bionic (5) ralabel.conf.5.gz

Provided by: argus-client_3.0.8.2-3_amd64 bug

NAME

       ralabel.conf - ralabel resource file.

SYNOPSIS

       ralabel.conf

DESCRIPTION

       This configuration is a ralabel(1) configuration file.

       The concept is to provide a number of labeling strategies with configuration capabilities for each of the
       labelers.  This allows the user to specify the order of  the  labeling,  which  is  provided  to  support
       hierarchical labeling.

       Here is a valid and simple configuration file.   It doesn't do anything in particular, but it is one that
       is used at some sites.

Supported Labeling Strategies

Addresss Based Classification

       Address based classifications involve building a patricia tree that we  can  hang  labels  against.   The
       strategy is to order the address label configuration files, to develop a hierarchical label scheme.

IANA IPv4 and IPv6 Address Classification Labeling

RALABEL_IANA_ADDRESS

       The  type  of  IP  network  address  can be used by many analysis programs to make decisions.  While IANA
       standard classifications don't change, this type of classification should be extendable  to  allow  local
       sites to provide additional labeling capabilities.

       RALABEL_IANA_ADDRESS=yes
       RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"

Addresss Based Country Code Classification

RALABEL_ARIN_COUNTRY_CODES

       Address  based  country  code  classification  leverages the feature where ra* clients cant print country
       codes for the IP addresses that are in a  flow  record.   Country  codes  are  generated  from  the  ARIN
       delegated  address  space  files.   Specify the location of your DELEGATED_IP file here, or in your .rarc
       file (which is default).

       Unlike the GeoIP based country code labeling, these codes can be sorted filtered and  aggregated,  so  if
       you want to do that type of operations with country codes, enable this feature here.

       RALABEL_ARIN_COUNTRY_CODES=yes
       RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"

BIND Based Classification

RALABEL_BIND_NAME

       BIND  services provide address to name translations, and these reverse lookup strategies can provide FQDN
       labels, or domain labels that can be added to flow.  The IP addresses  that  can  be  ´labeled'  are  the
       saddr,  daddr,  or  inode.   Keywords  "yes" and "all" are synonomous and result in labeling all three IP
       addresses.

       Use this strategy to provide transient semantic enhancement based on ip address values.

       RALABEL_BIND_NAME="all"

Port Based Classification

RALABEL_IANA_PORT

       Port based classifications involves simple assignment of a text label to a specific port  number.   While
       IANA  standard  classifications  are  supported throught the Unix /etc/services file assignments, and the
       basic "src port" and "dst port" ra* filter schemes, this scheme is used to enhance/modify  that  labeling
       strategy.   The text associated with a port number is placed in the metadata label field, and is searched
       using the regular expression searching strategies that are available to label matching.

       Use this strategy to provide transient semantic enhancement based on port values.

       RALABEL_IANA_PORT=yes
       RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"

Flow Filter Based Classification

       Flow filter based classification uses the standard flow filter strategies to provide  a  general  purpose
       labeling scheme.  The concept is similar to racluster()'s fall through matching scheme.  Fall through the
       list of filters, if it matches, add the label.  If you want to continue through the list, once there is a
       match,  add a "cont" to the end of the matching rule.

RALABEL_ARGUS_FLOW

       RALABEL_ARGUS_FLOW=yes
       RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"

GeoIP Based Labeling

       The  labeling features can use the databases provided by MaxMind using the GeoIP LGPL libraries.  If your
       code was configured to use these libraries, then enable the features here.

       GeoIP provides a lot of support for geo-location, configure support by enabling a feature  and  providing
       the  appropriate  binary  data  files.  ASN reporting is done from a separate set of data files, obtained
       from MaxMind.com, and so enabling this feature is independent of the traditional city data available.

RALABEL_GEOIP_ASN

       Labeling data with Origin ASN values involves simply indicating the desire,  and  the  filename  for  the
       database of ASN numbers.

       RALABEL_GEOIP_ASN=yes
       RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"

RALABEL_GEOIP_CITY

       Data  for  city relevant data is enabled through enabling and configuring the city database support.  The
       types of data available are:
               country_code, country_code3, country_name, region, city, postal_code,
               latitude, longitude, metro_code, area_code and continent_code.
               time_offset is also available.

       The concept is that you should be able to add semantics for any IP address that is in the  argus  record.
       Support addresses are:
               saddr, daddr, inode

       The labels provided will be tagged as:
               scity, dcity, icity

       To  configure  what  you want to have placed in the label, use the list of objects, in whatever order you
       like, as the RALABLE_GEOPIP_CITY string using these keywords:
               cco   - country_code
               cco3  - country_code3
               cname - country_name
               reg   - region
               city  - city
               pcode - postal_code
               lat   - latitude
               long  - longitude
               metro - metro_code
               area  - area_code
               cont  - continent_code
               off   - GMT time offset

       Working examples could be:
               RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
               RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"

       RALABEL_GEOIP_CITY="saddr,daddr,inode:lat,lon"
       RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"

       Copyright (c) 2000-2016 QoSient  All rights reserved.

SEE ALSO

       ralabel(1)