Why does the sas, das feature in rasqlinsert not work?
Rahimeh Khodadadi
rahimeh.khodadadi at gmail.com
Tue Jul 23 10:06:10 EDT 2013
Is there any idea for solving it???
I need it urgently.
Thanks in advance
On Tue, Jul 23, 2013 at 5:21 PM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
> My ralabel.conf file is the same as below, and I copied it to the /etc/ and
> /usr/local/argus/ directories.
> All of the IP addresses are 0.
>
> #
> # Argus Client Software
> # Copyright (c) 2000-2013 QoSient, LLC
> # All rights reserved.
> #
> #
> # RaLabel Configuration
> #
> # Carter Bullard
> # QoSient, LLC
> #
> # This configuration is a ralabel(1) configuration file.
> #
> # The concept is to provide a number of labeling strategies
> # with configuration capabilities for each of the labelers.
> # This allows the user to specify the order of the labeling,
> # which is provided to support hierarchical labeling.
> #
> # Here is a valid and simple configuration file. It doesn't do
> # anything in particular, but it is one that is used at some sites.
> #
>
> # Supported Labeling Strategies
> # Address Based Classification
> # Address based classifications involve building a patricia tree
> # that we can hang labels against. The strategy is to order the
> # address label configuration files, to develop a hierarchical
> # label scheme.
> #
>
> # IANA IPv4 and IPv6 Address Classification Labeling
> #
> # The type of IP network address can be used by many analysis
> # programs to make decisions. While IANA standard classifications
> # don't change, this type of classification should be extendable
> # to allow local sites to provide additional labeling capabilities.
>
> #RALABEL_IANA_ADDRESS=yes
> #RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"
>
>
> # Address Based Country Code Classification
> # Address based country code classification leverages the feature
> # where ra* clients can print country codes for the IP addresses
> # that are in a flow record. Country codes are generated from the ARIN
> # delegated address space files. Specify the location of your
> # DELEGATED_IP file here, or in your .rarc file (which is default).
> #
> # Unlike the GeoIP based country code labeling, these codes can be sorted,
> # filtered and aggregated, so if you want to do that type of operation
> # with country codes, enable this feature here.
> #
>
> #RALABEL_ARIN_COUNTRY_CODES=yes
> #RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
>
>
> # BIND Based Classification
> # BIND services provide address to name translations, and these
> # reverse lookup strategies can provide FQDN labels, or domain
> # labels that can be added to flow. The IP addresses that can be
> # 'labeled' are the saddr, daddr, or inode. Keywords "yes" and "all"
> # are synonymous and result in labeling all three IP addresses.
> #
> # Use this strategy to provide transient semantic enhancement based
> # on ip address values.
> #
>
> #RALABEL_BIND_NAME="all"
>
> #
> # When labelers provide names, they can use blocking or non-blocking
> # resolvers to perform the lookups. Blocking, the default, will cause
> # the labeler to wait for resolutions to return. This ensures that the
> # label will have the best answer in every flow record process, however
> # blocking resolvers can cause performance issues. Non-blocking will
> # queue lookups and establish its name resolution cache, in a lazy
> # manner.
>
> #RALABEL_BIND_NON_BLOCKING="no"
>
> #
> # When labelers provide names, they can print the FQDN, the host portion
> # or just the domain name, depending on your uses of the name label.
> #
>
> #RALABEL_PRINT_DOMAINONLY="no"
> #RALABEL_PRINT_LOCALONLY="no"
>
> #
> # All name resolutions are cached, to improve performance. This provides
> # the best performance; however, for long-lived labeling daemons, a timeout,
> # or TTL, can be placed on the name table, so that the labeler will
> # periodically requery for resolutions.
> #
> # The default is -1, which disables cache timeouts.
> # Zero (0) will turn off any caching and will have a performance impact.
>
> #RALABEL_DNS_NAME_CACHE_TIMEOUT=-1
>
>
>
> # Port Based Classification
> # Port based classifications involve simple assignment of a text
> # label to a specific port number. While IANA standard classifications
> # are supported through the Unix /etc/services file assignments,
> # and the basic "src port" and "dst port" ra* filter schemes,
> # this scheme is used to enhance/modify that labeling strategy.
> # The text associated with a port number is placed in the metadata
> # label field, and is searched using the regular expression searching
> # strategies that are available to label matching.
> #
> # Use this strategy to provide transient semantic enhancement based
> # on port values.
> #
>
> #RALABEL_IANA_PORT=yes
> #RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
>
>
> # Flow Filter Based Classification
> # Flow filter based classification uses the standard flow
> # filter strategies to provide a general purpose labeling scheme.
> # The concept is similar to racluster()'s fall through matching
> # scheme. Fall through the list of filters, if it matches, add the
> # label. If you want to continue through the list, once there is
> # a match, add a "cont" to the end of the matching rule.
> #
>
> RALABEL_ARGUS_FLOW=yes
> RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"
>
>
> # GeoIP Based Labeling
> # The labeling features can use the databases provided by MaxMind
> # using the GeoIP LGPL libraries. If your code was configured to use
> # these libraries, then enable the features here.
> #
> # GeoIP provides a lot of support for geo-location, configure support
> # by enabling a feature and providing the appropriate binary data files.
> # ASN reporting is done from a separate set of data files, obtained from
> # MaxMind.com, and so enabling this feature is independent of the
> # traditional city data available.
> #
>
> RALABEL_GEOIP_ASN=yes
> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
> RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
>
> #
> # City-relevant data is enabled by enabling and configuring
> # the city database support. The types of data available are:
> # country_code, country_code3, country_name, region, city, postal_code,
> # latitude, longitude, metro_code, area_code and continent_code.
> # time_offset is also available.
> #
> # The concept is that you should be able to add semantics for any
> # IP address that is in the argus record. Support addresses are:
> #
> # saddr, daddr, inode
> #
> # The labels provided will be tagged as:
> # scity, dcity, icity
> #
> # To configure what you want to have placed in the label, use the list of
> # objects, in whatever order you like, as the RALABEL_GEOIP_CITY string
> # using these keywords:
> # cco - country_code
> # cco3 - country_code3
> # cname - country_name
> # reg - region
> # city - city
> # pcode - postal_code
> # lat - latitude
> # long - longitude
> # metro - metro_code
> # area - area_code
> # cont - continent_code
> # off - GMT time offset
> #
> # Working examples could be:
> # RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
> # RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
> #
> RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"
> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIP.dat"
> RALABEL_GEOIP_V6_CITY_FILE="/usr/local/share/GeoIP/GeoIPv6.dat"
>
>
> On Tue, Jul 23, 2013 at 5:03 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> what are the contents of your ralabel.conf file, and what addresses are
>> reporting 0?
>> simply stating that something is not working is very impolite.
>>
>> Carter
>>
>> On Jul 23, 2013, at 8:28 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>
>> I solved the problem with this command, but the values of sas and das are
>> still zero?????
>>
>> argus -r pcaped.pcap -F /dev/null -w - | ralabel -f ralabel.conf -r -
>> -w - -s +sas +das | rasqlinsert -r - -w mysql://root@localhost/argus/a
>> -s stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts
>> bytes state spkts dpkts sbytes dbytes das sas
>>
>> On Tue, Jul 23, 2013 at 10:59 AM, Mike Iglesias <iglesias at uci.edu> wrote:
>>
>>> On 07/22/2013 10:54 PM, Rahimeh Khodadadi wrote:
>>> > Thank you very much indeed Matt, but when I run the command it gives such
>>> > an error:
>>>
>>> If you're not using the latest code that Carter put up today, try that
>>> and see if it fixes this error. http://qosient.com/argus/dev/
>>>
>>>
>>> --
>>> Mike Iglesias Email: iglesias at uci.edu
>>> University of California, Irvine phone: 949-824-6926
>>> Office of Information Technology FAX: 949-824-2270
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>
--
With Best Regards
Rahimeh Khodadadi
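As an added example, not part of this thread and not argus project code: a POSIX shell pre-flight check for a ralabel.conf of the kind quoted above. The function names and the sample configuration it builds in a scratch directory are my own constructions. It only checks what can be verified locally: that the RALABEL_GEOIP_ASN strategy is switched on, and that every *_FILE path (and RA_DELEGATED_IP) named by an active, uncommented setting exists and is readable on the host where ralabel runs. A database path that does not resolve is the first thing to rule out before looking at the labeler or at rasqlinsert.

```shell
#!/bin/sh
# Added example, not part of the argus distribution: pre-flight checks for a
# ralabel.conf. Function names and the sample config below are constructed.

# ralabel_active_settings CONF
# Print KEY=VALUE for every active (uncommented) RA*/RALABEL_* setting,
# with surrounding double quotes stripped from the value.
ralabel_active_settings() {
    sed -n 's/^[[:space:]]*\(RA[A-Z0-9_]*\)[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1=\2/p' "$1"
}

# ralabel_missing_files CONF
# Print "KEY PATH" for each *_FILE (or RA_DELEGATED_IP) setting whose path is
# not a readable file; return 1 if any were found, 0 otherwise.
ralabel_missing_files() {
    status=0
    while IFS='=' read -r key value; do
        case "$key" in
            *_FILE|RA_DELEGATED_IP) ;;
            *) continue ;;
        esac
        if [ ! -r "$value" ]; then
            printf '%s %s\n' "$key" "$value"
            status=1
        fi
    done <<EOF
$(ralabel_active_settings "$1")
EOF
    return "$status"
}

# ralabel_geoip_asn_ready CONF
# Return 0 when RALABEL_GEOIP_ASN=yes and the IPv4 ASN database it names is
# readable (what the ASN labeler needs before sas/das can be filled in);
# otherwise say why and return 1.
ralabel_geoip_asn_ready() {
    settings=$(ralabel_active_settings "$1")
    enabled=$(printf '%s\n' "$settings" | sed -n 's/^RALABEL_GEOIP_ASN=//p')
    asnfile=$(printf '%s\n' "$settings" | sed -n 's/^RALABEL_GEOIP_ASN_FILE=//p')
    if [ "$enabled" != "yes" ]; then
        echo "RALABEL_GEOIP_ASN is not enabled in $1"
        return 1
    fi
    if [ -z "$asnfile" ] || [ ! -r "$asnfile" ]; then
        echo "RALABEL_GEOIP_ASN_FILE is not readable: '${asnfile:-<unset>}'"
        return 1
    fi
    echo "GeoIP ASN labeling is configured with $asnfile"
}

# Demo on a constructed config: the active lines from the thread's
# ralabel.conf, pointed at a scratch directory that holds only a stand-in
# ASN database, so the checks run offline and report the other files missing.
ralabel_demo() {
    dir=$(mktemp -d)
    printf 'stand-in, not a real MaxMind database\n' > "$dir/GeoIPASNum.dat"
    cat > "$dir/ralabel.conf" <<EOF
#RALABEL_IANA_ADDRESS=yes
RALABEL_ARGUS_FLOW=yes
RALABEL_ARGUS_FLOW_FILE="$dir/argus-flow-file"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="$dir/GeoIPASNum.dat"
RALABEL_GEOIP_V6_ASN_FILE="$dir/GeoIPASNumv6.dat"
RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"
RALABEL_GEOIP_CITY_FILE="$dir/GeoIP.dat"
EOF
    echo "Missing data files:"
    ralabel_missing_files "$dir/ralabel.conf" || echo "(ralabel cannot label from these)"
    ralabel_geoip_asn_ready "$dir/ralabel.conf"
    rm -rf "$dir"
}

ralabel_demo
```

To use it against a real installation, point the functions at the copy of ralabel.conf that the `-f` option actually selects (a relative `-f ralabel.conf` reads from the current directory, not from /etc/ or /usr/local/argus/) and run them on the same host as ralabel, since the paths are checked locally.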