1RALABEL.CONF(1) General Commands Manual RALABEL.CONF(1)
2
6 ralabel.conf - ralabel resource file.
7
9 ralabel.conf
10
12 This configuration is a ralabel(1) configuration file.
13 The concept is to provide a number of labeling strategies with configu‐
15 ration capabilities for each of the labelers. This allows the user to
16 specify the order of the labeling, which is provided to support hierar‐
17 chical labeling.
18 Here is a valid and simple configuration file. It doesn't do anything
20 in particular, but it is one that is used at some sites.
21
25 Address based classifications involve building a patricia tree that we
26 can hang labels against. The strategy is to order the address label
27 configuration files, to develop a hierarchical label scheme.
28
33 The type of IP network address can be used by many analysis programs to
34 make decisions. While IANA standard classifications don't change, this
35 type of classification should be extendable to allow local sites to
36 provide additional labeling capabilities.
37 RALABEL_IANA_ADDRESS=yes
39 RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"
40
45 Address based country code classification leverages the feature where
46 ra* clients cant print country codes for the IP addresses that are in a
47 flow record. Country codes are generated from the ARIN delegated
48 address space files. Specify the location of your DELEGATED_IP file
49 here, or in your .rarc file (which is default).
50 Unlike the GeoIP based country code labeling, these codes can be sorted
52 filtered and aggregated, so if you want to do that type of operations
53 with country codes, enable this feature here.
54 RALABEL_ARIN_COUNTRY_CODES=yes
56 RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
57
61 BIND services provide address to name translations, and these reverse
62 lookup strategies can provide FQDN labels, or domain labels that can be
63 added to flow. The IP addresses that can be are synonomous and result
64 in labeling all three IP addresses.
65 Use this strategy to provide transient semantic enhancement based on ip
67 address values.
68 RALABEL_BIND_NAME="all"
70
75 Port based classifications involves simple assignment of a text label
76 to a specific port number. While IANA standard classifications are
77 supported throught the Unix /etc/services file assignments, and the
78 basic "src port" and "dst port" ra* filter schemes, this scheme is used
79 to enhance/modify that labeling strategy. The text associated with a
80 port number is placed in the metadata label field, and is searched
81 using the regular expression searching strategies that are available to
82 label matching.
83 Use this strategy to provide transient semantic enhancement based on
85 port values.
86 RALABEL_IANA_PORT=yes
88 RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
89
93 Flow filter based classification uses the standard flow filter strate‐
94 gies to provide a general purpose labeling scheme. The concept is sim‐
95 ilar to racluster()'s fall through matching scheme. Fall through the
96 list of filters, if it matches, add the label. If you want to continue
97 through the list, once there is a match, add a "cont" to the end of
98 the matching rule.
99
102 RALABEL_ARGUS_FLOW=yes
103 RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"
104
108 The labeling features can use the databases provided by MaxMind using
109 the GeoIP LGPL libraries. If your code was configured to use these
110 libraries, then enable the features here.
111 GeoIP provides a lot of support for geo-location, configure support by
113 enabling a feature and providing the appropriate binary data files.
114 ASN reporting is done from a separate set of data files, obtained from
115 MaxMind.com, and so enabling this feature is independent of the tradi‐
116 tional city data available.
117
120 Labeling data with Origin ASN values involves simply indicating the
121 desire, and the filename for the database of ASN numbers.
122 RALABEL_GEOIP_ASN=yes
124 RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
125
129 Data for city relevant data is enabled through enabling and configuring
130 the city database support. The types of data available are:
131 country_code, country_code3, country_name, region, city,
132 postal_code,
133 latitude, longitude, metro_code, area_code and continent_code.
134 time_offset is also available.
135 The concept is that you should be able to add semantics for any IP
137 address that is in the argus record. Support addresses are:
138 saddr, daddr, inode
139 The labels provided will be tagged as:
142 scity, dcity, icity
143 To configure what you want to have placed in the label, use the list of
145 objects, in whatever order you like, as the RALABLE_GEOPIP_CITY string
146 using these keywords:
147 cco - country_code
148 cco3 - country_code3
149 cname - country_name
150 reg - region
151 city - city
152 pcode - postal_code
153 lat - latitude
154 long - longitude
155 metro - metro_code
156 area - area_code
157 cont - continent_code
158 off - GMT time offset
159 Working examples could be:
161 RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
162 RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
163 RALABEL_GEOIP_CITY="saddr,daddr,inode:lat,lon"
165 RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"
166
169 Copyright (c) 2000-2016 QoSient All rights reserved.
170
173 ralabel(1)
174ralabel.conf 3.0.8 07 November 2009 RALABEL.CONF(1)