Argus + Tomcat + Mysql + Java

1. Install Open-JDK

  • yum install java-1.*.*-openjdk

2. Download Tomcat

  • Go to the “http://tomcat.apache.org” page, click the Tomcat version you want and copy the download link.
  • In the command line, run something like “wget http://apache.tt.co.kr/tomcat/tomcat-7/v7.0.47/bin/apache-tomcat-7.0.47.zip”.
  • Unzip that file: “unzip apache-tomcat-*.zip”.
  • Go into the “apache-tomcat-*.*.*/webapps/ROOT” directory and delete all the files in there.
  • Copy your web content into that directory.
  • Go to the “apache-tomcat-*.*.*/bin” directory and run “./startup.sh” [PS. chmod 755 the *.sh files if they aren’t executable].
  • Tomcat then starts. If you want to see Tomcat's logs on the console, edit the <startup.sh> file and change “exec "$PRGDIR"/"$EXECUTABLE" start "$@"” to “exec "$PRGDIR"/"$EXECUTABLE" run "$@"”.
  • Open a web browser and go to “127.0.0.1:8080” to check whether Tomcat is working.

3. Argus

  • Preparation:

Get into mysql:

mysql -u root -p
Enter password:

Create database:

create database argusData;

Create a new User:

grant all on argusData.* to argusUser@localhost identified by 'argusPassword';
GRANT ALL PRIVILEGES ON argusData.* TO 'argusUser'@'%' IDENTIFIED BY 'argusPassword';
flush privileges;

[PS. The second GRANT allows the account from any host ('%'); keep IDENTIFIED BY on it as well, because older MySQL versions otherwise create that account without a password.]
  • Run argus on the packet-capturing (sending) side:
    • As root or a user with root privileges, run “argus -P 3434 -m” in the command line and wait for clients to connect.
  • Run the argus client:
    • Run “rasqlinsert -M cache -m none -S 127.0.0.1:3434 -w mysql://argusUser:argusPassword@127.0.0.1/argusData/argusTable -s +loss”. With “-m none” no primary key is created, and with “-s +loss” a packet-loss column is added to the DB. [PS. Use “127.0.0.1” instead of “localhost”, since Tomcat may run with IPv4 only.]
  • The argus client then receives the data from the server side and stores it in the DB continuously.
  • Check the data in the argusData DB:
    • select stime,flgs,proto,saddr,sport,dir,daddr,dport,pkts,bytes,state,loss,length(record) as len from argusTable;
  • Another way to run the argus server and argus client:

We can also run radium between the argus servers and the argus clients, so that radium collects all the data from the servers and provides it to the clients.

Argus Server:
./argus -P 3434 -m

[PS. Here the -m option means “Provide MAC address information in argus records”.]

[Running “ratop -S 127.0.0.1:3434” checks whether it works fine on the server.]

Argus Radium:
./radium -S 127.0.0.1:3434 -S 192.168.0.89:3434 -P 4545

Argus Client:
./rasqlinsert -M cache -m none -S 127.0.0.1:4545 -w mysql://argusUser:argusPassword@127.0.0.1/argusData/argusTable

    • Details of the argus client
      • rasqlinsert “-m” option
        • ./rasqlinsert -M cache -m proto saddr sport daddr dport -S localhost:3434 -w mysql://argusUser:argusPassword@localhost/argusData/argusTable8
        • ./rasqlinsert -m none -S localhost:3434 -w mysql://argusUser:argusPassword@localhost/argusData/argusTable9
        • The difference between the tables “argusTable8” and “argusTable9” looks like this:

mysql> desc argusTable8;
+--------+-----------------------+------+-----+---------+-------+
| Field  | Type                  | Null | Key | Default | Extra |
+--------+-----------------------+------+-----+---------+-------+
| stime  | double(18,6) unsigned | NO   |     | NULL    |       |
| flgs   | varchar(32)           | YES  |     | NULL    |       |
| proto  | varchar(16)           | NO   | PRI | NULL    |       |
| saddr  | varchar(64)           | NO   | PRI | NULL    |       |
| sport  | varchar(10)           | NO   | PRI | NULL    |       |
| dir    | varchar(3)            | YES  |     | NULL    |       |
| daddr  | varchar(64)           | NO   | PRI | NULL    |       |
| dport  | varchar(10)           | NO   | PRI | NULL    |       |
| pkts   | bigint(20)            | YES  |     | NULL    |       |
| bytes  | bigint(20)            | YES  |     | NULL    |       |
| state  | varchar(32)           | YES  |     | NULL    |       |
| record | blob                  | YES  |     | NULL    |       |
+--------+-----------------------+------+-----+---------+-------+
12 rows in set (0.00 sec)

mysql> desc argusTable9;
+--------+-----------------------+------+-----+---------+-------+
| Field  | Type                  | Null | Key | Default | Extra |
+--------+-----------------------+------+-----+---------+-------+
| stime  | double(18,6) unsigned | NO   |     | NULL    |       |
| flgs   | varchar(32)           | YES  |     | NULL    |       |
| proto  | varchar(16)           | NO   |     | NULL    |       |
| saddr  | varchar(64)           | NO   |     | NULL    |       |
| sport  | varchar(10)           | NO   |     | NULL    |       |
| dir    | varchar(3)            | YES  |     | NULL    |       |
| daddr  | varchar(64)           | NO   |     | NULL    |       |
| dport  | varchar(10)           | NO   |     | NULL    |       |
| pkts   | bigint(20)            | YES  |     | NULL    |       |
| bytes  | bigint(20)            | YES  |     | NULL    |       |
| state  | varchar(32)           | YES  |     | NULL    |       |
| record | blob                  | YES  |     | NULL    |       |
+--------+-----------------------+------+-----+---------+-------+
12 rows in set (0.00 sec)

argusTable8 uses the fields given with the “-m” option as its primary key; with “-m none”, as in argusTable9, there is no primary key.

    • “-r” reads data from the specified URL, “-w” writes to the given file or URL, “-M sql=...” specifies an SQL WHERE clause.
      • ./rasql -r mysql://argusUser:argusPassword@localhost/argusData/argusTable -M sql="saddr='203.241.147.42' or daddr='192.168.0.65'"
      • rasql -r mysql://argusUser:argusPassword@localhost/argusData/argusTable -w <writeFileName> -> reads the DB and writes it to the file, e.g. fileName = lalala.argus
    • “-t” specifies a time range for selecting data: it selects the records between the “-xxx” and “+xxx” time offsets.
      • ./rasql -r mysql://argusUser:argusPassword@localhost/argusData/argusTable -t -2d11h48m+5m
      • This example shows the 5 minutes of records starting from yesterday 11:48.
    • ./ratimerange -r lalala.argus [PS. “lalala.argus” represents an argus data file]
      • Prints the time range of that argus data.
    • ./rarpwatch -r mamama.argus
      • IPv4 and IPv6 arpwatch.
    • ./racluster -M rmon -m saddr daddr -r <argus-fileName> -s saddr daddr proto spkts dpkts sbytes dbytes
      • racluster clusters the records from the argus file by the “-m <key option>” fields and shows the result with the “-s <field option>” fields.
    • ./rasqlinsert -M cache -m none -S localhost:3434 -w mysql://argusUser:argusPassword@localhost/argusData/argusTable5 -s +ltime +seq +dur +mean +stddev +smac +dmac
      • Use the “-s” option to specify additional fields for the argus data.
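As an added example (not code from this page or from the Argus project), the Python script below models on plain data what the two rasqlinsert “-m” modes and the racluster call above do to records shaped like the page's SELECT output: with “-m none” every record becomes its own row, with “-m proto saddr sport daddr dport” a later record for the same key replaces the earlier one (that replace-on-key behaviour is my modelling assumption), and clustering by saddr/daddr sums the counters. The flow records are constructed, not captured traffic.

```python
"""Model of rasqlinsert -m none / -m <keys> and racluster -m saddr daddr.
Added example, not Argus code; RAW below is constructed sample data."""
from collections import OrderedDict

# Column order of the page's SELECT, with the +loss column from "-s +loss".
COLS = ("stime", "flgs", "proto", "saddr", "sport", "dir", "daddr", "dport",
        "pkts", "bytes", "state", "loss")
RAW = [  # constructed flow records; the first two describe the same 5-tuple
    (1385000000.0, " e ", "tcp", "192.168.0.65", "52310", "->", "203.241.147.42", "80", 12, 4400, "CON", 0),
    (1385000005.0, " e ", "tcp", "192.168.0.65", "52310", "->", "203.241.147.42", "80", 20, 9100, "FIN", 2),
    (1385000007.0, " e ", "udp", "192.168.0.65", "5353", "->", "224.0.0.251", "5353", 3, 300, "INT", 0),
    (1385000009.0, " e ", "tcp", "192.168.0.89", "41000", "->", "203.241.147.42", "443", 7, 2100, "CON", 1),
]
RECORDS = [dict(zip(COLS, r)) for r in RAW]


def insert(records, keys):
    """'-m none' (empty keys): every record is appended as its own row.
    '-m <keys>': the key fields act as primary key, so a later record with
    the same key replaces the earlier row (modelling assumption)."""
    if not keys:
        return list(records)
    table = OrderedDict()
    for rec in records:
        table[tuple(rec[k] for k in keys)] = rec
    return list(table.values())


def cluster(records, keys, fields=("pkts", "bytes", "loss")):
    """racluster -m <keys> -s <fields>: merge records that share the key
    fields and sum their counters, keeping first-seen order."""
    out = OrderedDict()
    for rec in records:
        key = tuple(rec[k] for k in keys)
        agg = out.setdefault(key, dict(zip(keys, key), **{f: 0 for f in fields}))
        for f in fields:
            agg[f] += rec[f]
    return list(out.values())


def lossy_flows(records):
    """Rows whose +loss column is non-zero, i.e. flows that saw packet loss."""
    return [r for r in records if r["loss"] > 0]


if __name__ == "__main__":
    print(len(insert(RECORDS, ())), "rows with -m none")
    print(len(insert(RECORDS, ("proto", "saddr", "sport", "daddr", "dport"))), "rows with 5-tuple key")
    for row in cluster(RECORDS, ("saddr", "daddr")):
        print(row)
```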