Sophie

argus-clients-2.0.6.fixes.1-5mdv2009.0.i586.rpm

# 
#  Argus Client Software.  Tools to read, analyze and manage Argus data.
#  Copyright (c) 2000-2003 QoSient, LLC
#  All rights reserved.
# 
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
# 
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
# 
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
# 
#
# Ragator Aggregation Policy Configuration
#
# Carter Bullard
# QoSient, LLC
#
#
#   This configuration is a ragator(1) flow model configuration file.
#
#   The concept is that one identifies specific Argus Flow Activity
#   Records through specification of an ArgusFlow matching statement.
#   The matching statement references a flow model that is used to
#   modify the flow description of each transaction.   Records are
#   aggregated based on matches of the modified flow description.
#   In each statement is a TimeOut period, which is how long ragator()
#   will hold the aggregated record before reporting it.
#
#   If a record doesn't match any statement in the configuration,
#   then it is aggregated based on its unmodified flow descriptor.
#
#   An ArgusFlow matching statement specifies values for the fields
#   src and dst IP address, the protocol, and for TCP and UDP, the
#   src and dst port numbers.
#
#   '*' denotes 'any' value.
#
#   Proto field can be any valid IP protocol number, or the keywords,
#   found in the /etc/protocols file.  For systems that do not support
#   /etc/protocols, ragator() understands 'tcp', 'udp', 'icmp',
#   and 'igmp' tokens on its own.
#
#   Port values can be any valid key word in the /etc/services file,
#   or, of course, numbers.
#
#   When the protocol is 'icmp', the values after the Proto field
#   are valid ICMP type and code values.  Valid icmp types are:
#        echo
#        unreach
#        srcquench
#        redirect
#        timexed
#        timestamp
#        info
#        address
#
#   Numbers can be specified in decimal or as hex with the 0x prefix.
#
#   Here is a valid and simple configuration:
#
#      Argus records are matched in falling order, so you will test Argus
#      records against the flow descriptors in descending order.  In our
#      example that will be flow 100 then 101. Flow Id numbers are used
#      only to report syntax errors in the configuration, so don't worry
#      about these numbers.
#
#      All Model Id numbers must be unique, and references to Model Id
#      numbers must be valid for this configuration.
#
#      This configuration is designed simply to specify a timeout value for
#      flows.  Flow 100 matches all transactions, and indicates that ragator
#      should use FlowModel 200 to aggregate the matching records.  The
#      aggregate will be held for 60 seconds and then reported.
#
#
#RAGATOR_MODEL_NAME=Test Configuration
#RAGATOR_PRESERVE_FIELDS=yes
#RAGATOR_REPORT_AGGREGATION=yes
#RAGATOR_AUTO_CORRECTION=no

#
# 
#     id          SrcCIDRAddr  DstCIDRAddr  Proto  SPort  DPort  Model  Dur  Idle
Flow  100  ip     *            *            *      *      *      200    60   0

# TCP and UDP Flow Model Definitions
# label  id       SrcAddrMask      DstAddrMask      Proto  SPort  DPort

Model    200  ip  255.255.255.255  255.255.255.255  yes    yes    yes
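
The matching and aggregation steps described in the comments above, as an added Python sketch that is not part of the argus-clients package. The policy lines and flow records are constructed, and the sketch assumes that Model masks are ANDed with the addresses and that a `no` in a Model column drops that field from the aggregation key; timeouts, service names and hex numbers are not modelled.

```python
import ipaddress
from collections import defaultdict

FIELDS = ("src", "dst", "proto", "sport", "dport")

# Constructed policy in the Flow/Model column layout shown above (hypothetical values).
CONF = """
Flow  100 ip  10.0.0.0/8     *                tcp  *   80   200  60  0
Model 200 ip  255.255.255.0  255.255.255.255  yes  no  yes
"""

# Constructed flow records: (src, dst, proto, sport, dport, bytes).
RECORDS = [
    ("10.1.1.5", "192.0.2.10", "tcp", 40001, 80, 1200),
    ("10.1.1.9", "192.0.2.10", "tcp", 40002, 80, 800),
    ("10.1.2.7", "192.0.2.10", "tcp", 40003, 80, 500),
    ("172.16.0.3", "192.0.2.10", "udp", 5353, 53, 100),
]

def parse(conf):
    flows, models = [], {}
    for line in conf.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "Flow":     # id, type, five match fields, model id, dur, idle
            flows.append(dict(zip(FIELDS, f[3:8]), model=f[8]))
        elif f[0] == "Model":  # id, type, two masks, three yes/no switches
            models[f[1]] = f[3:8]
    return flows, models

def field_ok(name, pattern, value):
    if pattern == "*":         # '*' denotes any value
        return True
    if name in ("src", "dst"):
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return pattern == str(value)

def mask(addr, m):
    ip = ipaddress.ip_address
    return str(ip(int(ip(addr)) & int(ip(m))))

def aggregate(records, conf=CONF):
    flows, models = parse(conf)
    totals = defaultdict(int)
    for r in records:
        key = r[:5]            # no match: aggregate on the unmodified descriptor
        for fl in flows:       # statements are tested top-down; first match wins
            if all(field_ok(n, fl[n], v) for n, v in zip(FIELDS, r)):
                sm, dm, *keep = models[fl["model"]]
                key = (mask(r[0], sm), mask(r[1], dm)) + tuple(
                    v if k == "yes" else "*" for k, v in zip(keep, r[2:5]))
                break
        totals[key] += r[5]
    return dict(totals)
```
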