorithms, and would love to use them.  However, I lack the deep mathematical and development skills to implement them.

So, I suppose I am actually asking where are the analysis tools?  Is there a repo qosient keeps?

Thanks again for the reply,

Matt Brown

On May 31, 2012 10:13 AM, "Carter Bullard" <carter <at> qosient.com> wrote:
Hey Matt,
Most people do their own thing.  We have lots of examples of things to do,
scan detection, access policy monitoring, covert channel detection, discovery detection,
asset inventory assessments, behavioral baselining, and with events, you have the
basic data for user / flow attribution etc……

So I think its happening.  What do you expect to see that you aren't seeing?

Carter

On May 30, 2012, at 8:12 PM, Matt Brown wrote:

Hello all,

After some research, it's quite obvious that argus output can be used as input for anomaly detection.

Carter was involved in a presentation at flocon 2012 that mentions a few cases of analysis: http://www.cert.org/flocon/2012/presentations/bullard-gerth-implementing-packet-dynamic-awareness-argus.pdf

I also see that argus is mentioned in another presentation at cmu: http://www.andrew.cmu.edu/user/gnychis/imcfp04-nychis-slides.pdf


What ever happened to this?  Are there any plans to write a client that can perform some simple anomaly or other analysis?


Thanks,

Matt
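
The racluster() -> rafilteraddr() -> ra() pipeline Carter sketches above (baseline the peers of a vital asset, screen the live feed against that list, keep only flows the asset actually answered, roll the rest up to /24s) re-implemented in plain Python as an added example. This is not argus code and not part of the original thread; it runs over constructed records laid out like `ra -s stime proto saddr sport dir daddr dport appbytes` output so it works without an argus feed. The asset address 10.0.1.5, the sample records and that column order are all assumptions made for the demonstration.

```python
"""Behavioral baselining over flow records: an added example of the
racluster() -> rafilteraddr() -> ra() pipeline, not argus code.  The asset
address, the records and the column layout are assumptions."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical "vital asset" whose peers we baseline.
ASSET = ipaddress.ip_address("10.0.1.5")

# Constructed archive window: who talked to the asset earlier (racluster input).
ARCHIVE = [
    "12:00:01.000000 tcp  192.168.7.20 51000 ->  10.0.1.5   443 5120",
    "12:00:02.000000 tcp  192.168.7.21 51001 ->  10.0.1.5   443 2048",
    "12:00:03.000000 udp  10.0.1.5     52057 <-> 198.41.0.4  53  540",
    "12:00:04.000000 tcp  203.0.113.9  40000 ->  10.0.1.5   443    0",  # SYN only: no data, not a peer
]

# Constructed live feed to screen against that baseline.
LIVE = [
    "13:00:01.000000 tcp  192.168.7.20 51100 ->  10.0.1.5    443 4096",  # known peer
    "13:00:02.000000 tcp  203.0.113.9  40010 ->  10.0.1.5    443    0",  # scan, no response data
    "13:00:03.000000 tcp  203.0.113.44 40011 ->  10.0.1.5     22 1300",  # outside baseline, data moved
    "13:00:04.000000 icmp 203.0.113.45     0 ->  10.0.1.5      0    0",  # icmp from outside
    "13:00:05.000000 tcp  198.51.100.7  1234 ->  10.0.1.5   3389  900",  # outside baseline, data moved
    "13:00:06.000000 tcp  172.16.0.9    2222 ->  172.16.0.10  80  100",  # asset not involved
]


@dataclass(frozen=True)
class Flow:
    stime: str
    proto: str
    saddr: ipaddress.IPv4Address
    sport: int
    direction: str
    daddr: ipaddress.IPv4Address
    dport: int
    appbytes: int  # application bytes in both directions (argus "appbytes")


def parse_ra_line(line: str) -> Flow:
    """Parse one whitespace-separated record in the assumed column order."""
    f = line.split()
    return Flow(f[0], f[1], ipaddress.ip_address(f[2]), int(f[3]), f[4],
                ipaddress.ip_address(f[5]), int(f[6]), int(f[7]))


def remote_peer(flow: Flow, asset=ASSET):
    """The non-asset end of the flow, or None when the asset is not involved."""
    if flow.saddr == asset:
        return flow.daddr
    if flow.daddr == asset:
        return flow.saddr
    return None


def responded(flow: Flow) -> bool:
    """Carter's ra() filter, 'icmp or app bytes gt 0': the asset actually answered."""
    return flow.proto == "icmp" or flow.appbytes > 0


def build_baseline(records, asset=ASSET) -> set:
    """Step 1 (racluster): the set of addresses that exchanged data with the asset."""
    peers = set()
    for flow in map(parse_ra_line, records):
        peer = remote_peer(flow, asset)
        if peer is not None and responded(flow):
            peers.add(peer)
    return peers


def outside_baseline(records, baseline, asset=ASSET) -> list:
    """Steps 2 and 3 (rafilteraddr + ra): live flows from unknown peers that got a response."""
    alerts = []
    for flow in map(parse_ra_line, records):
        peer = remote_peer(flow, asset)
        if peer is not None and peer not in baseline and responded(flow):
            alerts.append(flow)
    return alerts


def aggregate_slash24(flows, asset=ASSET) -> dict:
    """racluster-style /24 rollup of offending peers, keyed 'a.b.c.0/24' -> flow count."""
    counts = Counter()
    for flow in flows:
        net = ipaddress.ip_network(f"{remote_peer(flow, asset)}/24", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    baseline = build_baseline(ARCHIVE)
    for flow in outside_baseline(LIVE, baseline):
        print(f"ALERT {flow.stime} {flow.proto} {flow.saddr}:{flow.sport} -> "
              f"{flow.daddr}:{flow.dport} appbytes={flow.appbytes}")
    print(aggregate_slash24(outside_baseline(LIVE, baseline)))
```

The scan from 203.0.113.9 never becomes an alert because no application data moved, which is exactly what the "app bytes gt 0" filter buys you: unanswered probes stay out of the list, and only peers the asset actually talked to are rolled up for the firewall.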


Carter Bullard | 1 Jun 16:07 2012

Re: Issue with Argus-3-0-6 server over CYGWIN (Windows XP)

Hey Cristian,
I apologize that I have not been in a position to test your problem yet.
I should have access to a windows machine on monday, and should be
able to test then.

Sorry for any inconvenience.

Carter

On May 29, 2012, at 1:45 PM, Carter Bullard wrote:

Well, I'll work on this tomorrow, and try to figure out what happened to CYGWIN.
Sorry for the delay.

Do send the email to the argus mailing list, rather than argus <at> qosient.com.
I don't check that email queue very often, and rarely respond,

Carter

On May 29, 2012, at 1:40 PM, Cristian G. Farias wrote:


Thanks Carter,

It doesn't work:

CTI4121 <at> 9XFMDG1 ~
$ argus -i 1 -r CM_mezclado.pcap -w salida.arg
argus: PID 7304: 29 May 12 14:36:56.234375 setArgusDevice: no interfaces

CTI4121 <at> 9XFMDG1 ~
$ argus -i 2 -r CM_mezclado.pcap -w salida.arg
argus: PID 9860: 29 May 12 14:37:22.593750 setArgusDevice: no interfaces

CTI4121 <at> 9XFMDG1 ~
$ argus -i 3 -r CM_mezclado.pcap -w salida.arg
argus: PID 480: 29 May 12 14:37:29.593750 setArgusDevice: no interfaces

CTI4121 <at> 9XFMDG1 ~
$ argus -i 4 -r CM_mezclado.pcap -w salida.arg
argus: PID 3208: 29 May 12 14:37:36.187500 setArgusDevice: no interfaces

CTI4121 <at> 9XFMDG1 ~
$ argus -i 0 -r CM_mezclado.pcap -w salida.arg
argus: PID 5340: 29 May 12 14:37:42.718750 setArgusDevice: no interfaces

C


From: Carter Bullard [mailto:carter <at> qosient.com]
Sent: Tuesday, May 29, 2012 02:15 p.m.
To: Cristian G. Farias
Subject: Re: Issue with Argus-3-0-6 server over CYGWIN (Windows XP)

 

Hey Cristian,
Sorry for the delayed response.  You need to send these to the argus mailing list to get
a reasonable response.  Did you try adding an interface number?

   ./bin/argus -i 1 -r …….

Carter

 

On May 15, 2012, at 4:22 PM, Cristian G. Farias wrote:



Carter,

I built argus-3.0.4 in CYGWIN (Windows XP), but it shows me the same output:

$ pwd
/argus-3.0.4

$ ./bin/argus -r /home/cti4121/CM_mezclado.pcap -w /home/cti4121/salida.arg
argus: PID 9892: 15 May 12 17:19:55.921875 setArgusDevice: no interfaces

Regards,

 

 

From: Carter Bullard [mailto:carter <at> qosient.com]
Sent: Tuesday, May 15, 2012 11:47 a.m.
To: Cristian G. Farias
CC: argus <at> qosient.com
Subject: Re: Issue with Argus-3-0-6 server over CYGWIN (Windows XP)

I'm sorry for the inconvenience, but I'll have to work on this tomorrow.
I didn't test the Cygwin stuff at all, and didn't realize we had broken it
before it went out.

argus-3.0.4 should work fine, however, and the argus-clients-3.0.6 work
very well with that version of argus.

Carter

 

On May 14, 2012, at 9:54 PM, Cristian G. Farias wrote:




Carter,

It shows me the error and returns me to the prompt:

$ pwd
/argus-3.0.6

$ ./bin/argus -Xr /home/cti4121/CM_mezclado.pcap -w /home/cti4121/salida.arg
argus: PID 8900: 14 May 12 22:53:06.203125 setArgusDevice: no interfaces

Regards,


-----Original Message-----
From: Carter Bullard [mailto:carter <at> qosient.com]
Sent: Monday, May 14, 2012 06:27 p.m.
To: Cristian G. Farias
CC: argus <at> qosient.com
Subject: Re: Issue with Argus-3-0-6 server over CYGWIN (Windows XP)

Hey Christian,
To run this command you shouldn't need anything defined in the argus.conf
for the interface.  What does this do?

  ./bin/argus -Xr /home/cti4121/CM_mezclado.pcap -w /home/cti4121/salida.arg

Carter


On May 14, 2012, at 3:32 PM, Cristian G. Farias wrote:



Ok Carter,

I changed the following line in the file /etc/argus.conf, trying values in the range 1 to 5:

ARGUS_INTERFACE=1

But when executing the argus command, it responds in the same way as below:

$ pwd
/argus-3.0.6

$ ./bin/argus -r /home/cti4121/CM_mezclado.pcap -w /home/cti4121/salida.arg
argus: PID 6868: 14 May 12 16:28:50.203125 setArgusDevice: no interfaces

 

 

 

From: Carter Bullard [mailto:carter <at> qosient.com]
Sent: Monday, May 14, 2012 04:01 p.m.
To: Cristian G. Farias
CC: argus <at> qosient.com
Subject: Re: Issue with Argus-3-0-6 server over CYGWIN (Windows XP)

 

Hmmmm, yes, I see the problem.  I'll have to make some code changes to
turn that back on.

There are 2 ways to specify interfaces in argus.conf or on the command line.
either through the standard interface name, which you can find in the registry, or
using the index number of the interface.  For example, in my argus.conf on my
Windows 7 machine, the entry is:

ARGUS_INTERFACE=1

This is the wireless interface on my laptop.  Try using a few index numbers
until I can turn on interface reporting again.

Carter

 

 

 

On May 14, 2012, at 2:06 PM, Cristian G. Farias wrote:

 

 

Carter,

I have built the Argus server 3.0.6 on CYGWIN (Windows XP),
but when I execute argus.exe it doesn't display the interface number (it displays nothing).
I don't have /etc/argus.conf.

In some post I found you recommended adding this patch.
I replaced the following line in argus_code.c:

        FD_ZERO (&readmask);

With the following code you posted:

       found = 0;
       up = 0;
       FD_ZERO(&ArgusReadMask);

       /* count the interfaces whose pcap handle has a usable descriptor */
       for (i = 0; i < src->ArgusInterfaces; i++) {
          if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) >= 0)) {
             found++;
             wait.tv_sec = 0; wait.tv_usec = 200000;   /* 200 ms select() timeout */
          }
          if (!found)   /* as posted: stops at the first interface without a descriptor */
             break;
       }

But the result is the same:

 

 

 

 

$ pwd
/argus-3.0.6

$ ./bin/argus
argus: PID 7084: 14 May 12 15:05:27.953125 started

$ gdb bin/argus
GNU gdb (GDB) 7.3.50.20111026-cvs (cygwin-special)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-cygwin".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /argus-3.0.6/bin/argus...done.
(gdb) run
Starting program: /argus-3.0.6/bin/argus
[New Thread 4012.0x1230]
[New Thread 4012.0x1d10]
[New Thread 4012.0x13d0]
[New Thread 4012.0x11fc]
[New Thread 4012.0x23cc]
argus: PID 4012: 14 May 12 15:04:13.031250 started
[New Thread 4012.0x14a8]
[Inferior 1 (process 4012) exited normally]
(gdb) Quit
(gdb)

 

 

 

 

 

 

Cristian,

 

 

 

*******************************************************************************************

This message and any attachments are for exclusive usage of an addressee and may contain confidential or privileged information whose disclosure is subject to penalty by law.

If you are not the addressee, please notify the sender by return e-mail, delete the original message and destroy any existing copy no matter if printed or recorded.

Any opinions contained in this e-mail are those of the author of the message and do not necessarily coincide with those of Claro or its shareholders. No part of this message or attachments may be used or reproduced in any manner whatsoever.

*******************************************************************************************

 

 

 

 

 



Carter Bullard | 1 Jun 16:12 2012

Re: rasqlinsert

Hey CS Lee,
So, this would be a bug.  rasql() reads the argus record that is stored in the
data base, which is good data, but looks like the strings to print out the saddr
and daddr attributes for the database table are messed up.

Because the argus data is good, recovering the database should be easy.

   rasql -r mysql://localhost/argusdb/argus_table -w argus.data
   rasqlinsert -r argus.data -w mysql://localhost/testdb/argus_table -s srcid saddr sport daddr dport proto

How are you calling rasqlinsert, and what are the print fields in your .rarc ?

Carter

On Jun 1, 2012, at 6:04 AM, CS Lee wrote:

hi Carter,

I use rasqlinsert to insert the data into a MySQL database; however, when I check, it seems I have this issue:

mysql> select saddr,sport,daddr,dport from tbl_argus where proto='tcp' limit 10;
+-------------+-------+-------------+-------+
| saddr       | sport | daddr       | dport |
+-------------+-------+-------------+-------+
| %T.0.000000 | 1034  | %T.0.000000 | 64985 |
| %T.0.000000 | 1070  | %T.0.000000 | 59292 |
| %T.0.000000 | 1072  | %T.0.000000 | 46579 |
| %T.0.000000 | 1084  | %T.0.000000 | 10942 |
| %T.0.000000 | 10864 | %T.0.000000 | 80    |
| %T.0.000000 | 1104  | %T.0.000000 | 445   |
| %T.0.000000 | 1110  | %T.0.000000 | 51413 |
| %T.0.000000 | 11104 | %T.0.000000 | 80    |
| %T.0.000000 | 11105 | %T.0.000000 | 80    |
| %T.0.000000 | 11106 | %T.0.000000 | 80    |
+-------------+-------+-------------+-------+
10 rows in set (0.00 sec)

It was all right with the older version of rasqlinsert last time; this is really odd. And when using rasql it retrieves the data correctly:

1.2.3.4 2.3.4.5
1.2.3.4 5.6.7.8

Maybe some conversion is done in between? I really need the data to be understood by the mysql command so that I can perform analysis using MySQL queries and reporting.

Cheers!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net

Carter Bullard | 1 Jun 16:21 2012

Re: ralabel

Hey CS Lee,
This is what I'm getting with your configuration using ratable() from argus-clients-3.0.6 (the version on this particular machine).
I modified the paths so that they pointed to the files on my machine.

MeinTing:argus carter$ ralabel -f /tmp/ralabel.conf -D3 -S localhost -s +sco +dco +sas +das
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.451402 ArgusAddHostList (0xf5b3000, localhost, 1, 6) returning 1
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.913850 RaReadAddressConfig (0xf5b3000, 0x22401930, /usr/local/argus/delegated-ipv4-latest) returning 1
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.914432 RaLabelParseResourceFile (/tmp/ralabel.conf) returning 0
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.915113 main: reading files completed
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.915577 Trying ::1 port 561 Expecting Argus records
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.915704 connected
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.915721 ArgusGetServerSocket (0x10f676000) returning 7
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.930995 ArgusReadConnection() read 16 bytes
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947321 ArgusInitAddrtoname (0xf5b3000, 0x0, 0x0)
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947345 ArgusParseInit(0xf5b3000 0xf676000
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947384 ArgusWriteConnection(0xf676000, 0x6eae97e0, 7) returning 7
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947396 ArgusReadConnection(0xf676000, 2) returning 1
ralabel[90016.60e93d75ff7f0000]: 2012/06/01.10:17:04.947412 ArgusReadStream(0x10f5b3000) starting
                 StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State sCo dCo   sAS   dAS 
2012/06/01.10:17:00.348822  e          icmp           10.0.1.5.0x0008   <->         198.41.0.4.0x5e72        1        1           98           98   ECO  ZZ  US  9304 26415
2012/06/01.10:17:00.404013  e           udp           10.0.1.5.52057    <->         198.41.0.4.domain        1        1           78          540   CON  ZZ  US  9304 26415
2012/06/01.10:17:00.459639  e          icmp           10.0.1.5.0x0008   <->         198.41.0.4.0x5e77        1        1           98           98   ECO  ZZ  US  9304 26415
2012/06/01.10:17:00.516315  e           udp           10.0.1.5.58510    <->         198.41.0.4.domain        1        1           74          546   CON  ZZ  US  9304 26415
2012/06/01.10:17:00.617045  e          icmp           10.0.1.5.0x0008   <->         192.5.6.30.0x5ea0        1        1           98           98   ECO  ZZ  US  9304 36621
2012/06/01.10:17:00.696618  e           udp           10.0.1.5.62677    <->         192.5.6.30.domain        1        1           77          472   CON  ZZ  US  9304 36621
2012/06/01.10:17:00.773827  e          icmp           10.0.1.5.0x0008   <->         192.5.6.30.0x5ea5        1        1           98           98   ECO  ZZ  US  9304 36621
2012/06/01.10:17:00.853761  e           udp           10.0.1.5.64593    <->         192.5.6.30.domain        1        1           71          194   CON  ZZ  US  9304 36621
2012/06/01.10:17:00.930874  e          icmp           10.0.1.5.0x0008   <->         192.5.6.30.0x5eaa        1        1           98           98   ECO  ZZ  US  9304 36621
2012/06/01.10:17:01.027358  e           udp           10.0.1.5.64552    <->         192.5.6.30.domain        1        1           76          378   CON  ZZ  US  9304 36621
2012/06/01.10:17:01.109282  e          icmp           10.0.1.5.0x0008   <->          128.2.1.8.0x5eb2        1        1           98           98   ECO  ZZ  US  9304     9
2012/06/01.10:17:01.159341  e           udp           10.0.1.5.55848    <->          128.2.1.8.domain        1        1           79          175   CON  ZZ  US  9304     9
2012/06/01.10:17:01.207815  e          icmp           10.0.1.5.0x0008   <->          128.2.1.8.0x5eb7        1        1           98           98   ECO  ZZ  US  9304     9
2012/06/01.10:17:01.258176  e           udp           10.0.1.5.56010    <->          128.2.1.8.domain        1        1           82          230   CON  ZZ  US  9304     9
2012/06/01.10:17:01.303089  e          icmp           10.0.1.5.0x0008   <->       128.32.136.3.0x5ebc        1        1           98           98   ECO  ZZ  US  9304    25
2012/06/01.10:17:01.408268  e           udp           10.0.1.5.65066    <->       128.32.136.3.domain        1        1           78          430   CON  ZZ  US  9304    25
2012/06/01.10:17:01.507908  e          icmp           10.0.1.5.0x0008   <->       128.32.136.3.0x5ec1        1        1           98           98   ECO  ZZ  US  9304    25
2012/06/01.10:17:01.613547  e           udp           10.0.1.5.54108    <->       128.32.136.3.domain        1        1           80          263   CON  ZZ  US  9304    25

So I'm getting stuff.  Do you have files in the appropriate places ?  /nsmon/file/ ?
Carter


On Jun 1, 2012, at 2:02 AM, CS Lee wrote:

hi Carter,

Have you updated ralabel? It doesn't seem to work on version 3.0.6.1. When I run

/usr/local/stow/argusc-3.0.6.1/bin/ralabel -f /nsmon/etc/ralabel.conf -S 10.10.10.1:561 -w - | ra -n -s stime proto saddr sport dir daddr dport state sco dco sas das
   12:28:55.523218    udp      1.2.3.4.64507    <->       15.15.15.15.53       CON
   12:28:55.597702    udp      1.2.3.4.32771    <-       2.3.4.5.53       RSP
   12:28:55.647515    udp      1.2.3.4.60581    <->       15.15.15.15.53       CON

You can see that nothing shows up; if I use 3.0.5.34, it seems to be working. My ralabel.conf has these few lines enabled:

RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/nsmon/file/delegated-ipv4-latest"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/nsmon/file/GeoIPASNum.dat"

Cheers!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net

Carter Bullard | 1 Jun 16:32 2012

Re: ralabel

Hey CS Lee,
So, I just tested the 3.0.6.1 patch, and it does seem to break the AS labeling,
so back up to argus-clients-3.0.6 until I can figure out what I did.

Carter

On Jun 1, 2012, at 2:02 AM, CS Lee wrote:

hi Carter,

Have you updated ralabel? It doesn't seem to work on version 3.0.6.1. When I run

/usr/local/stow/argusc-3.0.6.1/bin/ralabel -f /nsmon/etc/ralabel.conf -S 10.10.10.1:561 -w - | ra -n -s stime proto saddr sport dir daddr dport state sco dco sas das
   12:28:55.523218    udp      1.2.3.4.64507    <->       15.15.15.15.53       CON
   12:28:55.597702    udp      1.2.3.4.32771    <-       2.3.4.5.53       RSP
   12:28:55.647515    udp      1.2.3.4.60581    <->       15.15.15.15.53       CON

You can see that nothing shows up; if I use 3.0.5.34, it seems to be working. My ralabel.conf has these few lines enabled:

RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/nsmon/file/delegated-ipv4-latest"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/nsmon/file/GeoIPASNum.dat"

Cheers!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net

CS Lee | 1 Jun 16:48 2012

Re: ralabel

hi Carter,


I made the test. As I have multiple versions of argus on my box for testing, I forgot to specify the path for the argus client version I wanted, so basically the data inserted into the database for saddr and daddr are correct in 3.0.6.1; the issue is the ralabel part in argus 3.0.6.1.

Another issue I'm now looking at is actually bumping suser and duser into the db. I see some errors when trying to insert suser and duser data into mysql; however, I will report once I have confirmed it.

Thanks for the quick response, cheers ;)


On Fri, Jun 1, 2012 at 10:32 PM, Carter Bullard <carter <at> qosient.com> wrote:
Hey CS Lee,
So, I just tested the 3.0.6.1 patch, and it does seem to break the AS labeling,
so back up to argus-clients-3.0.6 until I can figure out what I did.

Carter

On Jun 1, 2012, at 2:02 AM, CS Lee wrote:

hi Carter,

Have you updated ralabel? It doesn't seem to work on version 3.0.6.1. When I run

/usr/local/stow/argusc-3.0.6.1/bin/ralabel -f /nsmon/etc/ralabel.conf -S 10.10.10.1:561 -w - | ra -n -s stime proto saddr sport dir daddr dport state sco dco sas das
   12:28:55.523218    udp      1.2.3.4.64507    <->       15.15.15.15.53       CON
   12:28:55.597702    udp      1.2.3.4.32771    <-       2.3.4.5.53       RSP
   12:28:55.647515    udp      1.2.3.4.60581    <->       15.15.15.15.53       CON

You can see that nothing shows up; if I use 3.0.5.34, it seems to be working. My ralabel.conf has these few lines enabled:

RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/nsmon/file/delegated-ipv4-latest"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/nsmon/file/GeoIPASNum.dat"

Cheers!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net




--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
Carter Bullard | 1 Jun 16:53 2012

Re: ralabel

Hey CS Lee,
I'm sure that we don't escape some of the ASCII sequences that could be in the user buffers that mysql doesn't like,
like  '  " ' which may terminate the string.  If you confirm this, I'll try to fix it quickly, but I'm not sure of
the complete list of chars that mysql would want escaped.

Carter

On Jun 1, 2012, at 10:48 AM, CS Lee wrote:

hi Carter,

I made the test. As I have multiple versions of argus on my box for testing, I forgot to specify the path for the argus client version I wanted, so basically the data inserted into the database for saddr and daddr are correct in 3.0.6.1; the issue is the ralabel part in argus 3.0.6.1.

Another issue I'm now looking at is actually bumping suser and duser into the db. I see some errors when trying to insert suser and duser data into mysql; however, I will report once I have confirmed it.

Thanks for the quick response, cheers ;)


On Fri, Jun 1, 2012 at 10:32 PM, Carter Bullard <carter <at> qosient.com> wrote:
Hey CS Lee,
So, I just tested the 3.0.6.1 patch, and it does seem to break the AS labeling,
so back up to argus-clients-3.0.6 until I can figure out what I did.

Carter

On Jun 1, 2012, at 2:02 AM, CS Lee wrote:

hi Carter,

Have you updated ralabel? It doesn't seem to work on version 3.0.6.1. When I run

/usr/local/stow/argusc-3.0.6.1/bin/ralabel -f /nsmon/etc/ralabel.conf -S 10.10.10.1:561 -w - | ra -n -s stime proto saddr sport dir daddr dport state sco dco sas das
   12:28:55.523218    udp      1.2.3.4.64507    <->       15.15.15.15.53       CON
   12:28:55.597702    udp      1.2.3.4.32771    <-       2.3.4.5.53       RSP
   12:28:55.647515    udp      1.2.3.4.60581    <->       15.15.15.15.53       CON

You can see that nothing shows up; if I use 3.0.5.34, it seems to be working. My ralabel.conf has these few lines enabled:

RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/nsmon/file/delegated-ipv4-latest"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/nsmon/file/GeoIPASNum.dat"

Cheers!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net




--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
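
The escaping problem Carter describes above is worth seeing concretely, because suser/duser are bytes captured off the wire: whoever talks to a monitored host decides what ends up in the INSERT, so an unescaped buffer is wire-controlled SQL, not just a failed insert. The following is an added example, not rasqlinsert code and not from the thread; the table and column names (tbl_argus, suser, duser), the sample payload and the helper names are assumptions. It builds the same statement three ways (unescaped, escaped per the mysql_real_escape_string() rules, and as binary-safe X'..' hex literals) and walks each one the way a backslash-escapes-enabled MySQL parser would, to show which ones survive intact.

```python
"""Why unescaped suser/duser buffers break an INSERT, and two safe ways to
store them.  Added example, not rasqlinsert code: table/column names and the
payload are assumptions."""

# Constructed payload a hostile client might send: apostrophe, backslash,
# NUL and newline, all of which mysql_real_escape_string() would escape.
SUSER = b"GET /?q=it's\\ \x00\n HTTP/1.0"
DUSER = b"HTTP/1.0 200 OK\r\n"

# Byte -> escape sequence, per mysql_real_escape_string() with the default
# (backslash-escapes enabled) SQL mode.
_MYSQL_ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\",
}


def mysql_escape(data: bytes) -> bytes:
    """Escape raw bytes for use inside a single-quoted MySQL string literal."""
    out = bytearray()
    for b in data:
        out += _MYSQL_ESCAPES.get(b, bytes([b]))
    return bytes(out)


def naive_insert(table: str, suser: bytes, duser: bytes) -> str:
    """The unescaped form: the payload's own quote terminates the literal early."""
    return "INSERT INTO %s (suser, duser) VALUES ('%s', '%s')" % (
        table, suser.decode("latin-1"), duser.decode("latin-1"))


def escaped_insert(table: str, suser: bytes, duser: bytes) -> str:
    """Same statement with every special byte escaped."""
    return "INSERT INTO %s (suser, duser) VALUES ('%s', '%s')" % (
        table, mysql_escape(suser).decode("latin-1"),
        mysql_escape(duser).decode("latin-1"))


def hex_literal_insert(table: str, suser: bytes, duser: bytes) -> str:
    """Binary-safe alternative: X'..' literals carry any byte value with no
    escaping at all and suit a VARBINARY/BLOB column better than VARCHAR."""
    return "INSERT INTO %s (suser, duser) VALUES (X'%s', X'%s')" % (
        table, suser.hex(), duser.hex())


def count_string_literals(stmt: str):
    """Walk the statement as a backslash-escapes-enabled MySQL parser would;
    return (complete single-quoted literals, still inside a literal at the end).
    A well-formed two-column INSERT gives (2, False)."""
    literals, inside, i = 0, False, 0
    while i < len(stmt):
        c = stmt[i]
        if inside and c == "\\":
            i += 1                  # escaped character: skip it
        elif c == "'":
            if inside:
                literals += 1
            inside = not inside
        i += 1
    return literals, inside


if __name__ == "__main__":
    for name, build in (("naive", naive_insert), ("escaped", escaped_insert),
                        ("hex", hex_literal_insert)):
        stmt = build("tbl_argus", SUSER, DUSER)
        print(name, count_string_literals(stmt), repr(stmt))
```

The naive statement ends with an unterminated literal and an odd quote in the middle, which is the "errors when trying to insert suser and duser" symptom; the escaped and hex forms both parse cleanly. With a real client library the escaping should be left to the driver (a parameterized `cursor.execute(sql, (suser, duser))`), and because the backslash rules change under the NO_BACKSLASH_ESCAPES SQL mode, the hex-literal form is the one that stays correct regardless of server configuration.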

CS Lee | 1 Jun 17:12 2012

Re: ralabel

hi Carter,


Let me test now and show you the error when it shows up.

On Fri, Jun 1, 2012 at 10:53 PM, Carter Bullard <carter <at> qosient.com> wrote:
Hey CS Lee,
I'm sure that we don't escape some of the ASCII sequences that could be in the user buffers that mysql doesn't like,
like  '  " ' which may terminate the string.  If you confirm this, I'll try to fix it quickly, but I'm not sure of
the complete list of chars that mysql would want escaped.

Carter

On Jun 1, 2012, at 10:48 AM, CS Lee wrote:

hi Carter,

I made the test. As I have multiple versions of argus on my box for testing, I forgot to specify the path for the argus client version I wanted, so basically the data inserted into the database for saddr and daddr are correct in 3.0.6.1; the issue is the ralabel part in argus 3.0.6.1.

Another issue I'm now looking at is actually bumping suser and duser into the db. I see some errors when trying to insert suser and duser data into mysql; however, I will report once I have confirmed it.

Thanks for the quick response, cheers ;)


On Fri, Jun 1, 2012 at 10:32 PM, Carter Bullard <carter <at> qosient.com> wrote:
Hey CS Lee,
So, I just tested the 3.0.6.1 patch, and it does seem to break the AS labeling,
so back up to argus-clients-3.0.6 until I can figure out what I did.

Carter

On Jun 1, 2012, at 2:02 AM, CS Lee wrote:

hi Carter,

Have you updated ralabel? It doesn't seem to work on version 3.0.6.1. When I run

/usr/local/stow/argusc-3.0.6.1/bin/ralabel -f /nsmon/etc/ralabel.conf -S 10.10.10.1:561 -w - | ra -n -s stime proto saddr sport dir daddr dport state sco dco sas das
   12:28:55.523218    udp      1.2.3.4.64507    <->       15.15.15.15.53       CON
   12:28:55.597702    udp      1.2.3.4.32771    <-       2.3.4.5.53       RSP
   12:28:55.647515    udp      1.2.3.4.60581    <->       15.15.15.15.53       CON

You can see that nothing shows up; if I use 3.0.5.34, it seems to be working. My ralabel.conf has these few lines enabled:

RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/nsmon/file/delegated-ipv4-latest"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/nsmon/file/GeoIPASNum.dat"

Cheers!

--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net




--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net




--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
