rasqlinsert

Carter Bullard carter at qosient.com
Fri Jun 1 10:12:40 EDT 2012


Hey CS Lee,
So, this would be a bug.  rasql() reads the argus record that is stored in the
database, which is good data, but it looks like the strings to print out the saddr
and daddr attributes for the database table are messed up.

Because the argus data is good, recovering the database should be easy.

   rasql -r mysql://localhost/argusdb/argus_table -w argus.data
   rasqlinsert -r argus.data -w mysql://localhost/testdb/argus_table -s srcid saddr sport daddr dport proto

How are you calling rasqlinsert, and what are the print fields in your .rarc ?

Carter

On Jun 1, 2012, at 6:04 AM, CS Lee wrote:

> hi Carter,
> 
> I use rasqlinsert to insert the data into the mysql database; however, when I check, it seems I have this issue -
> 
> mysql> select saddr,sport,daddr,dport from tbl_argus where proto='tcp' limit 10;
> +-------------+-------+-------------+-------+
> | saddr       | sport | daddr       | dport |
> +-------------+-------+-------------+-------+
> | %T.0.000000 | 1034  | %T.0.000000 | 64985 |
> | %T.0.000000 | 1070  | %T.0.000000 | 59292 |
> | %T.0.000000 | 1072  | %T.0.000000 | 46579 |
> | %T.0.000000 | 1084  | %T.0.000000 | 10942 |
> | %T.0.000000 | 10864 | %T.0.000000 | 80    |
> | %T.0.000000 | 1104  | %T.0.000000 | 445   |
> | %T.0.000000 | 1110  | %T.0.000000 | 51413 |
> | %T.0.000000 | 11104 | %T.0.000000 | 80    |
> | %T.0.000000 | 11105 | %T.0.000000 | 80    |
> | %T.0.000000 | 11106 | %T.0.000000 | 80    |
> +-------------+-------+-------------+-------+
> 10 rows in set (0.00 sec)
> 
> It was alright with the older version of rasqlinsert last time; this is really odd. And when using rasql it retrieves the data correctly -
> 
> rasql -r mysql://localhost/argusdb/argus_table -s saddr daddr
> 1.2.3.4 2.3.4.5
> 1.2.3.4 5.6.7.8
> 
> Maybe some conversion is done in between? I really need the data to be understood by the mysql command so that I can perform analysis using mysql queries and reporting.
> 
> Cheers!
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>
> 
> http://geek00l.blogspot.com
> http://defcraft.net
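
The recovery Carter outlines above (dump the intact argus records out of the broken table with rasql, then re-insert them with rasqlinsert and an explicit field list), written up as an added shell script. This is not part of the thread and not code from the argus distribution. It puts a check on both sides of the rebuild: a heuristic that flags an address column value containing '%' (printf residue such as "%T.0.000000") and a count of such rows in a table, so the dump is only re-inserted, and the rebuilt table only trusted, once the count is zero. The database, table and dump file names are the ones used in the thread; the `ra -n` and `mysql -N -B` flags and the '%' heuristic are my additions and assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the argus project): rebuild an argus
# MySQL table whose saddr/daddr columns hold format-string residue such as
# "%T.0.000000", and verify the result before trusting it for analysis.
set -eu

# Assumed names; the thread uses argusdb/testdb/argus_table and argus.data.
SRC_URL="${SRC_URL:-mysql://localhost/argusdb/argus_table}"
DST_URL="${DST_URL:-mysql://localhost/testdb/argus_table}"
DUMP="${DUMP:-argus.data}"
FIELDS="srcid saddr sport daddr dport proto"

# Heuristic: a printed IPv4/IPv6/MAC address never contains '%', and is never
# empty, so either one means the print string was wrong, not the record.
addr_is_garbled() {
    case "$1" in
        ''|*%*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Count lines on stdin whose first or second field is garbled.  Input is the
# "saddr daddr" shape that `ra -s saddr daddr` / `rasql -s saddr daddr` print.
count_garbled() {
    n=0
    while read -r saddr daddr _rest; do
        if addr_is_garbled "$saddr" || addr_is_garbled "$daddr"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Ask MySQL directly how many rows in a rasql-style URL's table carry '%'.
# The db/table names come from the operator-supplied URL, so only run this
# against URLs you control; they are interpolated into the query unquoted.
table_garbled_rows() {
    db_and_table="${1#mysql://*/}"        # argusdb/argus_table
    db="${db_and_table%%/*}"              # argusdb
    tbl="${db_and_table##*/}"             # argus_table
    mysql -N -B -e \
        "SELECT COUNT(*) FROM $tbl WHERE saddr LIKE '%\\%%' OR daddr LIKE '%\\%%'" \
        "$db"
}

rebuild_table() {
    # 1. Pull the (intact) argus records out of the broken table.
    rasql -r "$SRC_URL" -w "$DUMP"

    # 2. Read the dump back with a read-only tool before writing anywhere;
    #    if the records themselves were bad, re-inserting would not help.
    bad=$(ra -n -r "$DUMP" -s saddr daddr | count_garbled)
    if [ "$bad" -ne 0 ]; then
        echo "dump $DUMP has $bad records with garbled addresses; aborting" >&2
        exit 1
    fi

    # 3. Re-insert with an explicit print-field list, as in the thread.
    rasqlinsert -r "$DUMP" -w "$DST_URL" -s $FIELDS

    # 4. Only trust the new table once it shows no '%' residue at all.
    left=$(table_garbled_rows "$DST_URL")
    if [ "$left" -ne 0 ]; then
        echo "rebuilt table still has $left garbled rows" >&2
        exit 1
    fi
    echo "rebuilt $DST_URL from $DUMP with no garbled rows"
}

# Run the rebuild only when asked, so the functions can also be sourced.
if [ "${1:-}" = "rebuild" ]; then
    rebuild_table
fi
```

Run it as `sh argus_recover.sh rebuild` after setting SRC_URL/DST_URL if the thread's names do not match your tables; `table_garbled_rows mysql://localhost/argusdb/argus_table` on its own gives a quick before-and-after count.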


