Why sas das feature in rasqlinsert doesnot work?

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Tue Jul 23 08:51:39 EDT 2013 

My ralabel.conf file the same below: and I copy it to /etc/ and
/usr/local/argus/ directories.
The all of Ip address are 0,

#
#  Argus Client Software
#  Copyright (c) 2000-2013 QoSient, LLC
#  All rights reserved.
#
#
# RaLabel Configuration
#
# Carter Bullard
# QoSient, LLC
#
#   This configuration is a ralabel(1) configuration file.
#
#   The concept is to provide a number of labeling strategies
#   with configuration capabilities for each of the labelers.
#   This allows the user to specify the order of the labeling,
#   which is provided to support hierarchical labeling.
#
#   Here is a valid and simple configuration file.   It doesn't do
#   anything in particular, but it is one that is used at some sites.
#

# Supported Labeling Strategies
# Addresss Based Classification
#    Address based classifications involve building a patricia tree
#    that we can hang labels against.  The strategy is to order the
#    address label configuration files, to develop a hierarchical
#    label scheme.
#

#    IANA IPv4 and IPv6 Address Classification Labeling
#
#    The type of IP network address can be used by many analysis
#    programs to make decisions.  While IANA standard classifications
#    don't change, this type of classification should be extendable
#    to allow local sites to provide additional labeling capabilities.

#RALABEL_IANA_ADDRESS=yes
#RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"


# Addresss Based Country Code Classification
#    Address based country code classification leverages the feature
#    where ra* clients cant print country codes for the IP addresses
#    that are in a flow record.  Country codes are generated from the ARIN
#    delegated address space files.  Specify the location of your
#    DELEGATED_IP file here, or in your .rarc file (which is default).
#
#    Unlike the GeoIP based country code labeling, these codes can be sorted
#    filtered and aggregated, so if you want to do that type of operations
#    with country codes, enable this feature here.
#

#RALABEL_ARIN_COUNTRY_CODES=yes
#RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"


# BIND Based Classification
#    BIND services provide address to name translations, and these
#    reverse lookup strategies can provide FQDN labels, or domain
#    labels that can be added to flow.  The IP addresses that can be
#    'labeled' are the saddr, daddr, or inode.  Keywords "yes" and "all"
#    are synonomous and result in labeling all three IP addresses.
#
#    Use this strategy to provide transient semantic enhancement based
#    on ip address values.
#

#RALABEL_BIND_NAME="all"

#
#    When labelers provide names, they can use blocking or non-blocking
#    resolvers to perform the lookups.  Blocking, the default, will cause
#    the labeler to wait for resolutions to return. This ensures that the
#    label will have the best answer in every flow record process, however
#    blocking resolvers can cause performance issues.  Non-blocking will
#    queue lookups and establish its name resolution cache, in a lazy
#    manner.

#RALABEL_BIND_NON_BLOCKING="no""

#
#    When labelers provide names, they can prit the FQDN, the host portion
#    or just the domain name, depending on your uses of the name label.
#

#RALABEL_PRINT_DOMAINONLY="no"
#RALABEL_PRINT_LOCALONLY="no"

#
#    All name resolutions are cached, to improve performance.  This provides
#    the best performance, however, for long lived labeling daemons, a
timeout
#    or TTL, can be placed on the name table, so that the labeler will
#    periodically requery for resolutions.
#
#    The default is -1, which disables cache timeouts.
#    Zero (0) will turn off any caching and will have a performance impact.

#RALABEL_DNS_NAME_CACHE_TIMEOUT=-1



# Port Based Classification
#    Port based classifications involves simple assignment of a text
#    label to a specific port number.  While IANA standard classifications
#    are supported throught the Unix /etc/services file assignments,
#    and the basic "src port" and "dst port" ra* filter schemes,
#    this scheme is used to enhance/modify that labeling strategy.
#    The text associated with a port number is placed in the metadata
#    label field, and is searched using the regular expression searching
#    strategies that are available to label matching.
#
#    Use this strategy to provide transient semantic enhancement based
#    on port values.
#

#RALABEL_IANA_PORT=yes
#RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"


# Flow Filter Based Classification
#    Flow filter based classification uses the standard flow
#    filter strategies to provide a general purpose labeling scheme.
#    The concept is similar to racluster()'s fall through matching
#    scheme.  Fall through the list of filters, if it matches, add the
#    label.  If you want to continue through the list, once there is
#    a match,  add a "cont" to the end of the matching rule.
#

RALABEL_ARGUS_FLOW=yes
RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"


# GeoIP Based Labeling
#    The labeling features can use the databases provided by MaxMind
#    using the GeoIP LGPL libraries.  If your code was configured to use
#    these libraries, then enable the features here.
#
#    GeoIP provides a lot of support for geo-location, configure support
#    by enabling a feature and providing the appropriate binary data files.
#    ASN reporting is done from a separate set of data files, obtained from
#    MaxMind.com, and so enabling this feature is independent of the
#    traditional city data available.
#

RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"

#
#    Data for city relevant data is enabled through enabling and configuring
#    the city database support.  The types of data available are:
#       country_code, country_code3, country_name, region, city,
postal_code,
#       latitude, longitude, metro_code, area_code and continent_code.
#       time_offset is also available.
#
#    The concept is that you should be able to add semantics for any
#    IP address that is in the argus record.  Support addresses are:
#
#       saddr, daddr, inode
#
#    The labels provided will be tagged as:
#       scity, dcity, icity
#
#    To configure what you want to have placed in the label, use the list of
#    objects, in whatever order you like, as the RALABEL_GEOPIP_CITY string
#    using these keywords:
#       cco   - country_code
#       cco3  - country_code3
#       cname - country_name
#       reg   - region
#       city  - city
#       pcode - postal_code
#       lat   - latitude
#       long  - longitude
#       metro - metro_code
#       area  - area_code
#       cont  - continent_code
#       off   - GMT time offset
#
#    Working examples could be:
#       RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
#       RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
#
RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"
RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIP.dat"
RALABEL_GEOIP_V6_CITY_FILE="/usr/local/share/GeoIP/GeoIPv6.dat"


On Tue, Jul 23, 2013 at 5:03 PM, Carter Bullard <carter at qosient.com> wrote:

> what are the contents of your ralabel.conf file, and what addresses are
> reporting 0?
> simply stating that something is not working is very impolite.
>
> Carter
>
> On Jul 23, 2013, at 8:28 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> I solve the problem by this command, but still the value of  sas, dasare
> zero?????
>
> argus -r pcaped.pcap  -F /dev/null  -w - | ralabel -f ralabel.conf -r - -w
> - -s  +sas +das | rasqlinsert -r - -w mysql://root@localhost/argus/a  -s
> stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts bytes
> state spkts dpkts sbytes dbytes  das sas
>
>
>
>
>
> On Tue, Jul 23, 2013 at 10:59 AM, Mike Iglesias <iglesias at uci.edu> wrote:
>
>> On 07/22/2013 10:54 PM, Rahimeh Khodadadi wrote:
>> > Thank you very much indeed Matt, but when I run the command gives such
>> a erorr:
>>
>> If you're not using the latest code that Carter put up today, try that
>> and see
>> if it fixes this error.  http://qosient.com/argus/dev/
>>
>>
>> --
>> Mike Iglesias                          Email:       iglesias at uci.edu
>> University of California, Irvine       phone:       949-824-6926
>> Office of Information Technology       FAX:         949-824-2270
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>
>


-- 
With Best Regards
Rahimeh Khodadadi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130723/a74af956/attachment.html>

More information about the argus mailing list