Hi Georgios,

You can make the mapping specific to a plugin no problem, ie.:

plugins: print[inbound], print[outbound]
!
pre_tag_map[inbound]: /path/to/pretag-inbound.map
!
[.. ]
!
pre_tag_map[outbound]: /path/to/pretag-outbound.map
!
[ .. ]
!

Paolo

On Mon, Nov 13, 2017 at 10:49:59AM +0100, Georgios Kaklamanos wrote:
> Hi Paolo,
>
> Glad I could help.
>
> Just a note though. To my understanding, if this mapping is global, then
> a packet with source IP in the first range, and destination IP in the
> second, will only get the first label, after the first rule matches.
>
> So if one does aggregates based on dst_host / src_host, and also uses
> the label, then there should be two different mapping files, one for
> inbound and one for outbound, with mappings only for destination /
> source IP accordingly.
>
> Any thoughts on this?
>
> Best,
> George
>
> On 11/11/2017 01:48 PM, Paolo Lucente wrote:
> >
> > Hi Georgios,
> >
> > Very cool, thanks for sharing this. I think there is also good material
> > for me for extra documentation here.
> >
> > Paolo
> >
> > On Fri, Nov 10, 2017 at 06:40:56PM +0100, Georgios Kaklamanos wrote:
> >> Hi,
> >>
> >> Ok, it was an error from my part.
> >>
> >> The filter syntax expects to specify the addresses in hex format and
> >> compare it with the specific octets of the IP packet that define the
> >> source IP and the destination IP.
> >>
> >> So for the previous example where I want to have:
> >>
> >> labelA: 192.168.0.1 - 192.168.0.100
> >> labelB: 192.168.0.101 - 192.168.0.200
> >>
> >> The relevant entries in the pre_tag_map are:
> >>
> >> set_label=LabelA filter='((ip[12:4] >= 0xC0A80001) and (ip[12:4] <= 0xC0A80064)) or ((ip[16:4] >= 0xC0A80001) and (ip[16:4] <= 0xC0A80064))'
> >>
> >> set_label=LabelB filter='((ip[12:4] >= 0xC0A80065) and (ip[12:4] <= 0xC0A800C8)) or ((ip[16:4] >= 0xC0A80065) and (ip[16:4] <= 0xC0A800C8))'
> >>
> >> where the:
> >> - ip[12:4] is the source ip
> >> - ip[16:4] is the dest ip
> >>
> >> So far it seems to be working, so I'm just putting here for future
> >> reference. ;-)
> >>
> >> Best,
> >> Georgios
> >>
> >> Ref: https://isc.sans.edu/diary/IP+Address+Range+Search+with+libpcap/6667
> >>
> >> On 11/10/2017 05:16 PM, Georgios Kaklamanos wrote:
> >>> Dear Paolo,
> >>>
> >>> Thanks for the fast reply.
> >>>
> >>> My main issue is that some of the ranges we have, do not fit into subnets.
> >>>
> >>> For example:
> >>>
> >>> labelA: 192.168.0.1 - 192.168.0.100
> >>> labelB: 192.168.0.101 - 192.168.0.200
> >>>
> >>> That is why I was trying to play around with the less than / greater
> >>> than operators, combined with "and".
> >>>
> >>> Would something like that be possible too?
> >>>
> >>> Best,
> >>> Georgios
> >>>
> >>>
> >>> On 11/10/2017 04:57 PM, Paolo Lucente wrote:
> >>>>
> >>>> Hi Georgios,
> >>>>
> >>>> The 'filter' keyword in pre_tag_map accepts a libpcap/tcpdump filter
> >>>> syntax - what you would find working as a filter in tcpdump, should work
> >>>> here too. To express IP ranges, you should use IP subnets, for example:
> >>>>
> >>>> set_label=labelA filter='net 192.168.0.0/17'
> >>>> set_label=labelB filter='net 192.168.128.0/17'
> >>>>
> >>>> Paolo
> >>>>
> >>>> On Fri, Nov 10, 2017 at 01:55:18PM +0100, Georgios Kaklamanos wrote:
> >>>>> Hello,
> >>>>>
> >>>>> On nfacctd, I'm trying to apply labels on IP ranges, that can't always
> >>>>> be defined by subnets.
> >>>>>
> >>>>> For example I want:
> >>>>> - IPs from 192.168.0.1 to 192.168.127.254, to get "labelA"
> >>>>> - IPs from 192.168.128.1 to 192.168.255.254, to get "labelA"
> >>>>>
> >>>>>
> >>>>> At the Pre-Tagging map example, it says that the filter key, expects the
> >>>>> expression on libpcap syntax.
> >>>>>
> >>>>> So I tried the following:
> >>>>>
> >>>>> set_label=labelA filter='(ip >= 192.168.0.1) and (ip <= 192.168.127.254)'
> >>>>> set_label=labelB filter='(ip >= 192.168.128.1) and (ip <= 192.168.255.254)'
> >>>>>
> >>>>> And it didn't work, and neither did the following, where I'm using the
> >>>>> int / hex representation of the IP.
> >>>>>
> >>>>> set_label=labelA filter='(ip >= 3232235521) and (ip <= 3232268286)'
> >>>>> set_label=labelB filter='(ip >= 3232268289) and (ip <= 3232301054)'
> >>>>>
> >>>>> set_label=labelA filter='(ip >= 0xC0A80001) and (ip <= 0xC0A87FFE)'
> >>>>> set_label=labelB filter='(ip >= 0xC0A88001) and (ip <= 0xC0A8FFFE)'
> >>>>>
> >>>>> I'm always getting "malformed filter: syntax error"
> >>>>>
> >>>>> So any suggestions on how to solve this?
> >>>>>
> >>>>> Is it really a syntax error, or the range cannot be defined this way?
> >>>>>
> >>>>> Thank you for your time.
> >>>>>
> >>>>> Best Regards,
> >>>>> Georgios Kaklamanos
> >>>>>
> >>>>>
> >>>>> --
> >>>>> ------------------------------------------------------------------
> >>>>> Georgios Kaklamanos
> >>>>> Research Assistant, e-Science Group, GWDG
> >>>>> mailto: [email protected]
> >>>>> Phone: 0551 201-26803
> >>>>> ------------------------------------------------------------------
> >>>>> GWDG - Gesellschaft für wissenschaftliche
> >>>>> Datenverarbeitung mbH Göttingen
> >>>>> Am Faßberg 11, 37077 Göttingen, Germany
> >>>>>
> >>>>> WWW: www.gwdg.de mailto: [email protected]
> >>>>> Phone: +49 (0) 551 201-1510
> >>>>> Fax: +49 (0) 551 201-2150
> >>>>> ------------------------------------------------------------------
> >>>>> Managing Director: Prof. Dr. Ramin Yahyapour
> >>>>> Chairman of the Supervisory Board: Prof. Dr. Christian Griesinger
> >>>>> Registered office: Göttingen
> >>>>> Court of registration: Göttingen
> >>>>> Commercial register no. B 598
> >>>>> ------------------------------------------------------------------
> >>>>> Certified according to ISO 9001
> >>>>> ------------------------------------------------------------------
> >>>>>
> >>>>> _______________________________________________
> >>>>> pmacct-discussion mailing list
> >>>>> http://www.pmacct.net/#mailinglists
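
The range-to-filter conversion and the first-match concern discussed in this thread, as an added example that is not part of the original messages and is not pmacct code. The function names are hypothetical, the sample ranges are the ones quoted above, and first_match() is only a model of the "first rule matches" behaviour described in the thread; the ip[12:4] / ip[16:4] offsets apply to IPv4 only.

```python
import ipaddress

# Constructed sample ranges, taken from the labels discussed in the thread.
RANGES = [("LabelA", "192.168.0.1", "192.168.0.100"),
          ("LabelB", "192.168.0.101", "192.168.0.200")]

# Byte offsets of the address fields in the IPv4 header, as used in the thread.
OFFSETS = {"src": 12, "dst": 16}

def range_clause(offset, first, last):
    """libpcap expression matching a 4-byte header field against [first, last]."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"empty range {first}-{last}")
    return f"((ip[{offset}:4] >= 0x{lo:08X}) and (ip[{offset}:4] <= 0x{hi:08X}))"

def map_lines(ranges, fields=("src", "dst")):
    """One pre_tag_map line per label, matching only the given address fields."""
    out = []
    for label, first, last in ranges:
        expr = " or ".join(range_clause(OFFSETS[f], first, last) for f in fields)
        out.append(f"set_label={label} filter='{expr}'")
    return out

def first_match(ranges, fields, src, dst):
    """Model (assumption, not pmacct code) of first-match tagging:
    return the label of the first entry whose range contains a checked field."""
    addr = {"src": int(ipaddress.IPv4Address(src)),
            "dst": int(ipaddress.IPv4Address(dst))}
    for label, first, last in ranges:
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if any(lo <= addr[f] <= hi for f in fields):
            return label
    return None

def cidr_cover(first, last):
    """Subnets needed to express the same range with 'net' filters instead."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]

if __name__ == "__main__":
    print("\n".join(map_lines(RANGES)))            # global map: src or dst
    print("\n".join(map_lines(RANGES, ("dst",))))  # destination-only map
    print("\n".join(map_lines(RANGES, ("src",))))  # source-only map
    # Source in the first range, destination in the second:
    print(first_match(RANGES, ("src", "dst"), "192.168.0.50", "192.168.0.150"))
    print(first_match(RANGES, ("dst",), "192.168.0.50", "192.168.0.150"))
    print(cidr_cover("192.168.0.1", "192.168.0.100"))
```

With the global map the sample flow is tagged by its source range only, while the destination-only map tags it by its destination range, which is the reason for keeping separate per-plugin map files.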
