# # Argus Client Software. Tools to read, analyze and manage Argus data. # Copyright (c) 2000-2003 QoSient, LLC # All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # Ragator Aggregation Policy Configuration # # Carter Bullard # QoSient, LLC # # # This configuration is a ragator(1) flow model configuration file. # # The concept is that one identifies specific Argus Flow Activity # Records through specification of an ArgusFlow matching statement. # The matching statement references a flow model that is used to # modify the flow description of each transaction. Records are # aggregated based on matches of the modified flow description. # In each statement is a TimeOut period, which is how long ragator() # will hold the aggregated record before reporting it. # # If a record doesn't match any statement in the configuration, # then it is aggregated based on its unmodified flow descriptor. # # An ArgusFlow matching statement specifies values for the fields # src and dst IP address, the protocol, and for TCP and UDP, the # src and dst port numbers. # # '*' denotes 'any' value. # # Proto field can be any valid IP protocol number, or the keywords, # found in the /etc/protocols file. For systems that do not support # /etc/protocols, ragator() understands 'tcp', 'udp', 'icmp', # and 'igmp' tokens on its own. # # Port values can be any valid key word in the /etc/services file, # or, of course, numbers. # # When the protocol is 'icmp', the values after the Proto field # are valid ICMP type and code values. Valid icmp types are: # echo # unreach # srcquench # redirect # timexed # timestamp # info # address # # Numbers can be specified in decimal or as hex with the 0x prefix. # # Here is a valid and simple configuration: # # Argus records are matched in falling order, so you will test Argus # records against the flow descriptors in decending order. In our # example that will be flow 100 then 101. Flow Id numbers are used # only to report syntax errors in the configuration, so don't worry. # about these numbers. # # All Model Id numbers must be unique, and references to Model Id # numbers must be valid for this configuration. # # This configuration is designed simply to specify a timeout value for # flows. Flow 100 matches all tranactions, and indicates that ragator # should use FlowModel 200 to aggregate the matching records. The # aggregate will be held for 60 seconds and then reported. # # #RAGATOR_MODEL_NAME=Test Configuration #RAGATOR_PRESERVE_FIELDS=yes #RAGATOR_PRESERVE_FIELDS=yes #RAGATOR_REPORT_AGGREGATION=yes #RAGATOR_AUTO_CORRECTION=no # # # id SrcCIDRAddr DstCIDRAddr Proto SPort DPort Model Dur Idle Flow 100 ip * * * * * 200 60 0 # TCP and UDP Flow Model Definitions # label id SrcAddrMask DstAddrMask Proto SPort DPort Model 200 ip 255.255.255.255 255.255.255.255 yes yes yes