SOURCES: argus-clients-excel.rc (NEW), argus-clients-racluster.con...
alucard
alucard at pld-linux.org
Thu Mar 1 13:08:55 CET 2007
Author: alucard Date: Thu Mar 1 12:08:55 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- initial PLD release
---- Files affected:
SOURCES:
argus-clients-excel.rc (NONE -> 1.1) (NEW), argus-clients-racluster.conf (NONE -> 1.1) (NEW), argus-clients-radium.conf (NONE -> 1.1) (NEW), argus-clients-radium.init (NONE -> 1.1) (NEW), argus-clients-radium.logrotate (NONE -> 1.1) (NEW), argus-clients-radium.sysconfig (NONE -> 1.1) (NEW), argus-clients-ranonymize.conf (NONE -> 1.1) (NEW), argus-clients-ra.print.all.conf (NONE -> 1.1) (NEW), argus-clients-rarc (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/argus-clients-excel.rc
diff -u /dev/null SOURCES/argus-clients-excel.rc:1.1
--- /dev/null Thu Mar 1 13:08:55 2007
+++ SOURCES/argus-clients-excel.rc Thu Mar 1 13:08:50 2007
@@ -0,0 +1,32 @@
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#
+# Excel rc file.
+#
+# This ra rc file will generate ascii output suitable to be imported
+# into Microsoft Excel or Microsoft Access as a comma separated value file.
+# This is good for graphing, etc....
+
+RA_PRINT_LABELS=0
+RA_FIELD_DELIMITER=','
+RA_PRINT_NAMES=none
+RA_TIME_FORMAT="%m-%d-%y %T"
+RA_USEC_PRECISION=6
+RA_FILTER="not man"
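Review bot: RA_TIME_FORMAT="%m-%d-%y %T" combines a two-digit year with month-first ordering, and Excel interprets such strings according to the importing machine's locale, so the same file can import with swapped day and month on a non-US system; an unambiguous form such as "%Y-%m-%d %T" avoids that. Also, with RA_PRINT_LABELS=0 the file has no header row, so the comment block should state the column order the importer is expected to rely on.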
================================================================
Index: SOURCES/argus-clients-racluster.conf
diff -u /dev/null SOURCES/argus-clients-racluster.conf:1.1
--- /dev/null Thu Mar 1 13:08:55 2007
+++ SOURCES/argus-clients-racluster.conf Thu Mar 1 13:08:50 2007
@@ -0,0 +1,50 @@
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Racluster Aggregation Policy Configuration
+#
+# Carter Bullard
+# QoSient, LLC
+#
+# This configuration is a racluster(1) flow model configuration file.
+#
+# The concept is to bind a traditional ra* filter with an
+# aggregation model. Records are tested against the filter
+# specifications in "fall down" order, when they match, the
+# aggregation model is used to merge records together. The model
+# supports hold and idle timers in order to control the holding
+# merging strategies. If reading from a file, the times are
+# determined from timestamps in the input stream. The system
+# works best if the input stream is somewhat sorted in time.
+#
+# Here is a valid and simple configuration file. It doesn't do
+# anything in particular, but it is one that is used at some sites.
+#
+
+#RACLUSTER_MODEL_NAME=Test Configuration
+#RACLUSTER_PRESERVE_FIELDS=yes
+#RACLUSTER_REPORT_AGGREGATION=no
+#RACLUSTER_AUTO_CORRECTION=yes
+
+filter="icmp"
+filter="arp" model="proto saddr"
+filter="tcp or udp" model="saddr daddr proto dport" status=120 idle=3600 cont
+filter="host 1.2.3.4" model="saddr daddr proto" status=0 idle=3600
+filter="dst port http" model="saddr daddr proto dport" status=0 idle=3600
+filter="" model="saddr daddr proto" status=0 idle=3600
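Review bot: the `filter="host 1.2.3.4"` rule is an example value that ships active in the packaged default, and because rules are matched in "fall down" order it silently takes precedence over the `dst port http` rule below it for any record involving that address; the comment block calls this a configuration that "doesn't do anything in particular", so either comment out the site-specific example rules or note that the file is a template to be edited before use.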
================================================================
Index: SOURCES/argus-clients-radium.conf
diff -u /dev/null SOURCES/argus-clients-radium.conf:1.1
--- /dev/null Thu Mar 1 13:08:55 2007
+++ SOURCES/argus-clients-radium.conf Thu Mar 1 13:08:50 2007
@@ -0,0 +1,209 @@
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Example radium.conf
+#
+# Radium will open this radium.conf if its installed as /etc/radium.conf.
+# It will also search for this file as radium.conf in directories
+# specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib,
+# or $HOME, $HOME/lib, and parse it to set common configuration
+# options. All values in this file can be overriden by command
+# line options, or other files of this format that can be read in
+# using the -F option.
+#
+#
+# Variable Syntax
+#
+# Variable assignments must be of the form:
+#
+# VARIABLE=
+#
+# with no white space between the VARIABLE and the '=' sign.
+# Quotes are optional for string arguements, but if you want
+# to embed comments, then quotes are required.
+#
+#
+# Variable Explanations
+#
+# Radium is capable of running as a daemon, doing all the right things
+# that daemons do. When this specific configuration file is used
+# to configure the system daemon process (/etc/radium.conf) this
+# variable should be set to "yes".
+#
+# The default value is to not run as a daemon.
+#
+# This example is to support the ./support/Startup/radium script
+# which requires that this variable be set to "yes".
+#
+# Commandline equivalent -d
+#
+
+RADIUM_DAEMON=yes
+
+
+# Radium Monitor Data is uniquely identifiable based on the source
+# identifier that is included in each output record. This is to
+# allow you to work with Radium Data from multiple monitors at the
+# same time. The ID is 32 bits long, and so legitimate values are
+# 0 - 4294967296 but radium also supports IP addresses as values.
+# The configuration allows for you to use host names, however, do
+# have some understanding how `hostname` will be resolved by the
+# nameserver before commiting to this strategy completely.
+#
+# Commandline equivalent -e
+#
+
+RADIUM_MONITOR_ID=`hostname`
+
+
+# If compiled to support this option, Radium is capable of
+# generating a lot of debug information.
+#
+# The default value is zero (0).
+#
+# Commandline equivalent -D
+#
+
+#RADIUM_DEBUG_LEVEL=0
+
+
+# Radium will periodically report on a its own health, providing
+# interface status, total packet and bytes counts, packet drop
+# rates, and flow oriented statistics.
+#
+# These records can be used as "keep alives" for periods when
+# there is no network traffic to be monitored.
+#
+# The default value is 60 seconds, but a value of 60 seconds is
+# very common.
+#
+# Commandline equivalent -M
+#
+
+RADIUM_MAR_STATUS_INTERVAL=60
+
+
+#
+# Radium can attach to any number of remote argus servers, and
+# collect argus data in real time. The syntax for this variable
+# is a hostname or a dot notation IP address, followed by an
+# optional port value, separated by a ':'. If the port is not
+# specified, the default value of 561 is used.
+#
+# Commandline equivalent -S <host[:port]>
+#
+
+#RADIUM_ARGUS_SERVER=amon:12345
+#RADIUM_ARGUS_SERVER=thoth:561
+#RADIUM_ARGUS_SERVER=apophis:562
+#RADIUM_ARGUS_SERVER=otherhost:50000
+
+
+# You can provide a filter expression here, if you like.
+# Radium will filter all input records based on this definition.
+# It should be limited to 2K in length. The default is to
+# not filter.
+#
+# No Commandline equivalent
+#
+
+#RADIUM_FILTER=""
+
+
+# Radium can adjust the timestamps in argus records as it receives
+# them, based on the measured time difference between radium()
+# and the sources. The variable takes a threshold value in
+# seconds, so you can specify when to make a correction.
+#
+# No Commandline equivalent
+#
+
+#RADIUM_ADJUST_TIME=5
+
+
+# Radium has filter capabilities that use a filter optimizer.
+# If there is a need to not use this filter optimizer,
+# you can turn it off here. The default is to leave it on.
+#
+# Commandline equivalent -O
+#
+
+#RADIUM_FILTER_OPTIMIZER=yes
+
+
+# Radium can read Cicso Netflow records directly from Cisco
+# routers. Specifying this value will alert Radium to open
+# a UDP based socket listening for data from this name or address.
+#
+# Commandline equivalent -C
+#
+
+#RADIUM_CISCONETFLOW_PORT=9996
+
+
+# When argus is compiled with SASL support, radium may be
+# required to authenticate to the argus data source before data
+# can be received. This variable will allow one to
+# set the user and authorization id's, if needed. Although
+# not recommended you can provide a password through the
+# RADIUM_AUTH_PASS variable. The format for this variable is:
+#
+# RADIUM_USER_AUTH="user_id/authorization_id"
+#
+# Commandline equivalent -U
+#
+
+#RADIUM_USER_AUTH=""
+#RADIUM_AUTH_PASS=""
+
+
+# Radium monitors can provide a real-time remote access port
+# for other programs to collect Radium data. This is a TCP based
+# port service and the default port number is tcp/561, the
+# "experimental monitor" service. This feature is disabled by
+# default, and can be forced off by setting it to zero (0).
+#
+# When you do want to enable this service, 561 is a good choice,
+# as all ra* clients are configured to try this port by default.
+#
+# Commandline equivalent -P
+#
+
+RADIUM_ACCESS_PORT=561
+
+
+#
+# Radium can write its output to one or a number of files,
+# default limit is 64 concurrent files, each with their own
+# independant filters.
+#
+# The format is:
+# RADIUM_OUTPUT_FILE=/full/path/file/name
+# RADIUM_OUTPUT_FILE=/full/path/file/name "filter"
+#
+# Most sites will have radium write to a file, for reliablity
+# and performance. The example file name used here supports
+# the archive program ./support/Archive/argusarchive
+# which is configured to use this file.
+#
+# Commandline equivalent -w
+#
+
+#RADIUM_OUTPUT_FILE=/var/log/argus/argus.out
+
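Review bot: RADIUM_ACCESS_PORT=561 turns on the remote access TCP service even though the comment directly above says the feature is disabled by default, and nothing in the file sets RADIUM_USER_AUTH, so the packaged default exposes the collected flow data to any host that can reach tcp/561; the comment should say so and recommend restricting reachability (or leaving the port at 0 until it is needed). The RADIUM_AUTH_PASS section should also warn that a populated value requires the file not to be world-readable. Minor: the RADIUM_MAR_STATUS_INTERVAL comment ("The default value is 60 seconds, but a value of 60 seconds is very common") contradicts itself, and the spellings "Cicso", "arguements", "overriden", "independant", "reliablity" and "commiting" need fixing.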
================================================================
Index: SOURCES/argus-clients-radium.init
diff -u /dev/null SOURCES/argus-clients-radium.init:1.1
--- /dev/null Thu Mar 1 13:08:55 2007
+++ SOURCES/argus-clients-radium.init Thu Mar 1 13:08:50 2007
@@ -0,0 +1,89 @@
+#!/bin/sh
+# Startup script for radium
+#
+# chkconfig: 2345 97 03
+# description: Run radium
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Get network config
+. /etc/sysconfig/network
+
+# Get service config
+[ -f /etc/sysconfig/radium ] && . /etc/sysconfig/radium
+
+# Check that networking is up.
+if is_yes "${NETWORKING}"; then
+ if [ ! -f /var/lock/subsys/network -a "$1" != stop -a "$1" != status ]; then
+ msg_network_down radium
+ exit 1
+ fi
+else
+ exit 0
+fi
+
+start() {
+ if [ ! -f /var/lock/subsys/radium ]; then
+ msg_starting radium
+ daemon radium -d "${LOG}" "${CONF}"
+ RETVAL=$?
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/radium
+ else
+ msg_already_running radium
+ fi
+}
+
+stop() {
+ if [ -f /var/lock/subsys/radium ]; then
+ msg_stopping radium
+ killproc radium
+ rm -f /var/lock/subsys/radium
+ else
+ msg_not_running radium
+ RETVAL=7
+ fi
+}
+
+reload() {
+ if [ -f /var/lock/subsys/radium ]; then
+ msg_reloading radium
+ killproc radium -HUP
+ RETVAL=$?
+ else
+ msg_not_running radium
+ RETVAL=7
+ fi
+}
+
+RETVAL=0
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+
+ stop)
+ stop
+ ;;
+
+ restart)
+ stop
+ start
+ ;;
+
+ reload|force-reload)
+ reload
+ ;;
+
+ status)
+ status radium
+ RETVAL=$?
+ ;;
+
+ *)
+ msg_usage "$0 {start|stop|reload|force-reload|status}"
+ exit 3
+esac
+
+exit $RETVAL
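Review bot: `daemon radium -d "${LOG}" "${CONF}"` in start() passes each variable as a single argument, but the sysconfig file defines them as `LOG="-w /var/log/argus-clients/radium.log"` and `CONF="-f /etc/argus-clients/radium.conf"`, so radium receives the literal string "-w /var/log/argus-clients/radium.log" as one word rather than the option and its value; drop the quotes (`daemon radium -d $LOG $CONF`) or split the flag and path into separate variables. Also, the msg_usage line omits `restart` although the case statement handles it.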
================================================================
Index: SOURCES/argus-clients-radium.logrotate
diff -u /dev/null SOURCES/argus-clients-radium.logrotate:1.1
--- /dev/null Thu Mar 1 13:08:55 2007
+++ SOURCES/argus-clients-radium.logrotate Thu Mar 1 13:08:50 2007
@@ -0,0 +1,10 @@
+/var/log/argus-clients/*log {
+ olddir /var/log/archiv/argus-clients
+ weekly
+ rotate 4
+ compress
+ create 660 root argus
+ postrotate
+ /sbin/service radium restart > /dev/null
+ endscript
+}
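Review bot: the postrotate action is a full `service radium restart`, which tears down the tcp/561 access service and the connections to the upstream argus servers every week, so records arriving during the restart window are lost; if radium reopens its output file on SIGHUP, the init script's `reload` target would avoid that gap, and otherwise `copytruncate` keeps the daemon running. Also, `olddir /var/log/archiv/argus-clients` must already exist for rotation to succeed, and "archiv" looks like a typo for "archive".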
================================================================
Index: SOURCES/argus-clients-radium.sysconfig
diff -u /dev/null SOURCES/argus-clients-radium.sysconfig:1.1
--- /dev/null Thu Mar 1 13:08:55 2007
+++ SOURCES/argus-clients-radium.sysconfig Thu Mar 1 13:08:50 2007
@@ -0,0 +1,10 @@
+# argus daemon startup configuration file
+
+# Try to define nice-level for running argus
+SERVICE_RUN_NICE_LEVEL="+0"
+
+# set argus log file
+LOG="-w /var/log/argus-clients/radium.log"
+
+# set conf file
+CONF="-f /etc/argus-clients/radium.conf"
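Review bot: the comments describe this as the "argus daemon" configuration and call the -w target the "argus log file", but the file configures radium, and the -w option writes the argus record stream rather than a text log, so storing it as /var/log/argus-clients/radium.log alongside text logs is misleading; the comments should name radium and describe the file as the record output.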
================================================================
Index: SOURCES/argus-clients-ranonymize.conf
diff -u /dev/null SOURCES/argus-clients-ranonymize.conf:1.1
--- /dev/null Thu Mar 1 13:08:55 2007
+++ SOURCES/argus-clients-ranonymize.conf Thu Mar 1 13:08:50 2007
@@ -0,0 +1,280 @@
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# Permission to use, copy, modify, and distribute this software and
+# its documentation for any purpose and without fee is hereby granted,
+# provided that the above copyright notice appear in all copies and
+# that both that copyright notice and this permission notice appear
+# in supporting documentation, and that the name of QoSient not
+# be used in advertising or publicity pertaining to distribution of
+# the software without specific, written prior permission.
+#
+# QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
+# SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+# FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY
+# SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
+# RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
+# CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+#
+# Example ranonymize.conf
+#
+# Ranonymize will open this file and parse it to set common
+# configuration options.
+#
+# Values can be quoted to make string denotation easier, however, the
+# parser does not require that string values be quoted. To support this,
+# the parse will remove '\"' characters from input strings, so do not
+# use this character in strings themselves.
+#
+# Values specified as "" will be treated as a NULL string, and the parser
+# will ignore the variable setting.
+
+# Supported Options
+
+# Ranonymize allows you to specify the type of anonymization methods
+# used for a number of categories. The types are "sequential", "random",
+# "specific", "fixed" or "no" anonymization. Each is described below
+# as they appear in the configuration.
+#
+# ranonymize() uses various strategies to seed its random number
+# generator. If the user specifies a seed, then the srandon(seed)
+# function is used. If keyword "time" is used, then the system usec
+# value at the invocation is used. If the keyword "crypto" is used,
+# then the system call srandomdev() is used if available. If not,
+# the "time" method is used. Configuring with a specific seed value
+# in this configuration file, will generate deterministic values
+# which should result in assignments that are duplicated with
+# reach run.
+#
+
+RANON_SEED=crypto
+
+#
+# Ranonymize can anonymize any field in an Argus record. The
+# decision to anonymize a field should be guided by the sensitivity
+# of disclosure and the need to preserve a specific issue within
+# the data. By default, ranonymize will anonymize the most sensitive
+# data, time, flow identifiers, and network protocol specific data.
+# The available set of identiifers are:
+#
+# "srcid", "flow", "time", "metric", "agr", "net", "vlan", "mpls",
+# "jitter", "ipattr", "suser", "duser", "mac", "icmp", "tadj".
+#
+# Fields that are not mentioned in the anonymization strategy are
+# discarded.
+#
+
+RANON_FIELDS="time flow net"
+
+#
+# Most of the objects in argus data are composite objects, where
+# there are multiple fields and semantics, and to make matters
+# more complicated, for each object there are specific algorithms
+# that can be used to achieve the level of anonymity, desired.
+# These alogirhtms vary from preserving (no modification done),
+# constant shift, table lookup, code book and/or variou cryptographic
+# schemes that are designed to provide collaborative anonymity
+# for communicating parites.
+#
+# Ranonymize anonymizes various fields in Argus records, using a
+# set of default algorithms/strategies. The primary goal of
+# ranonymize() anonymization is to preserve the semantics of
+# common data objects, if those objects are retained in the
+# final product.
+#
+# Because ranonymize() also supports de-anonymization, the methods
+# used to obfuscate data, in some cases, must be reversible. This
+# is an important step to supporting distributed collaboration
+# through anonymization (i'll change my, and you'll change
+# your data so that the transformations generate the same values).
+#
+#
+# Objects such as the timestamps, transaction reference numbers,
+# sequence numbers, IP attributes are, by default, transposed by
+# a constant value, usually a negative constant value. This value
+# is specified either as a random number or explicitly in this
+# configuration, using the keyword "fixed", for fixed offset.
+# This general strategy preserves 1st, 2nd, xth order differentials
+# of the data. Values such as transaction duration are preserved,
+# distance or hop count (in the case of TTL), and derived measures
+# like loss.
+
+# In order to preserve relative time in the data, to support duration
+# one-way delay, and time based correlation strategies within the
+# data, anonymization of time involves subtracting a constant
+# value from the field in every argus record seen.
+# These values, if needed, can be defined by ranonymize or the user.
+# The anonymization method is "fixed" offset, and the constant
+# value can be specified by the user, "fixed:x", where x is a numerical
+# value, +/- 2^31, or chosen by ranonymize at random, "fixed:random",
+# where the random value is choosen from the same range as above.
+#
+
+RANON_TIME_SEC_OFFSET=random
+RANON_TIME_USEC_OFFSET=random
+
+
+RANON_TRANSREFNUM_OFFSET=fixed:82736487
+RANON_TRANSREFNUM_OFFSET=fixed:82736487
+RANON_SEQNUM_OFFSET=fixed:10234
+
+# Ranonymize allows you to specify the type of anonymization methods
+# used in a number of categories. For ethernet network and host
+# address conversion, ranonymize can support "sequential", "random",
+# "specific", "fixed" or "no" anonymization.
+
+# Sequential anonymization involves allocating new addresses in a
+# monotonically increasing fashion on a first come first serve basis.
+# For ethernet addresses this starts with the address xx:xx:xx:00:00:01,
+# where the xx:xx:xx is the vendor identification part, which could be
+# preserved, based on configuration (see below) or anonymized starting
+# with the value 00:00:00. For IP v4 addresses, the sequential address
+# range starts with the non-routable address space 10.0.0, by default.
+# Sequential randomization uses the least amount of memory and minimizes
+# anonymization processing time, however it does not offer the best
+# object scrambling method.
+#
+# As an example, if the first Argus record contained the addresses
+# 128.64.2.4 and 132.243.2.87 as source and destination, sequential
+# anonymization would generate the addresses 10.0.0.1 and 10.0.1.1
+# as the new source and destination addresses, because there are two
+# unique network parts, 128.64.2 -> 10.0.0, and 132.243.2 -> 10.0.1.
+# Host parts are sequentially allocated within the new network address
+# space, and because both addresses are first, they come up as 1.
+#
+# Random anonymization involves choosing a value from a pool
+# of random values. The type of anonymization, net, host,
+# ethernet, dictates the size of the pool of values.
+#
+# Random anonymization could generate 10.24.31.203 and 10.1.34.18
+# as examples, as both the 24 bit network parts would be allocated
+# randomly from the 10 network space, and the host address part
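Review bot: `RANON_TRANSREFNUM_OFFSET=fixed:82736487` is assigned twice (the second line is a verbatim duplicate and should be dropped), and shipping fixed constant offsets for the transaction reference and sequence numbers in a distribution default weakens the anonymization, since the comment block explains that fixed offsets are reversible and anyone with the package can read the constants; `fixed:random` matches the time offset settings above and should be the default. Also, the comment "Fields that are not mentioned in the anonymization strategy are discarded" deserves emphasis next to RANON_FIELDS="time flow net", as it means every other field is dropped from the output, which users may not expect.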
<<Diff was trimmed, longer than 597 lines>>