Why doesn't the sas/das feature in rasqlinsert work?

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Tue Jul 23 10:39:16 EDT 2013


First, I appreciate your time and apologize for bothering you with
my questions. I really need it for my work.
I'm so sorry, but this post is from yesterday, not a few weeks ago.
I have read the manual of the commands several times, but I think I
make a mistake somewhere.

This is a piece of my database. The feature does not work:

stime     ltime     dur       srcid    flgs  proto  saddr          sport  dir  daddr          dport  pkts   bytes     state  spkts  dpkts  sbytes    dbytes   das  sas  record
1.37E+09  1.37E+09  103.668   0.0.0.0  e sD  tcp    192.168.2.159  1066   ->   74.125.143.16  465    23616  12965059  FIN    8022   15594  12026652  938407   0    0    ...
1.37E+09  1.37E+09  71.71558  0.0.0.0  e dS  tcp    74.125.143.16  465    <?>  192.168.2.157  1047   12027  7356979   FIN    7368   4659   442223    6914756  0    0    ...
1.37E+09  1.37E+09  49.26319  0.0.0.0  e dS  tcp    74.125.143.16  465    <?>  192.168.2.160  1043   7924   4842419   FIN    4869   3055   292283    4550136  0    0    ...
1.37E+09  1.37E+09  38.95642  0.0.0.0  e dS  tcp    74.125.143.16  465    <?>  192.168.2.156  1047   6129   3729166   FIN    3768   2361   226225    3502941  0    0    ...

Again I thank you for your help, and wish the best for you.



On Tue, Jul 23, 2013 at 6:53 PM, Carter Bullard <carter at qosient.com> wrote:

> I apologize, but why is it that you show up only a few weeks ago, and now
> everything is urgent ?
> This is a developers' mailing list, not an "I can't read the manual" list.
>
> Please try to learn how to use the tools before bombarding the list with
> your requests for training.
>
> You did not show what IP addresses have 0 AS numbers; I will presume that
> the feature works.
>
> Carter
>
>
> On Jul 23, 2013, at 10:06 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> Is there any idea for solving it???
> I need it urgently.
>
> Thanks in advance
>
>
> On Tue, Jul 23, 2013 at 5:21 PM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
>> My ralabel.conf file is the same as below, and I copied it to the /etc/ and
>> /usr/local/argus/ directories.
>> All of the IP addresses are 0:
>>
>> #
>> #  Argus Client Software
>> #  Copyright (c) 2000-2013 QoSient, LLC
>> #  All rights reserved.
>> #
>> #
>> # RaLabel Configuration
>> #
>> # Carter Bullard
>> # QoSient, LLC
>> #
>> #   This configuration is a ralabel(1) configuration file.
>> #
>> #   The concept is to provide a number of labeling strategies
>> #   with configuration capabilities for each of the labelers.
>> #   This allows the user to specify the order of the labeling,
>> #   which is provided to support hierarchical labeling.
>> #
>> #   Here is a valid and simple configuration file.   It doesn't do
>> #   anything in particular, but it is one that is used at some sites.
>> #
>>
>> # Supported Labeling Strategies
>> # Address Based Classification
>> #    Address based classifications involve building a patricia tree
>> #    that we can hang labels against.  The strategy is to order the
>> #    address label configuration files, to develop a hierarchical
>> #    label scheme.
>> #
>>
>> #    IANA IPv4 and IPv6 Address Classification Labeling
>> #
>> #    The type of IP network address can be used by many analysis
>> #    programs to make decisions.  While IANA standard classifications
>> #    don't change, this type of classification should be extendable
>> #    to allow local sites to provide additional labeling capabilities.
>>
>> #RALABEL_IANA_ADDRESS=yes
>> #RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"
>>
>>
>> # Address Based Country Code Classification
>> #    Address based country code classification leverages the feature
>> #    where ra* clients can print country codes for the IP addresses
>> #    that are in a flow record.  Country codes are generated from the ARIN
>> #    delegated address space files.  Specify the location of your
>> #    DELEGATED_IP file here, or in your .rarc file (which is default).
>> #
>> #    Unlike the GeoIP based country code labeling, these codes can be sorted,
>> #    filtered and aggregated, so if you want to do that type of operations
>> #    with country codes, enable this feature here.
>> #
>>
>> #RALABEL_ARIN_COUNTRY_CODES=yes
>> #RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
>>
>>
>> # BIND Based Classification
>> #    BIND services provide address to name translations, and these
>> #    reverse lookup strategies can provide FQDN labels, or domain
>> #    labels that can be added to flow.  The IP addresses that can be
>> #    'labeled' are the saddr, daddr, or inode.  Keywords "yes" and "all"
>> #    are synonymous and result in labeling all three IP addresses.
>> #
>> #    Use this strategy to provide transient semantic enhancement based
>> #    on ip address values.
>> #
>>
>> #RALABEL_BIND_NAME="all"
>>
>> #
>> #    When labelers provide names, they can use blocking or non-blocking
>> #    resolvers to perform the lookups.  Blocking, the default, will cause
>> #    the labeler to wait for resolutions to return. This ensures that the
>> #    label will have the best answer in every flow record process, however
>> #    blocking resolvers can cause performance issues.  Non-blocking will
>> #    queue lookups and establish its name resolution cache, in a lazy
>> #    manner.
>>
>> #RALABEL_BIND_NON_BLOCKING="no"
>>
>> #
>> #    When labelers provide names, they can print the FQDN, the host portion
>> #    or just the domain name, depending on your uses of the name label.
>> #
>>
>> #RALABEL_PRINT_DOMAINONLY="no"
>> #RALABEL_PRINT_LOCALONLY="no"
>>
>> #
>> #    All name resolutions are cached, to improve performance.  This provides
>> #    the best performance, however, for long lived labeling daemons, a timeout
>> #    or TTL, can be placed on the name table, so that the labeler will
>> #    periodically requery for resolutions.
>> #
>> #    The default is -1, which disables cache timeouts.
>> #    Zero (0) will turn off any caching and will have a performance impact.
>>
>> #RALABEL_DNS_NAME_CACHE_TIMEOUT=-1
>>
>>
>>
>> # Port Based Classification
>> #    Port based classifications involves simple assignment of a text
>> #    label to a specific port number.  While IANA standard classifications
>> #    are supported through the Unix /etc/services file assignments,
>> #    and the basic "src port" and "dst port" ra* filter schemes,
>> #    this scheme is used to enhance/modify that labeling strategy.
>> #    The text associated with a port number is placed in the metadata
>> #    label field, and is searched using the regular expression searching
>> #    strategies that are available to label matching.
>> #
>> #    Use this strategy to provide transient semantic enhancement based
>> #    on port values.
>> #
>>
>> #RALABEL_IANA_PORT=yes
>> #RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
>>
>>
>> # Flow Filter Based Classification
>> #    Flow filter based classification uses the standard flow
>> #    filter strategies to provide a general purpose labeling scheme.
>> #    The concept is similar to racluster()'s fall through matching
>> #    scheme.  Fall through the list of filters, if it matches, add the
>> #    label.  If you want to continue through the list, once there is
>> #    a match,  add a "cont" to the end of the matching rule.
>> #
>>
>> RALABEL_ARGUS_FLOW=yes
>> RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"
>>
>>
>> # GeoIP Based Labeling
>> #    The labeling features can use the databases provided by MaxMind
>> #    using the GeoIP LGPL libraries.  If your code was configured to use
>> #    these libraries, then enable the features here.
>> #
>> #    GeoIP provides a lot of support for geo-location, configure support
>> #    by enabling a feature and providing the appropriate binary data files.
>> #    ASN reporting is done from a separate set of data files, obtained from
>> #    MaxMind.com, and so enabling this feature is independent of the
>> #    traditional city data available.
>> #
>>
>> RALABEL_GEOIP_ASN=yes
>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>> RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
>>
>> #
>> #    Data for city relevant data is enabled through enabling and configuring
>> #    the city database support.  The types of data available are:
>> #       country_code, country_code3, country_name, region, city, postal_code,
>> #       latitude, longitude, metro_code, area_code and continent_code.
>> #       time_offset is also available.
>> #
>> #    The concept is that you should be able to add semantics for any
>> #    IP address that is in the argus record.  Support addresses are:
>> #
>> #       saddr, daddr, inode
>> #
>> #    The labels provided will be tagged as:
>> #       scity, dcity, icity
>> #
>> #    To configure what you want to have placed in the label, use the list of
>> #    objects, in whatever order you like, as the RALABEL_GEOIP_CITY string
>> #    using these keywords:
>> #       cco   - country_code
>> #       cco3  - country_code3
>> #       cname - country_name
>> #       reg   - region
>> #       city  - city
>> #       pcode - postal_code
>> #       lat   - latitude
>> #       long  - longitude
>> #       metro - metro_code
>> #       area  - area_code
>> #       cont  - continent_code
>> #       off   - GMT time offset
>> #
>> #    Working examples could be:
>> #       RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
>> #       RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
>> #
>> RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"
>> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIP.dat"
>> RALABEL_GEOIP_V6_CITY_FILE="/usr/local/share/GeoIP/GeoIPv6.dat"
>>
>>
>> On Tue, Jul 23, 2013 at 5:03 PM, Carter Bullard <carter at qosient.com>wrote:
>>
>>> What are the contents of your ralabel.conf file, and what addresses are
>>> reporting 0?
>>> Simply stating that something is not working is very impolite.
>>>
>>> Carter
>>>
>>> On Jul 23, 2013, at 8:28 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com> wrote:
>>>
>>> I solved the problem with this command, but the values of sas and das are
>>> still zero?????
>>>
>>> argus -r pcaped.pcap -F /dev/null -w - \
>>>   | ralabel -f ralabel.conf -r - -w - -s +sas +das \
>>>   | rasqlinsert -r - -w mysql://root@localhost/argus/a \
>>>       -s stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts \
>>>          bytes state spkts dpkts sbytes dbytes das sas
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Jul 23, 2013 at 10:59 AM, Mike Iglesias <iglesias at uci.edu>wrote:
>>>
>>>> On 07/22/2013 10:54 PM, Rahimeh Khodadadi wrote:
>>>> > Thank you very much indeed Matt, but when I run the command it gives
>>>> such an error:
>>>>
>>>> If you're not using the latest code that Carter put up today, try that
>>>> and see if it fixes this error.  http://qosient.com/argus/dev/
>>>>
>>>>
>>>> --
>>>> Mike Iglesias                          Email:       iglesias at uci.edu
>>>> University of California, Irvine       phone:       949-824-6926
>>>> Office of Information Technology       FAX:         949-824-2270
>>>>
>>>>
>>>
>>>
>>> --
>>> With Best Regards
>>> Rahimeh Khodadadi
>>>
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>
>


-- 
With Best Regards
Rahimeh Khodadadi
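Carter's question in the thread is which addresses report an AS number of 0. The script below is an added example (not code from the argus project or from anyone in this thread) that answers it from the rows pasted above and from the ASN lines of the quoted ralabel.conf. It assumes the column order of the rasqlinsert -s list in the thread, that flgs prints as several space-separated indicator characters (so the row is anchored from both ends rather than split blindly), and that ralabel.conf uses the KEY="value" form shown; the sample flow rows and config lines are constructed from the thread, and the path-existence check is injectable so it can run without the MaxMind files installed. The point it makes: a 0 on a private 192.168.x.x address is expected, since such addresses belong to no AS, while a 0 on a globally routable address like 74.125.143.16 is the case that indicates the ASN lookup never happened and is worth reporting.

```python
"""Diagnose which addresses came back with sas/das == 0 from ralabel.

Added example, not code from the argus project or from anyone in the thread.
Assumes the ra*/rasqlinsert column order used in the thread and a
ralabel.conf in the KEY="value" form shown there.
"""
import ipaddress
import os
import re

# Column order from the rasqlinsert -s list in the thread.  flgs is a
# variable number of whitespace-separated indicator characters ("e sD"),
# so rows are anchored from the left (HEAD) and the right (TAIL).
HEAD = "stime ltime dur srcid".split()
TAIL = ("proto saddr sport dir daddr dport pkts bytes state "
        "spkts dpkts sbytes dbytes das sas record").split()

# Constructed sample: the four rows pasted in the thread, one per line.
SAMPLE_FLOWS = """\
stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts bytes state spkts dpkts sbytes dbytes das sas record
1.37E+09 1.37E+09 103.668 0.0.0.0 e sD tcp 192.168.2.159 1066 -> 74.125.143.16 465 23616 12965059 FIN 8022 15594 12026652 938407 0 0 ...
1.37E+09 1.37E+09 71.71558 0.0.0.0 e dS tcp 74.125.143.16 465 <?> 192.168.2.157 1047 12027 7356979 FIN 7368 4659 442223 6914756 0 0 ...
1.37E+09 1.37E+09 49.26319 0.0.0.0 e dS tcp 74.125.143.16 465 <?> 192.168.2.160 1043 7924 4842419 FIN 4869 3055 292283 4550136 0 0 ...
1.37E+09 1.37E+09 38.95642 0.0.0.0 e dS tcp 74.125.143.16 465 <?> 192.168.2.156 1047 6129 3729166 FIN 3768 2361 226225 3502941 0 0 ...
"""

# Constructed sample: the ASN-related lines of the ralabel.conf in the thread.
SAMPLE_CONF = """\
#RALABEL_IANA_ADDRESS=yes
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
"""


def parse_flows(text):
    """Split whitespace-separated ra* output into dicts keyed by column name."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header row and anything too short to hold every column.
        if not parts or parts[0] == "stime" or len(parts) < len(HEAD) + len(TAIL) + 1:
            continue
        rec = dict(zip(HEAD, parts[:len(HEAD)]))
        rec["flgs"] = " ".join(parts[len(HEAD):-len(TAIL)])
        rec.update(zip(TAIL, parts[-len(TAIL):]))
        records.append(rec)
    return records


def zero_asn_addresses(records):
    """Classify every address whose AS number printed as 0.

    Non-global addresses (RFC 1918 and the like) belong to no AS, so a 0 there
    is expected.  A 0 on a globally routable address means the ASN lookup did
    not produce a result, which is the case worth reporting.
    """
    expected, suspicious = set(), set()
    for rec in records:
        for addr_key, asn_key in (("saddr", "sas"), ("daddr", "das")):
            if rec[asn_key] != "0":
                continue
            try:
                ip = ipaddress.ip_address(rec[addr_key])
            except ValueError:
                continue  # not an IP literal (e.g. a MAC address); nothing to judge
            (suspicious if ip.is_global else expected).add(rec[addr_key])
    return {"expected": sorted(expected), "suspicious": sorted(suspicious)}


_CONF_LINE = re.compile(r'^\s*(RALABEL_[A-Z0-9_]+)\s*=\s*"?([^"\s]+)"?')


def parse_conf(text):
    """Return the active (uncommented) RALABEL_* settings as a dict."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _CONF_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_asn_config(text, exists=os.path.exists):
    """List configuration problems that would leave every ASN at 0."""
    settings = parse_conf(text)
    problems = []
    if settings.get("RALABEL_GEOIP_ASN", "").lower() != "yes":
        problems.append("RALABEL_GEOIP_ASN is not set to yes")
    for key in ("RALABEL_GEOIP_ASN_FILE", "RALABEL_GEOIP_V6_ASN_FILE"):
        path = settings.get(key)
        if path is None:
            problems.append("%s is not set" % key)
        elif not exists(path):
            problems.append("%s points at %s, which does not exist" % (key, path))
    return problems


if __name__ == "__main__":
    result = zero_asn_addresses(parse_flows(SAMPLE_FLOWS))
    print("ASN 0 on non-global addresses (expected):", result["expected"])
    print("ASN 0 on global addresses (lookup failed?):", result["suspicious"])
    for problem in check_asn_config(SAMPLE_CONF):
        print("config:", problem)
```

On the thread's rows this reports the four 192.168.2.x hosts as expected zeros and 74.125.143.16 as the suspicious one; feeding the real ralabel.conf to check_asn_config with the default os.path.exists then shows whether the configured GeoIPASNum.dat paths actually exist on the host running ralabel.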