Inserting AS Number and Label To DB

CS Lee geek00l at gmail.com
Sun Sep 13 11:21:23 EDT 2009 

hi Carter,

>From my previous example, ralabel is working alright as you can see it shows
the right sas and das -

           SrcAddr            DstAddr   sAS   dAS
     114.47.198.87      192.168.1.153  3462
    218.175.209.38      192.168.1.153  3462
     202.76.223.75      192.168.1.153  2516
   218.173.107.206      192.168.1.153  3462
     192.168.1.153       75.30.77.120        7132
     192.168.1.153        58.3.27.159        7679

The only problem is when inserting into DB with rasqlinsert, it is incorrect
and it has 0-255, that looks to be the problem with the sas/das variable
type -

echo 'desc ralabel' | mysql -u root argusdb
Field    Type    Null    Key    Default    Extra
stime    double(18,6) unsigned    NO        NULL
flgs    varchar(32)    YES        NULL
proto    varchar(16)    NO        NULL
saddr    varchar(64)    NO        NULL
sport    varchar(10)    NO        NULL
dir    varchar(3)    YES        NULL
daddr    varchar(64)    NO        NULL
dport    varchar(10)    NO        NULL
pkts    bigint(20)    YES        NULL
bytes    bigint(20)    YES        NULL
state    varchar(32)    YES        NULL
*sas    tinyint(3) unsigned    YES        NULL
das    tinyint(3) unsigned    YES        NULL    *
label    varchar(4098)    YES        NULL
record    blob    YES        NULL

Since it is tinyint and unsigned, it can store 0-255 because it is 1 byte
only, while the asn is 16/32 bits so it is larger than that.

Thanks!

On Sun, Sep 13, 2009 at 9:19 PM, Carter Bullard <carter at qosient.com> wrote:

> All of that is controlled by your ralabel.conf file.What does that look
> like?
> Carter
>
> On Sep 13, 2009, at 1:36 AM, CS Lee wrote:
>
> hi Carter,
>
> I try this out and ralabel seems to work correctly -
>
> ralabel -S localhost -f ralabel.conf -L0 -s saddr daddr sas das label:64
>            SrcAddr            DstAddr   sAS
> dAS                                                            Label
>      192.168.1.153       218.88.17.13        4134
> dcity=Chengdu,32,China,30.666700,104.066597
>       210.24.205.7      192.168.1.153  4628
> scity=Singapore,00,Singapore,1.293100,103.855797
>      192.168.1.153    218.163.175.176        3462
> dcity=Taipei,03,Taiwan,25.039200,121.525002
>      192.168.1.153    202.103.208.247        4134
> dcity=Nanning,16,China,22.816700,108.316597
>      192.168.1.153     219.139.201.80        4134
> dcity=Wuhan,12,China,30.583300,114.266701
>      192.168.1.153     220.253.11.150        4854
> dcity=Melbourne,07,Australia,-37.816700,144.966705
>
> Then I would like to insert AS Number and Label to the db with -
>
> ralabel -S localhost -f ralabel.conf -w - | rasqlinsert -r - -w
> mysql://root@localhost/argusdb/ralabel -m none -s +sas +das +label
>
> While the label is inserted correctly, the AS Number seems to be wrong, I
> would really like the asn data to be in the database -
>
> SELECT saddr, daddr, sas, das, label FROM ralabel limit 10;
>
> +-----------------+----------------+------+------+--------------------------------------------------------+
> | saddr           | daddr          | sas  | das  |
> label                                                  |
>
> +-----------------+----------------+------+------+--------------------------------------------------------+
> | 192.168.1.153   | 60.62.64.144   |    0 |  255 |
> dcity=Yokosuka,19,Japan,35.283600,139.667206           |
> | 174.129.205.216 | 192.168.1.193  |  255 |    0 | scity=Seattle,WA,United
> States,47.583900,-122.299500   |
> | 192.168.1.153   | 61.227.165.38  |    0 |  255 |
> dcity=Taipei,03,Taiwan,25.039200,121.525002            |
> | 192.168.1.153   | 60.48.182.58   |    0 |  255 | dcity=Kuala
> Lumpur,14,Malaysia,3.166700,101.699997     |
> | 192.168.1.153   | 219.81.178.102 |    0 |  255 |
> dcity=Taipei,03,Taiwan,25.039200,121.525002            |
> | 192.168.1.153   | 60.62.64.144   |    0 |  255 |
> dcity=Yokosuka,19,Japan,35.283600,139.667206           |
> | 59.175.114.187  | 192.168.1.153  |  255 |    0 |
> scity=Wuhan,12,China,30.583300,114.266701              |
> | 192.168.1.153   | 207.188.65.224 |    0 |  255 |
> dcity=Toronto,ON,Canada,43.666698,-79.416801           |
> | 192.168.1.193   | 69.63.178.18   |    0 |  255 | dcity=Palo
> Alto,CA,United States,37.442902,-122.151398 |
> | 192.168.1.153   | 60.48.182.58   |    0 |  255 | dcity=Kuala
> Lumpur,14,Malaysia,3.166700,101.699997     |
>
> +-----------------+----------------+------+------+--------------------------------------------------------+
> 10 rows in set (0.00 sec)
>
> Apparently the sas and das don't seem to be right.
>
> Thanks!
>
> C.S.Lee
> http://geek00l.blogspot.com
> http://defcraft.net
>
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090913/ecfdef87/attachment.html>

More information about the argus mailing list