SiLK

NAME

ipafilter - SiLK plug-in for flow filtering based on IPA data

SYNOPSIS

  rwfilter [--ipa-src-expr IPA_EXPR] [--ipa-dst-expr IPA_EXPR]
        [--ipa-any-expr IPA_EXPR] ...

DESCRIPTION

The ipafilter plug-in provides switches to rwfilter(1) that can partition flows using data in an IPA database. rwfilter will automatically load the ipafilter plug-in when it is available.

OPTIONS

The ipafilter plug-in provides the following options to rwfilter.

--ipa-src-expr=IPA_EXPR

Use IPA_EXPR to filter flows based on the source IP of the flow matching the IPA_EXPR expression.

--ipa-dst-expr=IPA_EXPR

Use IPA_EXPR to filter flows based on the destination IP of the flow matching the IPA_EXPR expression.

--ipa-any-expr=IPA_EXPR

Use IPA_EXPR to filter flows based on either the source or destination IP of the flow matching the IPA_EXPR expression.

IPA EXPRESSIONS

The syntax for IPA filter expressions is documented in ipaquery(1). Some simple examples are shown in the EXAMPLES section below.

EXAMPLES

In the following examples, the dollar sign ($) represents the shell prompt. The text after the dollar sign represents the command line. Lines have been wrapped for improved readability, and the back slash (\) is used to indicate a wrapped line.

To pull flows from or to any IP address in the "watch" catalog:

 $ rwfilter --start-date 2010/01/01:00                  \
        --ipa-any-expr "in watch at 2010/01/01"         \
        --pass watchflows.rw

To pull flows from any IP labeled "bad" in the last year:

 $ rwfilter --start-date 2010/01/01:00                  \
        --ipa-src-expr "label bad after 2009/01/01"     \
        --pass badguys.rw

ENVIRONMENT

SILK_PATH

This environment variable gives the root of the install tree. When searching for configuration files and plug-ins, rwfilter may use this environment variable. See the "FILES" section for details.

SILK_PLUGIN_DEBUG

When set to 1, rwfilter prints status messages to the standard error as it attempts to find and open the ipafilter.so plug-in. A typical invocation using this variable is

 env SILK_PLUGIN_DEBUG=1 rwfilter --plugin=ipafilter.so --version

FILES

$SILK_PATH/share/silk/silk-ipa.conf

$SILK_PATH/share/silk-ipa.conf

/usr/share/silk/silk-ipa.conf

/usr/share/silk-ipa.conf

Possible locations for the IPA configuration file. This file contains the URI for connecting to the IPA database. If the configuration file does not exist, attempts to use the ipafilter plug-in will exit with an error. The format of this URI is driver://user:pass-word@hostname/database. For example:

 postgresql://ipauser:secret@database-server.domain.com/ipa

${SILK_PATH}/lib64/silk/ipafilter.so

${SILK_PATH}/lib64/ipafilter.so

${SILK_PATH}/lib/silk/ipafilter.so

${SILK_PATH}/lib/ipafilter.so

/usr/lib64/silk/ipafilter.so

/usr/lib64/ipafilter.so

/usr/lib/silk/ipafilter.so

/usr/lib/ipafilter.so

Possible locations for the plug-in.

SEE ALSO

rwfilter(1), rwipaimport(1), rwipaexport(1), silk(7), ipaquery(1), ipaimport(1), ipaexport(1)