
Configuring argus clients to have access to country code

updated June 2013: This article is pretty poorly written and organized. I apologize beforehand and I will be rewriting it soon.

 

Carter has considered a few methods for dealing with IP location information. If you only need the country in which an IP address is allocated, you can use the ARIN database lookup. If you need more granular information, such as city, region, latitude and longitude, you must rely on MaxMind’s GeoIP databases, since the ARIN database does not contain that information.

I will cover both of these methods.

I suggest you review Configuring argus clients with .conf and .rarc before continuing…


Should you trust the country code data?
Carter points out that it is worth keeping the round-trip time (RTT) so you can check that the country code really reflects where the packets come from, since some networks are physically located away from the country their addresses are registered to. Once enough data has been collected you can compute the mean RTT per country code, set a tolerance in standard deviations, and use that to flag unusual flows. Keep in mind that an outlying flow record does not necessarily indicate malicious traffic.
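Here is that check worked through in awk, as an added example that is not from the article or from Carter. The input is two columns, country code and RTT in milliseconds, as you might extract for established TCP flows with something like ra -s sco tcprtt (field name assumed); SAMPLE_RTT is constructed data, not a capture. Countries with fewer than three samples are skipped, because a standard deviation estimated from one or two records is meaningless.

```shell
#!/bin/sh
# Added example (not from the article or from Carter): flag flows whose RTT is far from the
# mean RTT of their country code. Input is two columns, country code and RTT in milliseconds,
# e.g. extracted with "ra -s sco tcprtt" (field name assumed) for established TCP flows.
# SAMPLE_RTT is constructed data, not a capture.
SAMPLE_RTT='US 20
US 22
US 19
US 21
US 23
US 180
DE 95
DE 100
DE 98
DE 97
DE 96
DE 99
DE 12'

# rtt_outliers [TOLERANCE] : reads "cc rtt" lines on stdin and prints those more than
# TOLERANCE standard deviations (default 2) from their country's mean. Countries with
# fewer than three samples are skipped because the spread estimate is meaningless there.
rtt_outliers() {
  awk -v tol="${1:-2}" '
    NF == 2 { n++; cc[n] = $1; rtt[n] = $2; sum[$1] += $2; cnt[$1]++ }
    END {
      # second pass: sum of squared deviations per country
      for (i = 1; i <= n; i++) { c = cc[i]; d = rtt[i] - sum[c] / cnt[c]; ss[c] += d * d }
      for (i = 1; i <= n; i++) {
        c = cc[i]
        if (cnt[c] < 3) continue
        mean = sum[c] / cnt[c]; sd = sqrt(ss[c] / cnt[c])
        if (sd == 0) continue
        z = (rtt[i] - mean) / sd
        if (z > tol || z < -tol)
          printf "%s rtt=%s mean=%.1f sd=%.1f z=%.2f\n", c, rtt[i], mean, sd, z
      }
    }'
}

# Helpers over the sample so the result can be checked from a script.
count_rtt_outliers() { printf '%s\n' "$SAMPLE_RTT" | rtt_outliers "$1" | wc -l | tr -d ' '; }
rtt_outlier_countries() {
  printf '%s\n' "$SAMPLE_RTT" | rtt_outliers "$1" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# Run it over the constructed sample: the 180 ms US flow and the 12 ms DE flow stand out.
printf '%s\n' "$SAMPLE_RTT" | rtt_outliers 2
```

Note that a single large outlier inflates the standard deviation of its own country, so with a high tolerance the check becomes less sensitive; pick the tolerance after looking at real per-country spreads, and treat a hit as something to look at, not as an indicator of malicious traffic.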

Country code lookup can take place here, but the IANA hosts the real list, and I compiled a CSV for use with a perl script I’m writing.

Configuring ARIN database lookup to obtain source and destination IP country code:

The ARIN delegation table only reports the country to which each address block is assigned, but for that job it is said to be more efficient than MaxMind’s GeoIP databases.

Run the following to perform the initial download of the ARIN country code file:

bash /root/argus-clients-3.0.6.2/support/Config/ragetcountrycodes.sh

Copy ralabel.conf from the source tree into your /etc/ directory:

cp ./argus-clients-*/support/Config/ralabel.conf /etc/ralabel.conf

In your /etc/ralabel.conf…
1) Uncomment the following lines

RALABEL_ARIN_COUNTRY_CODES=yes
RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"

2) Comment out the following lines

#RALABEL_GEOIP_ASN=yes
#RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
#RALABEL_GEOIP_CITY="saddr,daddr,inode:lat,lon"
#RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"

Test ralabel with the following:

ralabel -f /etc/ralabel.conf -S localhost:561 -s +sco +dco

This attaches ralabel to the argus server at localhost, port 561, reads the argus stream, and prints the records as ASCII to stdout with the source and destination country code fields (sco, dco) appended to the default columns.

For a permanent solution:
Schedule the following in a cron job to run once a month (the delegation database is updated infrequently):

crontab -e
# cron table entry (add it without the leading ##):
## 0 0 1 * * bash /root/argus-clients-3.0.6.2/support/Config/ragetcountrycodes.sh

In order to feed the sco and dco records into an SQL database, you can pipe the binary output of ralabel (-w -) into the stdin of rasqlinsert (-r -):

ralabel -d -f /etc/ralabel.conf -S localhost:561 -s +sco +dco -w - | rasqlinsert -r - -m none -s stime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco dco -w mysql://argus:SQLPASSWORD@localhost/argus/argustable_test

Or, to log errors to files and drop both processes to the background:

ralabel -d -f /etc/ralabel.conf -S localhost:561 -s stime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco dco -w - 2> /var/log/ralabel.log | rasqlinsert -r - -m none -s stime dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state sco dco -w mysql://argus:SQLPASSWORD@localhost/argus/argustable_test 2> /var/log/rasqlinsert.log &

I have written an init script to take care of this process.

Need latitude and longitude?
If you want more granular lookups (as detailed near the end of ralabel.conf), you must rely on the MaxMind GeoIP databases, as follows:

This section is not finished. I will resume at a later time. Use the mailing list archive for research and understanding.

Set up a cron job to download the GeoIP databases once every month:

echo "wget http://www.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz" > /usr/local/share/GeoIP/getgeoipdbs.sh
echo "gunzip -df ./GeoIPASNum.dat.gz" >> /usr/local/share/GeoIP/getgeoipdbs.sh
echo "mv -f ./GeoIPASNum.dat /usr/local/share/GeoIP/" >> /usr/local/share/GeoIP/getgeoipdbs.sh
echo "wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" >> /usr/local/share/GeoIP/getgeoipdbs.sh
echo "gunzip -df ./GeoIP.dat.gz" >> /usr/local/share/GeoIP/getgeoipdbs.sh
echo "mv -f ./GeoIP.dat /usr/local/share/GeoIP/" >> /usr/local/share/GeoIP/getgeoipdbs.sh
echo "wget http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz" >> /usr/local/share/GeoIP/getgeoipdbs.sh
echo "gunzip -df ./GeoLiteCity.dat.gz" >> /usr/local/share/GeoIP/getgeoipdbs.sh
echo "mv -f ./GeoLiteCity.dat /usr/local/share/GeoIP/GeoIPCity.dat" >> /usr/local/share/GeoIP/getgeoipdbs.sh
chmod +x /usr/local/share/GeoIP/getgeoipdbs.sh
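The getgeoipdbs.sh built above overwrites each database as soon as gunzip finishes. As an added example (not from the article or from the argus project), the following functions perform the same download, unpack and move steps but test the archive first and swap the file in with a rename, so a failed or truncated download leaves the copy ralabel is currently reading untouched. The URL and path in the commented call are the ones from the page; fetch_db needs network access, unpack_db_gz does not.

```shell
#!/bin/sh
# Added example (not from the article): replace a GeoIP .dat only after the new copy has
# been fetched and decompressed successfully. The page's one-liner (wget; gunzip -df; mv -f)
# is fine when everything works; this version keeps the old database whenever any step
# fails and swaps files with a single rename.

# unpack_db_gz SRC_GZ DEST : decompress SRC_GZ into DEST; DEST is untouched on failure.
unpack_db_gz() {
  src="$1"; dest="$2"
  destdir=$(dirname "$dest")
  # temp file in the destination directory so the final rename stays on one filesystem
  tmp=$(mktemp "$destdir/.dbtmp.XXXXXX") || return 1
  if gzip -t "$src" 2>/dev/null && gzip -dc "$src" > "$tmp" && [ -s "$tmp" ]; then
    mv -f "$tmp" "$dest"
    return $?
  fi
  echo "unpack_db_gz: $src is not a valid gzip archive; keeping $dest" >&2
  rm -f "$tmp"
  return 1
}

# fetch_db URL DEST : download into a scratch file, then unpack atomically.
fetch_db() {
  url="$1"; dest="$2"
  dl=$(mktemp) || return 1
  if wget -q -O "$dl" "$url"; then
    unpack_db_gz "$dl" "$dest"; rc=$?
  else
    echo "fetch_db: download of $url failed; keeping $dest" >&2; rc=1
  fi
  rm -f "$dl"
  return $rc
}

# Example call matching the page's cron job (URL and path from the page; needs network):
# fetch_db http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz /usr/local/share/GeoIP/GeoIP.dat
```

The gzip integrity test only catches truncated or corrupt downloads; the page's URLs are plain http and ship no checksum, so this does nothing against a substituted file, which is worth remembering since whatever lands in these .dat files drives the labels that later end up in your database.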

Edit your cron job table:

crontab -e
# cron table entry (add it without the leading ##):
## 0 0 1 * * bash /usr/local/share/GeoIP/getgeoipdbs.sh

Try this to count, per destination country code, how many distinct destination addresses were seen across all argus files in the current directory, excluding private, link-local, broadcast and multicast destinations:

export filter="not dst net 169.254.0.0/16 and not dst net 10.0.0.0/8 and not dst net 172.16.0.0/12 and not dst net 192.168.0.0/16 and not dst host 255.255.255.255 and not dst net 239.0.0.0/8 and not dst net 224.0.0.0/24 and not dst net 224.0.1.0/24"
ralabel -f /etc/ralabel.conf -nr * -m dco -w - - ip and $filter | racluster -m dco daddr -s dco daddr sbytes -w - | rasort -m dco saddr sbytes -s dco sbytes saddr daddr | awk '{print $1}' | sort | uniq -c | less

The whole ARIN setup as a sequence of commands (assumes the argus-clients source tree is in your home directory):

cd
cp ./argus-clients-3.0.7.8/support/Config/ragetcountrycodes.sh /usr/local/bin/
chmod 755 /usr/local/bin/ragetcountrycodes.sh
/usr/local/bin/ragetcountrycodes.sh
cp ./argus-clients-3.0.7.8/support/Config/ralabel.conf /etc/ralabel.conf
sed s/#RALABEL_ARIN_COUNTRY_CODES=yes/RALABEL_ARIN_COUNTRY_CODES=yes/ -i /etc/ralabel.conf
sed s@#RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"@RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"@ -i /etc/ralabel.conf
sed s@RALABEL_GEOIP_ASN=yes@#RALABEL_GEOIP_ASN=yes@ -i /etc/ralabel.conf
sed s/'RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"'/'#RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"'/ -i /etc/ralabel.conf
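The ralabel.conf edits from the ARIN section and the sed commands just above do the job, but nothing tells you whether ralabel will actually find what it needs before you wire it into cron. As an added example (not from the article or the argus project), the functions below apply the same edits to a configuration file given as a parameter and then check the result: labelling enabled, a delegated file that exists and is non-empty, no GeoIP options left active, and a warning when the delegated file is older than the monthly cron cadence. make_sample_conf writes a constructed copy of the lines quoted in the article so the whole thing can be rehearsed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the article): apply the ralabel.conf edits from the ARIN section
# and check that ralabel has what it needs. All paths are parameters, so you can rehearse
# on a copy before touching /etc/ralabel.conf.

# configure_arin_labels CONF DELEGATED_FILE
#   - activates RALABEL_ARIN_COUNTRY_CODES=yes and RA_DELEGATED_IP="DELEGATED_FILE"
#   - comments out every active RALABEL_GEOIP_* line (the MaxMind options)
configure_arin_labels() {
  conf="$1"; delegated="$2"
  sed -e 's|^#*RALABEL_ARIN_COUNTRY_CODES=.*|RALABEL_ARIN_COUNTRY_CODES=yes|' \
      -e "s|^#*RA_DELEGATED_IP=.*|RA_DELEGATED_IP=\"$delegated\"|" \
      -e 's|^RALABEL_GEOIP_|#RALABEL_GEOIP_|' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_arin_labels CONF [MAX_AGE_DAYS]
#   returns 0 when country-code labelling is enabled and the delegated file it points at
#   exists; warns when that file is older than MAX_AGE_DAYS (default 45), which means the
#   monthly ragetcountrycodes.sh cron job has not been running.
check_arin_labels() {
  conf="$1"; max_age_days="${2:-45}"
  grep -q '^RALABEL_ARIN_COUNTRY_CODES=yes' "$conf" \
    || { echo "check: ARIN country codes not enabled in $conf" >&2; return 1; }
  delegated=$(sed -n 's/^RA_DELEGATED_IP="\(.*\)"/\1/p' "$conf" | head -n 1)
  [ -n "$delegated" ] \
    || { echo "check: RA_DELEGATED_IP not set in $conf" >&2; return 1; }
  [ -s "$delegated" ] \
    || { echo "check: $delegated missing or empty; run ragetcountrycodes.sh" >&2; return 1; }
  if grep -q '^RALABEL_GEOIP_' "$conf"; then
    echo "check: GeoIP options still active; ralabel will also need the MaxMind .dat files" >&2
    return 1
  fi
  if [ -n "$(find "$delegated" -mtime +"$max_age_days" 2>/dev/null)" ]; then
    echo "check: warning, $delegated is older than $max_age_days days" >&2
  fi
  return 0
}

# make_sample_conf DIR : writes a constructed ralabel.conf with the lines quoted in the
# article as shipped (ARIN off, GeoIP on) plus a one-line stand-in for the delegated file.
make_sample_conf() {
  dir="$1"
  cat > "$dir/ralabel.conf" <<'EOF'
#RALABEL_ARIN_COUNTRY_CODES=yes
#RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
RALABEL_GEOIP_CITY="saddr,daddr,inode:lat,lon"
RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"
EOF
  # constructed stand-in record; the real file comes from ragetcountrycodes.sh
  echo 'arin|US|ipv4|192.0.2.0|256|20130601|assigned' > "$dir/delegated-ipv4-latest"
}

# rehearse : edit and check a scratch copy; returns the check's status.
# On a real host: configure_arin_labels /etc/ralabel.conf /usr/local/argus/delegated-ipv4-latest
rehearse() {
  dir=$(mktemp -d) || return 1
  make_sample_conf "$dir"
  configure_arin_labels "$dir/ralabel.conf" "$dir/delegated-ipv4-latest" || return 1
  check_arin_labels "$dir/ralabel.conf"; rc=$?
  rm -rf "$dir"
  return $rc
}
```

Running check_arin_labels from the same cron job that fetches the delegated file, or just before starting the ralabel | rasqlinsert pipeline, turns a silently unlabelled stream (empty sco/dco columns in the database) into an error you see.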
n4dksa
December 6, 2015 at 5:24 pm

A very nice explanation. Can you please give an example for argus-flow-file?

n4dksa
December 9, 2015 at 10:25 am

I was trying to follow the instructions given here (http://nsmwiki.org/Argus#ralabel_example). Upon running I do not get any labeling or output file. Do you have any clues on how to get a similar output based on a netflow file?

Reply, December 9, 2015 at 11:14 am

Sorry to go back to basics, but you are consuming binary argus data using the `ralabel` client? What is your command invocation? Can you paste it here?
