This configuration is a ralabel(1) configuration file.
The concept is to provide a number of labeling strategies with configuration
capabilities for each of the labelers. This allows the user to specify the
order of the labeling, which is provided to support hierarchical labeling.
Here is a valid and simple configuration file. It doesn't do anything in
particular, but it is one that is used at some sites.
Address based classifications involve building a patricia tree that we can hang
labels against. The strategy is to order the address label configuration
files, to develop a hierarchical label scheme.
The type of IP network address can be used by many analysis programs to make
decisions. While IANA standard classifications don't change, this type of
classification should be extendable to allow local sites to provide additional
Address based country code classification leverages the feature where ra*
clients cant print country codes for the IP addresses that are in a flow
record. Country codes are generated from the ARIN delegated address space
files. Specify the location of your DELEGATED_IP file here, or in your .rarc
file (which is default).
Unlike the GeoIP based country code labeling, these codes can be sorted filtered
and aggregated, so if you want to do that type of operations with country
codes, enable this feature here.
BIND services provide address to name translations, and these reverse lookup
strategies can provide FQDN labels, or domain labels that can be added to
flow. The IP addresses that can be ´labeled' are the saddr, daddr, or
inode. Keywords "yes" and "all" are synonomous and result
in labeling all three IP addresses.
Use this strategy to provide transient semantic enhancement based on ip address
Port based classifications involves simple assignment of a text label to a
specific port number. While IANA standard classifications are supported
throught the Unix /etc/services file assignments, and the basic "src
port" and "dst port" ra* filter schemes, this scheme is used to
enhance/modify that labeling strategy. The text associated with a port number
is placed in the metadata label field, and is searched using the regular
expression searching strategies that are available to label matching.
Use this strategy to provide transient semantic enhancement based on port
Flow filter based classification uses the standard flow filter strategies to
provide a general purpose labeling scheme. The concept is similar to
racluster()'s fall through matching scheme. Fall through the list of filters,
if it matches, add the label. If you want to continue through the list, once
there is a match, add a "cont" to the end of the matching rule.
The labeling features can use the databases provided by MaxMind using the GeoIP
LGPL libraries. If your code was configured to use these libraries, then
enable the features here.
GeoIP provides a lot of support for geo-location, configure support by enabling
a feature and providing the appropriate binary data files. ASN reporting is
done from a separate set of data files, obtained from MaxMind.com, and so
enabling this feature is independent of the traditional city data available.
Labeling data with Origin ASN values involves simply indicating the desire, and
the filename for the database of ASN numbers.
Data for city relevant data is enabled through enabling and configuring the city
database support. The types of data available are:
country_code, country_code3, country_name, region, city, postal_code,
latitude, longitude, metro_code, area_code and continent_code.
time_offset is also available.
The concept is that you should be able to add semantics for any IP address that
is in the argus record. Support addresses are:
saddr, daddr, inode
The labels provided will be tagged as:
scity, dcity, icity
To configure what you want to have placed in the label, use the list of objects,
in whatever order you like, as the RALABLE_GEOPIP_CITY string using these
cco - country_code
cco3 - country_code3
cname - country_name
reg - region
city - city
pcode - postal_code
lat - latitude
long - longitude
metro - metro_code
area - area_code
cont - continent_code
off - GMT time offset
Working examples could be:
Copyright (c) 2000-2016 QoSient All rights reserved.