Manual Reference Pages - DLEX (8)

NAME

dlex - the shoki doctrine lexer

Synopsis
Description
Options
Files
Authors
Bugs
See Also

SYNOPSIS

dlex [-b dbname] [-c max_count] [-C conf_file] [-D chrdir] [-E stop] [-f] [-h] [-l linktype] [-L logfname] [-o] [-p sample] [-P pidfile] [-R] [-s snaplen] [-S start] [-t] [-U luser] [-v verbosity]

DESCRIPTION

dlex is a daemon which monitors the doctrine_filters table in the shoki database and runs any filters it finds against the relevant raw dumpfiles. The filter processing logic is identical to the lexer(1) widget, and the arguments dlex accepts are mostly equivalent to those that accepted by lexer(1).
The doctrine_filters table is populated by the ooda(8) widget, and dlex cleans up after itself. As a result, dlex should require comparatively little administrator intervention. For more information about the inner workings of dlex and ooda(8) consult the ooda(7) manpage.

OPTIONS

-b dbname Logs packets to Postgres database dbname. For more information, consult the README.database file in the doc directory of the shoki distribution.

-c max_count
Only read max_count packets.

-C conf_file
Read an alternate config file. By default, /usr/local/shoki/etc/lexer.conf will be used.

-d If specified, dlex will run in the foreground and not fork.

-D chrdir If specified, will do a chroot(2) to chrdir

-E start Only look at packets with timestamps on or before start. A value of seconds after the start of the epoch is assumed.
See also -S .

-f Attempt fragment reassembly.
Consult the README and/or the source for more information about how frag reassembly works.

-h Display a usage message and exit.

-l linktype
The (numeric) linktype to use when compiling BPF filters. Defaults to 1 (DLT_EN10MB).

-L logfile
For filter methods that support logging to a file, output will be sent to logfile. Use `-' (without the quotes) for stdout.

-o Turn off filter rule optimisation. Unless you have very few filter rules you almost certainly want to use optimisation.

-p sample Percentage of packets to use for random sampling.

-P pidfile
Writes PID of the dlex process to pidfile, which cannot be an existing file.

-R Don’t use /dev/urandom to seed srand(3) for random sampling. If you use this option, every set of `random' samples will be the same for any given dump. This is useful primarily for testing and debugging.

-s snaplen
Sets the default snaplen. If not specified, 65535 is assumed.
Individual filter rules can specify a different snaplenfor packets matching that filter.

-S start Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed.
See also -E .

-t shoki_type
Set the sensor type. This is just a convienience used for grouping sensor output. The scripts included with shoki (i.e., the collector, importer, and reporter scripts) by default want to group sensors into categories like `internal', `external' and `dmz'.

-U luser If specified, setuid/setgid to specified luser.

-v verbosity
Set the verbosity level to verbosity. Exactly what this entails tends to vary from release to release. In general, you won’t want to specify a verbosity level unless you're doing debugging.

FILES

/usr/local/shoki/etc/dlex.conf dlex config file.

AUTHORS

.An Stephen P. Berry <spb@meshuggeneh.net>
More information can be found at the shoki homepage:

BUGS

Check the README at the top of the source tree.

Manual Reference Pages - DLEX (8)

NAME

CONTENTS

SYNOPSIS

DESCRIPTION

OPTIONS

FILES

AUTHORS

BUGS

SEE ALSO

-b dbname	Logs packets to Postgres database dbname. For more information, consult the README.database file in the doc directory of the shoki distribution.
-c max_count
	Only read max_count packets.
-C conf_file
	Read an alternate config file. By default, `/usr/local/shoki/etc/lexer.conf` will be used.
-d	If specified, dlex will run in the foreground and not fork.
-D chrdir	If specified, will do a chroot(2) to chrdir
-E start	Only look at packets with timestamps on or before start. A value of seconds after the start of the epoch is assumed. See also -S .
-f	Attempt fragment reassembly. Consult the README and/or the source for more information about how frag reassembly works.
-h	Display a usage message and exit.
-l linktype
	The (numeric) linktype to use when compiling BPF filters. Defaults to 1 (DLT_EN10MB).
-L logfile
	For filter methods that support logging to a file, output will be sent to logfile. Use `-' (without the quotes) for stdout.
-o	Turn off filter rule optimisation. Unless you have very few filter rules you almost certainly want to use optimisation.
-p sample	Percentage of packets to use for random sampling.
-P pidfile
	Writes PID of the dlex process to pidfile, which cannot be an existing file.
-R	Don’t use `/dev/urandom to seed` srand(3) for random sampling. If you use this option, every set of `random' samples will be the same for any given dump. This is useful primarily for testing and debugging.
-s snaplen
	Sets the default snaplen. If not specified, 65535 is assumed. Individual filter rules can specify a different snaplenfor packets matching that filter.
-S start	Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed. See also -E .
-t shoki_type
	Set the sensor type. This is just a convienience used for grouping sensor output. The scripts included with shoki (i.e., the collector, importer, and reporter scripts) by default want to group sensors into categories like `internal', `external' and `dmz'.
-U luser	If specified, setuid/setgid to specified luser.
-v verbosity
	Set the verbosity level to verbosity. Exactly what this entails tends to vary from release to release. In general, you won’t want to specify a verbosity level unless you're doing debugging.