RALABEL.CONF(1)		    General Commands Manual	       RALABEL.CONF(1)

       ralabel.conf - ralabel resource file.


       This file is a ralabel(1) configuration file.

       The concept is to provide a number of labeling strategies with configu-
       ration capabilities for each of the labelers.  This allows the user  to
       specify the order of the	labeling, which	is provided to support hierar-
       chical labeling.

       Here is a valid and simple configuration	file.	It doesn't do anything
       in particular, but it is	one that is used at some sites.

Supported Labeling Strategies
Address Based Classification
       Address	based classifications involve building a patricia tree that we
       can hang	labels against.	 The strategy is to order  the	address	 label
       configuration files, to develop a hierarchical label scheme.
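
       The hierarchy described above can be modelled as follows.  This is an
       added Python sketch, not code from ralabel: a plain binary trie stands
       in for the patricia tree, and the prefixes, label names, sample files
       and the same-prefix override rule are assumptions.

```python
# Added illustration: a plain binary trie stands in for the patricia tree.
# Prefixes, labels and the two "files" are constructed sample data.
import ipaddress


class LabelTrie:
    def __init__(self):
        # One trie per IP version; a node is {0: child, 1: child, "label": str}.
        self.roots = {4: {}, 6: {}}

    def insert(self, prefix, label):
        net = ipaddress.ip_network(prefix)
        bits, width = int(net.network_address), net.max_prefixlen
        node = self.roots[net.version]
        for i in range(net.prefixlen):
            node = node.setdefault((bits >> (width - 1 - i)) & 1, {})
        node["label"] = label  # assumption: a later file overrides the same prefix

    def labels(self, address):
        """Labels of every covering prefix, least specific first."""
        addr = ipaddress.ip_address(address)
        bits, width = int(addr), addr.max_prefixlen
        node, found = self.roots[addr.version], []
        for i in range(width + 1):
            if "label" in node:
                found.append(node["label"])
            if i == width:
                break
            node = node.get((bits >> (width - 1 - i)) & 1)
            if node is None:
                break
        return found


def build(files):
    """Load label files in their configured order into one trie."""
    trie = LabelTrie()
    for entries in files:
        for prefix, label in entries:
            trie.insert(prefix, label)
    return trie


IANA_FILE = [("10.0.0.0/8", "private"), ("224.0.0.0/4", "multicast")]
SITE_FILE = [("10.1.0.0/16", "campus"), ("10.1.20.0/24", "dmz"),
             ("2001:db8::/32", "lab6")]
TRIE = build([IANA_FILE, SITE_FILE])
```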

IANA IPv4 and IPv6 Address Classification Labeling
       The type	of IP network address can be used by many analysis programs to
       make decisions.	While IANA standard classifications don't change, this
       type  of	 classification	 should	 be extendable to allow	local sites to
       provide additional labeling capabilities.


Address Based Country Code Classification
       Address based country code classification leverages the feature where
       ra* clients can print country codes for the IP addresses that are in a
       flow record.  Country codes are generated from the ARIN delegated
       address space files.  Specify the location of your DELEGATED_IP file
       here, or in your .rarc file (which is the default).

       Unlike the GeoIP based country code labeling, these codes can be
       sorted, filtered and aggregated, so if you want to do those types of
       operations with country codes, enable this feature here.


BIND Based Classification
       BIND services provide address to	name translations, and	these  reverse
       lookup strategies can provide FQDN labels, or domain labels that	can be
       added to flow.  The IP addresses that can be are synonymous and result
       in labeling all three IP addresses.

       Use this strategy to provide transient semantic enhancement based on IP
       address values.


Port Based Classification
       Port based classification involves simple assignment of a text label
       to a specific port number.  While IANA standard classifications are
       supported through the Unix /etc/services file assignments, and the
       basic "src port" and "dst port" ra* filter schemes, this scheme is
       used to enhance/modify that labeling strategy.  The text associated
       with a port number is placed in the metadata label field, and is
       searched using the regular expression searching strategies that are
       available to label matching.

       Use  this  strategy  to provide transient semantic enhancement based on
       port values.


Flow Filter Based Classification
       Flow filter based classification uses the standard flow filter
       strategies to provide a general purpose labeling scheme.  The concept
       is similar to racluster()'s fall through matching scheme.  The list of
       filters is walked in order; when a filter matches, its label is added
       and the walk stops.  If you want to continue through the list once
       there is a match, add a "cont" to the end of the matching rule.
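
       The fall through behaviour and the effect of a missing "cont" can be
       modelled as follows.  This is an added Python sketch, not ralabel code:
       the lambdas stand in for real flow filters, and the rules, labels and
       sample flows are constructed for illustration.

```python
# Added illustration of fall-through matching; not ralabel's code.
# Lambdas stand in for flow filters; rules and flows are constructed.

def label_flow(flow, rules):
    """Walk rules in order; stop at the first match unless it has cont."""
    labels = []
    for matches, label, cont in rules:
        if matches(flow):
            labels.append(label)
            if not cont:
                break
    return labels


def masked_labels(flows, rules):
    """Labels whose filter matched a sample flow but were never applied,
    because an earlier matching rule without cont ended the walk."""
    masked = set()
    for flow in flows:
        applied = label_flow(flow, rules)
        for matches, label, _ in rules:
            if matches(flow) and label not in applied:
                masked.add(label)
    return sorted(masked)


def make_rules(internal_cont):
    """Same rule list, with or without cont on the broad first rule."""
    return [
        (lambda f: f["daddr"].startswith("10."), "internal", internal_cont),
        (lambda f: f["dport"] == 53, "dns", True),
        (lambda f: f["dport"] in (80, 443), "web", False),
    ]


FLOWS = [
    {"daddr": "10.1.20.7", "dport": 53},
    {"daddr": "10.1.20.9", "dport": 443},
    {"daddr": "192.0.2.10", "dport": 443},
]
```

       Running masked_labels() over a sample of flows shows which labels a
       broad early rule without "cont" is suppressing.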


GeoIP Based Labeling
       The  labeling  features can use the databases provided by MaxMind using
       the GeoIP LGPL libraries.  If your code was configured to use these li-
       braries,	then enable the	features here.

       GeoIP provides a lot of support for geo-location; configure support by
       enabling a feature and providing the appropriate binary data files.
       ASN  reporting is done from a separate set of data files, obtained from, and	so enabling this feature is independent	of the	tradi-
       tional city data	available.

       Labeling	data with Origin ASN values involves simply indicating the de-
       sire, and the filename for the database of ASN numbers.


       City relevant data is made available by enabling and configuring the
       city database support.  The types of data available are:
	       country_code,   country_code3,	country_name,	region,	 city,
	       latitude, longitude, metro_code,	area_code and continent_code.
	       time_offset is also available.

       The concept is that you should be able to add semantics for any IP
       address that is in the argus record.  Supported addresses are:
	       saddr, daddr, inode

       The labels provided will	be tagged as:
	       scity, dcity, icity

       To configure what you want to have placed in the label, use the list of
       objects, in whatever order you like, as the RALABEL_GEOIP_CITY string
       using these keywords:
	       cco   - country_code
	       cco3  - country_code3
	       cname - country_name
	       reg   - region
	       city  - city
	       pcode - postal_code
	       lat   - latitude
	       long  - longitude
	       metro - metro_code
	       area  - area_code
	       cont  - continent_code
	       off   - GMT time	offset

       Working examples	could be:


       Copyright (c) 2000-2016 QoSient	All rights reserved.


ralabel.conf 3.0.8	       07 November 2009		       RALABEL.CONF(1)
