--- /dev/null
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#
+# Excel rc file.
+#
+# This ra rc file will generate ascii output suitable to be imported
+# into Microsoft Excel or Microsoft Access as a comma separated value file.
+# This is good for graphing, etc....
+
+RA_PRINT_LABELS=0
+RA_FIELD_DELIMITER=','
+RA_PRINT_NAMES=none
+RA_TIME_FORMAT="%m-%d-%y %T"
+RA_USEC_PRECISION=6
+RA_FILTER="not man"
--- /dev/null
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#
+# Ra.Print.All.Conf
+#
+# This ra rc file will print all the available fields for a given argus
+# record, seperated by a comma.
+
+RA_PRINT_LABELS=0
+RA_FIELD_DELIMITER=','
+RA_USEC_PRECISION=6
+RA_PRINT_NAMES=port
+RA_FIELD_SPECIFIER= srcid stime ltime trans flgs dur avgdur stddev mindur maxdur saddr daddr proto sport dport stos dtos sdsb ddsb sttl dttl sipid dipid pkts spkts dpkts bytes sbytes dbytes appbytes sappbytes dappbytes sload dload load sloss dloss loss sploss dploss ploss srate drate rate smac dmac dir sintpkt dintpkt sintpktact dintpktact sintpktidl dintpktidl sintpktmax sintpktmin dintpktmax dintpktmin sintpktactmax sintpktactmin dintpktactmax dintpktactmin sintpktidlmax sintpktidlmin dintpktidlmax dintpktidlmin jit sjit djit jitact sjitact djitact jitidl sjitidl djitidl state ddur dstime dltime dspkts ddpkts dsbytes ddbytes pdspkts pddpkts pdsbytes pddbytes suser duser tcpext swin dwin jdelay ldelay seq bins binnum smpls dmpls svlan dvlan svid dvid svpri dvpri srng erng stcpb dtcpb tcprtt inode
--- /dev/null
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Racluster Aggregation Policy Configuration
+#
+# Carter Bullard
+# QoSient, LLC
+#
+# This configuration is a racluster(1) flow model configuration file.
+#
+# The concept is to bind a traditional ra* filter with an
+# aggregation model. Records are tested against the filter
+# specifications in "fall down" order, when they match, the
+# aggregation model is used to merge records together. The model
+# supports hold and idle timers in order to control the holding
+# merging strategies. If reading from a file, the times are
+# determined from timestamps in the input stream. The system
+# works best if the input stream is somewhat sorted in time.
+#
+# Here is a valid and simple configuration file. It doesn't do
+# anything in particular, but it is one that is used at some sites.
+#
+
+#RACLUSTER_MODEL_NAME=Test Configuration
+#RACLUSTER_PRESERVE_FIELDS=yes
+#RACLUSTER_REPORT_AGGREGATION=no
+#RACLUSTER_AUTO_CORRECTION=yes
+
+filter="icmp"
+filter="arp" model="proto saddr"
+filter="tcp or udp" model="saddr daddr proto dport" status=120 idle=3600 cont
+filter="host 1.2.3.4" model="saddr daddr proto" status=0 idle=3600
+filter="dst port http" model="saddr daddr proto dport" status=0 idle=3600
+filter="" model="saddr daddr proto" status=0 idle=3600
--- /dev/null
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Example radium.conf
+#
+# Radium will open this radium.conf if its installed as /etc/radium.conf.
+# It will also search for this file as radium.conf in directories
+# specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib,
+# or $HOME, $HOME/lib, and parse it to set common configuration
+# options. All values in this file can be overriden by command
+# line options, or other files of this format that can be read in
+# using the -F option.
+#
+#
+# Variable Syntax
+#
+# Variable assignments must be of the form:
+#
+# VARIABLE=
+#
+# with no white space between the VARIABLE and the '=' sign.
+# Quotes are optional for string arguements, but if you want
+# to embed comments, then quotes are required.
+#
+#
+# Variable Explanations
+#
+# Radium is capable of running as a daemon, doing all the right things
+# that daemons do. When this specific configuration file is used
+# to configure the system daemon process (/etc/radium.conf) this
+# variable should be set to "yes".
+#
+# The default value is to not run as a daemon.
+#
+# This example is to support the ./support/Startup/radium script
+# which requires that this variable be set to "yes".
+#
+# Commandline equivalent -d
+#
+
+RADIUM_DAEMON=yes
+
+
+# Radium Monitor Data is uniquely identifiable based on the source
+# identifier that is included in each output record. This is to
+# allow you to work with Radium Data from multiple monitors at the
+# same time. The ID is 32 bits long, and so legitimate values are
+# 0 - 4294967296 but radium also supports IP addresses as values.
+# The configuration allows for you to use host names, however, do
+# have some understanding how `hostname` will be resolved by the
+# nameserver before commiting to this strategy completely.
+#
+# Commandline equivalent -e
+#
+
+RADIUM_MONITOR_ID=`hostname`
+
+
+# If compiled to support this option, Radium is capable of
+# generating a lot of debug information.
+#
+# The default value is zero (0).
+#
+# Commandline equivalent -D
+#
+
+#RADIUM_DEBUG_LEVEL=0
+
+
+# Radium will periodically report on a its own health, providing
+# interface status, total packet and bytes counts, packet drop
+# rates, and flow oriented statistics.
+#
+# These records can be used as "keep alives" for periods when
+# there is no network traffic to be monitored.
+#
+# The default value is 60 seconds, but a value of 60 seconds is
+# very common.
+#
+# Commandline equivalent -M
+#
+
+RADIUM_MAR_STATUS_INTERVAL=60
+
+
+#
+# Radium can attach to any number of remote argus servers, and
+# collect argus data in real time. The syntax for this variable
+# is a hostname or a dot notation IP address, followed by an
+# optional port value, separated by a ':'. If the port is not
+# specified, the default value of 561 is used.
+#
+# Commandline equivalent -S <host[:port]>
+#
+
+#RADIUM_ARGUS_SERVER=amon:12345
+#RADIUM_ARGUS_SERVER=thoth:561
+#RADIUM_ARGUS_SERVER=apophis:562
+#RADIUM_ARGUS_SERVER=otherhost:50000
+
+
+# You can provide a filter expression here, if you like.
+# Radium will filter all input records based on this definition.
+# It should be limited to 2K in length. The default is to
+# not filter.
+#
+# No Commandline equivalent
+#
+
+#RADIUM_FILTER=""
+
+
+# Radium can adjust the timestamps in argus records as it receives
+# them, based on the measured time difference between radium()
+# and the sources. The variable takes a threshold value in
+# seconds, so you can specify when to make a correction.
+#
+# No Commandline equivalent
+#
+
+#RADIUM_ADJUST_TIME=5
+
+
+# Radium has filter capabilities that use a filter optimizer.
+# If there is a need to not use this filter optimizer,
+# you can turn it off here. The default is to leave it on.
+#
+# Commandline equivalent -O
+#
+
+#RADIUM_FILTER_OPTIMIZER=yes
+
+
+# Radium can read Cicso Netflow records directly from Cisco
+# routers. Specifying this value will alert Radium to open
+# a UDP based socket listening for data from this name or address.
+#
+# Commandline equivalent -C
+#
+
+#RADIUM_CISCONETFLOW_PORT=9996
+
+
+# When argus is compiled with SASL support, radium may be
+# required to authenticate to the argus data source before data
+# can be received. This variable will allow one to
+# set the user and authorization id's, if needed. Although
+# not recommended you can provide a password through the
+# RADIUM_AUTH_PASS variable. The format for this variable is:
+#
+# RADIUM_USER_AUTH="user_id/authorization_id"
+#
+# Commandline equivalent -U
+#
+
+#RADIUM_USER_AUTH=""
+#RADIUM_AUTH_PASS=""
+
+
+# Radium monitors can provide a real-time remote access port
+# for other programs to collect Radium data. This is a TCP based
+# port service and the default port number is tcp/561, the
+# "experimental monitor" service. This feature is disabled by
+# default, and can be forced off by setting it to zero (0).
+#
+# When you do want to enable this service, 561 is a good choice,
+# as all ra* clients are configured to try this port by default.
+#
+# Commandline equivalent -P
+#
+
+RADIUM_ACCESS_PORT=561
+
+
+#
+# Radium can write its output to one or a number of files,
+# default limit is 64 concurrent files, each with their own
+# independant filters.
+#
+# The format is:
+# RADIUM_OUTPUT_FILE=/full/path/file/name
+# RADIUM_OUTPUT_FILE=/full/path/file/name "filter"
+#
+# Most sites will have radium write to a file, for reliablity
+# and performance. The example file name used here supports
+# the archive program ./support/Archive/argusarchive
+# which is configured to use this file.
+#
+# Commandline equivalent -w
+#
+
+#RADIUM_OUTPUT_FILE=/var/log/argus/argus.out
+
--- /dev/null
+#!/bin/sh
+# Startup script for radium
+#
+# chkconfig: 2345 97 03
+# description: Run radium
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Get network config
+. /etc/sysconfig/network
+
+# Get service config
+[ -f /etc/sysconfig/radium ] && . /etc/sysconfig/radium
+
+# Check that networking is up.
+if is_yes "${NETWORKING}"; then
+ if [ ! -f /var/lock/subsys/network -a "$1" != stop -a "$1" != status ]; then
+ msg_network_down radium
+ exit 1
+ fi
+else
+ exit 0
+fi
+
+start() {
+ if [ ! -f /var/lock/subsys/radium ]; then
+ msg_starting radium
+ daemon radium -d "${LOG}" "${CONF}"
+ RETVAL=$?
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/radium
+ else
+ msg_already_running radium
+ fi
+}
+
+stop() {
+ if [ -f /var/lock/subsys/radium ]; then
+ msg_stopping radium
+ killproc radium
+ rm -f /var/lock/subsys/radium
+ else
+ msg_not_running radium
+ RETVAL=7
+ fi
+}
+
+reload() {
+ if [ -f /var/lock/subsys/radium ]; then
+ msg_reloading radium
+ killproc radium -HUP
+ RETVAL=$?
+ else
+ msg_not_running radium
+ RETVAL=7
+ fi
+}
+
+RETVAL=0
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+
+ stop)
+ stop
+ ;;
+
+ restart)
+ stop
+ start
+ ;;
+
+ reload|force-reload)
+ reload
+ ;;
+
+ status)
+ status radium
+ RETVAL=$?
+ ;;
+
+ *)
+ msg_usage "$0 {start|stop|reload|force-reload|status}"
+ exit 3
+esac
+
+exit $RETVAL
--- /dev/null
+/var/log/argus-clients/*log {
+ olddir /var/log/archiv/argus-clients
+ weekly
+ rotate 4
+ compress
+ create 660 root argus
+ postrotate
+ /sbin/service radium restart > /dev/null
+ endscript
+}
--- /dev/null
+# argus daemon startup configuration file
+
+# Try to define nice-level for running argus
+SERVICE_RUN_NICE_LEVEL="+0"
+
+# set argus log file
+LOG="-w /var/log/argus-clients/radium.log"
+
+# set conf file
+CONF="-f /etc/argus-clients/radium.conf"
--- /dev/null
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# Permission to use, copy, modify, and distribute this software and
+# its documentation for any purpose and without fee is hereby granted,
+# provided that the above copyright notice appear in all copies and
+# that both that copyright notice and this permission notice appear
+# in supporting documentation, and that the name of QoSient not
+# be used in advertising or publicity pertaining to distribution of
+# the software without specific, written prior permission.
+#
+# QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
+# SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+# FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY
+# SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
+# RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
+# CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+#
+# Example ranonymize.conf
+#
+# Ranonymize will open this file and parse it to set common
+# configuration options.
+#
+# Values can be quoted to make string denotation easier, however, the
+# parser does not require that string values be quoted. To support this,
+# the parse will remove '\"' characters from input strings, so do not
+# use this character in strings themselves.
+#
+# Values specified as "" will be treated as a NULL string, and the parser
+# will ignore the variable setting.
+
+# Supported Options
+
+# Ranonymize allows you to specify the type of anonymization methods
+# used for a number of categories. The types are "sequential", "random",
+# "specific", "fixed" or "no" anonymization. Each is described below
+# as they appear in the configuration.
+#
+# ranonymize() uses various strategies to seed its random number
+# generator. If the user specifies a seed, then the srandon(seed)
+# function is used. If keyword "time" is used, then the system usec
+# value at the invocation is used. If the keyword "crypto" is used,
+# then the system call srandomdev() is used if available. If not,
+# the "time" method is used. Configuring with a specific seed value
+# in this configuration file, will generate deterministic values
+# which should result in assignments that are duplicated with
+# reach run.
+#
+
+RANON_SEED=crypto
+
+#
+# Ranonymize can anonymize any field in an Argus record. The
+# decision to anonymize a field should be guided by the sensitivity
+# of disclosure and the need to preserve a specific issue within
+# the data. By default, ranonymize will anonymize the most sensitive
+# data, time, flow identifiers, and network protocol specific data.
+# The available set of identiifers are:
+#
+# "srcid", "flow", "time", "metric", "agr", "net", "vlan", "mpls",
+# "jitter", "ipattr", "suser", "duser", "mac", "icmp", "tadj".
+#
+# Fields that are not mentioned in the anonymization strategy are
+# discarded.
+#
+
+RANON_FIELDS="time flow net"
+
+#
+# Most of the objects in argus data are composite objects, where
+# there are multiple fields and semantics, and to make matters
+# more complicated, for each object there are specific algorithms
+# that can be used to achieve the level of anonymity, desired.
+# These alogirhtms vary from preserving (no modification done),
+# constant shift, table lookup, code book and/or variou cryptographic
+# schemes that are designed to provide collaborative anonymity
+# for communicating parites.
+#
+# Ranonymize anonymizes various fields in Argus records, using a
+# set of default algorithms/strategies. The primary goal of
+# ranonymize() anonymization is to preserve the semantics of
+# common data objects, if those objects are retained in the
+# final product.
+#
+# Because ranonymize() also supports de-anonymization, the methods
+# used to obfuscate data, in some cases, must be reversible. This
+# is an important step to supporting distributed collaboration
+# through anonymization (i'll change my, and you'll change
+# your data so that the transformations generate the same values).
+#
+#
+# Objects such as the timestamps, transaction reference numbers,
+# sequence numbers, IP attributes are, by default, transposed by
+# a constant value, usually a negative constant value. This value
+# is specified either as a random number or explicitly in this
+# configuration, using the keyword "fixed", for fixed offset.
+# This general strategy preserves 1st, 2nd, xth order differentials
+# of the data. Values such as transaction duration are preserved,
+# distance or hop count (in the case of TTL), and derived measures
+# like loss.
+
+# In order to preserve relative time in the data, to support duration
+# one-way delay, and time based correlation strategies within the
+# data, anonymization of time involves subtracting a constant
+# value from the field in every argus record seen.
+# These values, if needed, can be defined by ranonymize or the user.
+# The anonymization method is "fixed" offset, and the constant
+# value can be specified by the user, "fixed:x", where x is a numerical
+# value, +/- 2^31, or chosen by ranonymize at random, "fixed:random",
+# where the random value is choosen from the same range as above.
+#
+
+RANON_TIME_SEC_OFFSET=random
+RANON_TIME_USEC_OFFSET=random
+
+
+RANON_TRANSREFNUM_OFFSET=fixed:82736487
+RANON_TRANSREFNUM_OFFSET=fixed:82736487
+RANON_SEQNUM_OFFSET=fixed:10234
+
+# Ranonymize allows you to specify the type of anonymization methods
+# used in a number of categories. For ethernet network and host
+# address conversion, ranonymize can support "sequential", "random",
+# "specific", "fixed" or "no" anonymization.
+
+# Sequential anonymization involves allocating new addresses in a
+# monotonically increasing fashion on a first come first serve basis.
+# For ethernet addresses this starts with the address xx:xx:xx:00:00:01,
+# where the xx:xx:xx is the vendor identification part, which could be
+# preserved, based on configuration (see below) or anonymized starting
+# with the value 00:00:00. For IP v4 addresses, the sequential address
+# range starts with the non-routable address space 10.0.0, by default.
+# Sequential randomization uses the least amount of memory and minimizes
+# anonymization processing time, however it does not offer the best
+# object scrambling method.
+#
+# As an example, if the first Argus record contained the addresses
+# 128.64.2.4 and 132.243.2.87 as source and destination, sequential
+# anonymization would generate the addresses 10.0.0.1 and 10.0.1.1
+# as the new source and destination addresses, because there are two
+# unique network parts, 128.64.2 -> 10.0.0, and 132.243.2 -> 10.0.1.
+# Host parts are sequentially allocated within the new network address
+# space, and because both addresses are first, they come up as 1.
+#
+# Random anonymization involves choosing a value from a pool
+# of random values. The type of anonymization, net, host,
+# ethernet, dictates the size of the pool of values.
+#
+# Random anonymization could generate 10.24.31.203 and 10.1.34.18
+# as examples, as both the 24 bit network parts would be allocated
+# randomly from the 10 network space, and the host address part
+# would be allocated randomly from the possible host addresses for
+# each allocated network space. Random anonymization provides better
+# address scrambling, as it is not dependant on address ordering, but
+# it is significantly more computationaly complex.
+
+# Ranonymize has the option to preserve specific aspects of ethernet
+# address semantics, such as vendor identification, and broadcast/
+# multicast use. These can be selected independantly.
+
+RANON_ETHERNET_ANONYMIZATION=sequential
+RANON_PRESERVE_ETHERNET_VENDOR=no
+RANON_PRESERVE_ETHERNET_BROADCAST=yes
+RANON_PRESERVE_ETHERNET_MULTICAST=yes
+
+RANON_NET_ANONYMIZATION=sequential
+RANON_HOST_ANONYMIZATION=sequential
+
+# The length of the network address part of IPv4 addresses is by
+# default 24 bits, but it can be set to any value < 32.
+
+RANON_NETWORK_ADDRESS_LENGTH=24
+
+# Ranonymize can be configured to perform specific network
+# address translation, regardless of the types of anonymization
+# that are being employed. These must be specified using the
+# configured network address length. These addresses are allocated
+# prior to any processing, and represent a culling from the available
+# anonymization address pool.
+#
+#Examples could be:
+#
+#RANON_SPECIFY_NET_TRANSLATION=192.168.0/24::128.2.134/24
+#RANON_SPECIFY_NET_TRANSLATION=64.12.0/24::134.5.0/24
+#RANON_SPECIFY_NET_TRANSLATION=128.2/24.0::200.200.0/24
+#
+#
+# Ranonymize can also be configured to perform specific host
+# address translation. Feel free to list as many addresses
+# that you would like.
+#
+#Examples would be:
+#
+#RANON_SPECIFY_HOST_TRANSLATION=192.168.0.64::128.2.34.5
+#
+
+# Ranonymize has the option to preserve the network address
+# hierarchy at various levels of granularity. This allows you to
+# preserve the addressing relationships between addresses.
+# The options are "cidr", "class" and "no".
+#
+# CIDR network address anoyminization specifies the length of
+# the network part for all address allocations. The default is
+# 24 bits.
+
+RANON_PRESERVE_NET_ADDRESS_HIERARCHY=cidr/24
+
+
+# Class network adddress heirarchy preservation, causes ranonymize()
+# to allocate new network addresses base on the address class. All
+# CLASSA network addresses will be allocated new addresses from the
+# Class A network pool. The Class option sets the NETWORK_ADDRESS_LENGTH
+# value to 24. Specifing "specific" network translations is allowed,
+# however these address will not be hierarchy preserving.
+
+#RANON_PRESERVE_NET_ADDRESS_HIERARCHY=class
+
+# Ranonymize has the option to preserve the broadcast address
+# relationship by not modifying host addresses of 0 and 255.
+
+RANON_PRESERVE_BROADCAST_ADDRESS=yes
+
+# Preserving Multicast addresses means mapping any IANA defined
+# IPv4 multicast address to another multicast address. While there
+# is no inherient semantic of network and host values for mulitcast
+# addresses, ranonymize treats multicast addresses as normal addresses
+# but allocated from a separate pool.
+# Semantics for network and host parts still apply as above.
+
+RANON_PRESERVE_MULTICAST_ADDRESS=yes
+
+
+# Ranonymize anonymizes the IP_ID value in IPv4 records, by adding
+# a constant value to the existing ip_id and wrapping where appropriate.
+# The constant value can be generated by ranonymize as "fixed:random",
+# or the user can provid a "fixed:x", where x is the fixed offset,
+# or the keyword "none" can be used to turn off the default
+#
+RANON_PRESERVE_IP_ID=fixed:random
+
+# Ranonymize can be configured to preserve specific ranges
+# of port numbers. For convenience, ranonymize() can be
+# configured to preserve the IANA well known port allocation
+# range (0-1023), the registered ports (1024-49151) and/or
+# the private port range (49152 - 65535). Also, ranonymize()
+# can be configured to preserve specific port numbers. These
+# numbers are independent of protocol type, so if port 23461
+# is to be preserved, it will be for both tcp and udp based
+# flows.
+#
+RANON_PRESERVE_WELLKNOWN_PORT_NUMS=yes
+RANON_PRESERVE_REGISTERED_PORT_NUMS=no
+RANON_PRESERVE_PRIVATE_PORT_NUMS=no
+
+
+# Ranonymize can be configured to use several methods for
+# anonymizing port values. "random", "fixed:random", "fixed:x"
+# and "no" anonymization. Random ensures that every port value
+# is allocated from a random pool, where the offset: methods
+# shift the port number by either a "random" amount, changing
+# on each invocation, or with a fixed offset of 'x', specified by the user.
+
+RANON_PORT_METHOD="offset:random"
+
+
+# There are a number of fields that are not subject to anonymization,
+# such as protocol types. These values, if not needed, can be zeroed
+# out, but upper protocol information, such as TCP base sequence numbers,
+# window performance etc.... need to be removed as needed.
+
+# By default, ranonymize() removes or zeroizes all other fields, in
+# the record, including TTL, TOS. Whole DSR's that are not anonymizable,
+# such as jitter values, user data contents, etc... are removed from the
+# record at anonymization time.
+
+
--- /dev/null
+#
+# Argus Software
+# Copyright (c) 2000-2007 QoSient, LLC
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+#
+# Example .rarc
+#
+# Ra* clients will open this file if its in the users HOME directory,
+# or in the $ARGUSHOME directory, and parse it to set common configuration
+# options. All of these values will be overriden by those options
+# set on the command line, or in the file specified using the -f option.
+#
+# Values can be quoted to make string denotation easier, however, the
+# parser does not require that string values be quoted. To support this,
+# the parse will remove '\"' characters from input strings, so do not
+# use this character in strings themselves.
+#
+# Values specified as "" will be treated as a NULL string, and the parser
+# will ignore the variable setting.
+
+#
+# All ra* clients can attach to a remote server, and collect argus data
+# in real time. This variable can be a name or a dot notation IP address.
+#
+#RA_ARGUS_SERVER=localhost:561
+
+
+# All ra* clients can read Cicso Netflow records directly from Cisco
+# routers. Specifying this value will alert the ra* client to open
+# a UDP based socket listening for data on this port number.
+#
+#RA_CISCONETFLOW_PORT=
+
+
+# Any ra* program can generate a pid file, which can be
+# used to control the number of instances that the system
+# can support. However, creating a system pid file may
+# require priviledges that are inappropriate for all cases.
+#
+# When configured to generate a pid file, if a file called
+# ra*.pid (where ra* is the name of the program in question)
+# exists in the RA_PID_PATH directory, and a program
+# exists with a pid that matches the one contained in the
+# file, then the program will not start. If the pid does
+# not exist, then the ra* program replaces the value in the
+# file, with its own pid. If a pid file does not exist,
+# then the ra* program will create it in the RA_PID_PATH
+# directory, if it can. The end result is that the system
+# will support only one instanace of the program, based
+# on name, running at a time.
+#
+# The default value is to not generate a pid. The default
+# path for the pid file, is /var/run.
+#
+# No Commandline equivalent
+#
+#
+RA_SET_PID="no"
+RA_PID_PATH="/var/run"
+
+
+# Argus supports the use of SASL to provide strong
+# authentication and confidentiality protection.
+#
+# When argus is compiled with SASL support, ra* clients may be
+# required to authenticate to the argus server before the argus
+# will accept the connection. This variable will allow one to
+# set the user and authorization id's, if needed. Although
+# not recommended you can provide a password through the
+# RA_AUTH_PASS variable. The format for this variable is:
+#
+# RA_USER_AUTH="user_id/authorization_id"
+#
+#RA_USER_AUTH="user/user"
+#RA_AUTH_PASS="password"
+
+# The clients can specify a part of the negotiation of the
+# security policy that argus uses. This is controlled through
+# the use of a minimum and maximum allowable protection
+# strength values. Set these variable to control this policy.
+#
+
+RA_MIN_SSF=0
+RA_MAX_SSF=128
+
+
+
+# All ra* clients can support writing its output as Argus Records into
+# a file. Stdout can be specified using "-".
+#
+#RA_OUTPUT_FILE=""
+
+
+# All ra* clients can support filtering its input based on a time
+# range. The format is:
+# timeSpecification[-timeSpecification]
+#
+# where the format of a timeSpecification can be one of these:
+# [mm/dd[/yy].]hh[:mm[:ss]]
+# mm/dd[/yy]
+#
+#RA_TIMERANGE=""
+
+
+# All ra* clients can support running for a number of seconds,
+# while attached to a remote source of argus data. This is a type
+# of polling. The default is zero (0), which means run indefinately.
+#
+RA_RUN_TIME=0
+
+
+# Most ra* clients are designed to print argus records out in ASCII,
+# with each client supporting its own output formats. For ra() like
+# clients, this variable will generate column headers as labels.
+# The number is the number of lines between repeated header output.
+# Setting this value to zero (0) will cause the labels to be printed
+# once. If you don't want labels, then comment this line out or
+# delete it.
+#
+#
+RA_PRINT_LABELS=0
+
+
+# All ra* clients are designed to provide flexibility in what data
+# is printed when configured to generate ASCII output.
+# For ra() like clients, this variable overide the default field
+# printing specification. This is the equivalent to the "-s option".
+# The below example is the default field definition.
+#
+RA_FIELD_SPECIFIER="stime flgs proto saddr sport dir daddr dport pkts bytes state"
+
+
+# Most ra* clients are designed to print argus records out in ASCII,
+# with each client supporting its own output formats. For ra() like
+# clients, this variable can overide the default field delimiter,
+# which are variable spans of space (' '), to be any character.
+# The most common are expected to be '\t' for tabs, and ',' for
+# comma separated fields.
+#
+RA_FIELD_DELIMITER=''
+
+
+# For ra() like clients, this variable will control the
+# translation of numbers to names, such as resolving hostnames,
+# and print port or protocol names. There can be a huge performance
+# impact with name lookup, so the default is to not resolve hostnames.
+#
+# Valid options are 'none' to print no names, 'proto'
+# translate the protocol names, 'port' to translate
+# port names, and 'all' to translate all fields. An
+# invalid value will default to 'port', silently.
+#
+RA_PRINT_NAMES=port
+
+
+# For ra() like clients, this variable will include the response
+# data that is provided by Argus. This is protocol and state
+# specific.
+#
+RA_PRINT_RESPONSE_DATA=no
+
+
+# For ra() like clients, this variable will force the timestamp
+# to be in Unix time format, which is an integer representing the
+# number of elapsed seconds since the epoch.
+#
+RA_PRINT_UNIX_TIME=no
+
+
+# For ra() like clients, the format that is used to print
+# timestamps, is based on the strftime() library call, with
+# an extension to print fractions of a sec "%f". The
+# default is "%T.%f". You can overide this default time
+# format by setting this variable. This string must conform
+# to the format specified in strftime(). Malformed strings can
+# generate interesting output, so be aware with this one, and
+# don't forget the '.' when doing fractions of a second.
+#
+RA_TIME_FORMAT="%T.%f"
+
+
+# The timezone used for timestamps is specified by the
+# tzset() library routines, and is normally specified by
+# factors such as the TZ environment variable found on
+# most machines. You can override the TZ environment variable
+# by specifying a time zone using this variable. The format
+# of this string must conform to the format specified by
+# tzset(3).
+#
+#RA_TZ="EST5EDT4,M3.2.0/02,M11.1.0/02"
+
+
+# For ra() like clients, this variable is used to override the
+# time format of the timestamp. This variable specifies the
+# number of decimal places that will be printed as the fractional
+# part of the time. Argus collects usec precision, and so a
+# maximum value of 6 is supported. To not print the fractional
+# part, specify the value zero (0).
+#
+RA_USEC_PRECISION=6
+
+
+# Argus can capture user data. When printing out the user data
+# contents, using tools such as raxml(), the type of encoding
+# can be specified here. Supported values are "Ascii", "Encode64",
+# or "Encode32".
+#
+#RA_USERDATA_ENCODE=Encode32
+#RA_USERDATA_ENCODE=Encode64
+RA_USERDATA_ENCODE=Ascii
+
+# If compiled to support this option, ra* clients are capable
+# of generating a lot of use [full | less | whatever] debug
+# information. The default value is zero (0).
+#
+RA_DEBUG_LEVEL=0
+
+# Ra style clients use a non-blocking method to connect to
+# remote data sources, so the user can control how long to
+# wait if a remote source doesn't respond. This variable sets
+# the number of seconds to wait. This number should be set to
+# a reasonable value (5 < value < 60). The default value is
+# 10 seconds.
+#
+#RA_CONNECT_TIME=10
+
+
+# You can provide a filter expression here, if you like.
+# It should be limited to 2K in length. The default is to
+# not filter.
+#
+#RA_FILTER=""
+
+
+# Some ra* clients have an interval based function. Ratop, as an
+# example, can refresh the screen at a fixed interval. This variable
+# can be set using the RA_UPDATE_INTERVAL variable, which is a
+# float in seconds. 0.5 seconds is the default.
+#
+#RA_UPDATE_INTERVAL=0.5
--- /dev/null
+#
+# Conditional build:
+%bcond_without sasl # build with sasl support
+#
+%define _ver_major 3.0
+%define _ver_minor 0
+%define _rc rc.40
+%define _rel 0.1
+Summary: Real time network flow monitor
+Summary(pl.UTF-8): Monitor obciążenia sieci czasu rzeczywistego
+Name: argus-clients
+Version: %{_ver_major}.%{_ver_minor}
+Release: 0.%{_rc}.%{_rel}
+License: GPL v2
+Group: Applications/Networking
+Source0: ftp://qosient.com/dev/argus-%{_ver_major}/%{name}-%{version}.%{_rc}.tar.gz
+# Source0-md5: 78ad75c148f1ee7b48d0c3029c4be7e4
+Source1: %{name}-excel.rc
+Source2: %{name}-racluster.conf
+Source3: %{name}-radium.conf
+Source4: %{name}-radium.init
+Source5: %{name}-radium.sysconfig
+Source6: %{name}-radium.logrotate
+Source7: %{name}-ranonymize.conf
+Source8: %{name}-ra.print.all.conf
+Source9: %{name}-rarc
+URL: http://www.qosient.com/argus/
+BuildRequires: bison
+%{?with_sasl:BuildRequires: cyrus-sasl-devel}
+BuildRequires: flex
+BuildRequires: rpmbuild(macros) >= 1.268
+Requires(post,preun): /sbin/chkconfig
+Requires: rc-scripts
+Provides: group(argus)
+Provides: user(argus)
+BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+Argus is a Real Time Flow Monitor designed to track and report on the
+status and performance of all network transactions seen in a data
+network traffic stream. It is similiar to Cisco NetFlow, however more
+powerful and with different data format.
+
+This package provides variuos methods to process and present the data.
+
+%description -l pl.UTF-8
+Argus jest monitorem sieci czasu rzeczywistego zaprojektowanym do
+śledzenia i raportowania stanu sieci oraz wszelkiego typu transakcji
+strumieni danych. Jest bardzo podobny do NetFlow z Cisco, jednak
+bardziej rozbudowany i posiada inny format danych.
+
+Ta paczka dostarcza różnych metod do przetwarzania i prezentowania
+danych.
+
+%prep
+%setup -q -n %{name}-%{version}.%{_rc}
+
+%build
+%configure \
+ --with%{!?with_sasl:out}-sasl
+%{__make}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/%{name}
+install -d $RPM_BUILD_ROOT/etc/{logrotate.d,rc.d/init.d,sysconfig}
+install -d $RPM_BUILD_ROOT%{_var}/log/%{name}
+
+install %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/excel.rc
+install %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/racluster.conf
+install %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/radium.conf
+install %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/randomize.conf
+install %{SOURCE8} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/ra.print.all.conf
+install %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/rarc
+
+install %{SOURCE4} $RPM_BUILD_ROOT/etc/rc.d/init.d/radium
+install %{SOURCE5} $RPM_BUILD_ROOT/etc/sysconfig/radium
+install %{SOURCE6} $RPM_BUILD_ROOT/etc/logrotate.d/radium
+
+touch $RPM_BUILD_ROOT%{_var}/log/%{name}/radium.log
+
+%{__make} install \
+ DESTDIR=$RPM_BUILD_ROOT
+
+# same file is in argus.spec
+mv $RPM_BUILD_ROOT%{_bindir}/argusbug $RPM_BUILD_ROOT%{_bindir}/argusbug-clients
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+%groupadd -g 214 argus
+%useradd -u 214 -d /usr/share/empty -s /bin/sh -g argus -c "argus daemon" argus
+
+%post
+/sbin/chkconfig --add radium
+%service radium restart
+
+%preun
+if [ "$1" = "0" ]; then
+ %service -q radium stop
+ /sbin/chkconfig --del radium
+fi
+
+%files
+%defattr(644,root,root,755)
+%doc CREDITS ChangeLog README doc/{CHANGES,FAQ,HOW-TO}
+%attr(755,root,root) %{_bindir}/argusbug-clients
+%attr(755,root,root) %{_bindir}/ra
+%attr(755,root,root) %{_bindir}/rabins
+%attr(755,root,root) %{_bindir}/racluster
+%attr(755,root,root) %{_bindir}/racount
+%attr(755,root,root) %{_bindir}/ragraph
+%attr(755,root,root) %{_bindir}/ragrep
+%attr(755,root,root) %{_bindir}/rahisto
+%attr(755,root,root) %{_bindir}/ranonymize
+%attr(755,root,root) %{_bindir}/rapath
+%attr(755,root,root) %{_bindir}/rapolicy
+%attr(755,root,root) %{_bindir}/rasort
+%attr(755,root,root) %{_bindir}/rasplit
+%attr(755,root,root) %{_bindir}/rastrip
+%attr(755,root,root) %{_bindir}/ratemplate
+%attr(755,root,root) %{_bindir}/ratop
+%attr(755,root,root) %{_sbindir}/radium
+%attr(754,root,root) /etc/rc.d/init.d/radium
+%dir %{_sysconfdir}/%{name}
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/excel.rc
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/racluster.conf
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/radium.conf
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/randomize.conf
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/ra.print.all.conf
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/rarc
+%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/radium
+%config(noreplace) %verify(not md5 mtime size) /etc/logrotate.d/radium
+%{_mandir}/man1/ra.1.gz
+%{_mandir}/man1/rabins.1.gz
+%{_mandir}/man1/racluster.1.gz
+%{_mandir}/man1/racount.1.gz
+%{_mandir}/man1/ragraph.1.gz
+%{_mandir}/man1/ragrep.1.gz
+%{_mandir}/man1/rahisto.1.gz
+%{_mandir}/man1/rasort.1.gz
+%{_mandir}/man1/rasplit.1.gz
+%{_mandir}/man1/rastrip.1.gz
+%{_mandir}/man5/racluster.5.gz
+%{_mandir}/man5/radium.conf.5.gz
+%{_mandir}/man5/rarc.5.gz
+%{_mandir}/man8/radium.8.gz
+%attr(770,root,argus) %dir %{_var}/log/%{name}
+%attr(660,root,argus) %ghost %{_var}/log/%{name}/radium.log
projects / packages / argus-clients.git / commitdiff