Why does the sas/das feature in rasqlinsert not work?

Carter Bullard carter at qosient.com
Tue Jul 23 10:48:47 EDT 2013


Please.  Use the available tools to demonstrate to yourself that you can generate useful data.
Then use programs like rasqlinsert() to push the data into a database table.

argus -r packet.data -w argus.data

Now you can use the tools to educate yourself on how the tools work.

ralabel -f ralabel.conf -r argus.data -s stime dur saddr sas daddr das

Set one method in ralabel() at a time, until you understand how the tools work.
Your ralabel.conf file references the file /usr/local/share/GeoIP/GeoIPASNum.dat.
Does it exist?

What do your labels look like?

ralabel -f ralabel.conf -r argus.data -s stime dur saddr daddr label:64


Carter


On Jul 23, 2013, at 10:39 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:

> First, I appreciate your time and apologize for bothering you with my questions. I really need it for my work.
> I'm so sorry, but this post is from yesterday, not a few weeks ago.
> I have read the manual of the commands several times, but I think I make a mistake somewhere.
> 
> This is a piece of my database. The feature does not work:
> 
> stime	ltime	dur	srcid	flgs	proto	saddr	sport	dir	daddr	dport	pkts	bytes	state	spkts	dpkts	sbytes	dbytes	das	sas	record
> 1.37E+09	1.37E+09	103.668	0.0.0.0	e sD	tcp	192.168.2.159	1066	->	74.125.143.16	465	23616	12965059	FIN	8022	15594	12026652	938407	0	0	...
> 1.37E+09	1.37E+09	71.71558	0.0.0.0	e dS	tcp	74.125.143.16	465	<?>	192.168.2.157	1047	12027	7356979	FIN	7368	4659	442223	6914756	0	0	...
> 1.37E+09	1.37E+09	49.26319	0.0.0.0	e dS	tcp	74.125.143.16	465	<?>	192.168.2.160	1043	7924	4842419	FIN	4869	3055	292283	4550136	0	0	...
> 1.37E+09	1.37E+09	38.95642	0.0.0.0	e dS	tcp	74.125.143.16	465	<?>	192.168.2.156	1047	6129	3729166	FIN	3768	2361	226225	3502941	0	0	...
>  
> Again, I thank you for your help, and wish you the best.
> 
> 
> 
> On Tue, Jul 23, 2013 at 6:53 PM, Carter Bullard <carter at qosient.com> wrote:
> I apologize, but why is it that you show up only a few weeks ago, and now everything is urgent?
> This is a developers mailing list, not a " I can't read the manual " list.
> 
> Please try to learn how to use the tools before bombarding the list with your requests for training.
> 
> You did not show what IP addresses have 0 AS numbers; I will presume that the feature works.
> 
> Carter
> 
> 
> On Jul 23, 2013, at 10:06 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
> 
>> Is there any idea for solving it?
>> I need it urgently.
>> 
>> Thanks in advance
>> 
>> 
>> On Tue, Jul 23, 2013 at 5:21 PM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>> My ralabel.conf file is the same as below, and I copied it to the /etc/ and /usr/local/argus/ directories.
>> All of the IP addresses are 0.
>> 
>> #
>> #  Argus Client Software
>> #  Copyright (c) 2000-2013 QoSient, LLC
>> #  All rights reserved.
>> #
>> #
>> # RaLabel Configuration
>> #
>> # Carter Bullard
>> # QoSient, LLC
>> #
>> #   This configuration is a ralabel(1) configuration file.
>> #
>> #   The concept is to provide a number of labeling strategies
>> #   with configuration capabilities for each of the labelers.
>> #   This allows the user to specify the order of the labeling,
>> #   which is provided to support hierarchical labeling.
>> #
>> #   Here is a valid and simple configuration file.   It doesn't do
>> #   anything in particular, but it is one that is used at some sites.
>> #
>> 
>> # Supported Labeling Strategies
>> # Address Based Classification
>> #    Address based classifications involve building a patricia tree
>> #    that we can hang labels against.  The strategy is to order the
>> #    address label configuration files, to develop a hierarchical
>> #    label scheme.
>> #
>> 
>> #    IANA IPv4 and IPv6 Address Classification Labeling
>> #
>> #    The type of IP network address can be used by many analysis
>> #    programs to make decisions.  While IANA standard classifications
>> #    don't change, this type of classification should be extendable
>> #    to allow local sites to provide additional labeling capabilities.
>> 
>> #RALABEL_IANA_ADDRESS=yes
>> #RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"
>> 
>> 
>> # Address Based Country Code Classification
>> #    Address based country code classification leverages the feature
>> #    where ra* clients can print country codes for the IP addresses
>> #    that are in a flow record.  Country codes are generated from the ARIN
>> #    delegated address space files.  Specify the location of your
>> #    DELEGATED_IP file here, or in your .rarc file (which is default).
>> #
>> #    Unlike the GeoIP based country code labeling, these codes can be sorted
>> #    filtered and aggregated, so if you want to do that type of operations
>> #    with country codes, enable this feature here.
>> #
>> 
>> #RALABEL_ARIN_COUNTRY_CODES=yes
>> #RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
>> 
>> 
>> # BIND Based Classification
>> #    BIND services provide address to name translations, and these
>> #    reverse lookup strategies can provide FQDN labels, or domain
>> #    labels that can be added to flow.  The IP addresses that can be
>> #    'labeled' are the saddr, daddr, or inode.  Keywords "yes" and "all"
>> #    are synonymous and result in labeling all three IP addresses.
>> #
>> #    Use this strategy to provide transient semantic enhancement based
>> #    on ip address values.
>> #
>> 
>> #RALABEL_BIND_NAME="all"
>> 
>> #
>> #    When labelers provide names, they can use blocking or non-blocking
>> #    resolvers to perform the lookups.  Blocking, the default, will cause
>> #    the labeler to wait for resolutions to return. This ensures that the
>> #    label will have the best answer in every flow record process, however
>> #    blocking resolvers can cause performance issues.  Non-blocking will
>> #    queue lookups and establish its name resolution cache, in a lazy
>> #    manner.
>> 
>> #RALABEL_BIND_NON_BLOCKING="no"
>> 
>> #
>> #    When labelers provide names, they can print the FQDN, the host portion
>> #    or just the domain name, depending on your uses of the name label.
>> #
>> 
>> #RALABEL_PRINT_DOMAINONLY="no"
>> #RALABEL_PRINT_LOCALONLY="no"
>> 
>> #
>> #    All name resolutions are cached, to improve performance.  This provides
>> #    the best performance, however, for long lived labeling daemons, a timeout
>> #    or TTL, can be placed on the name table, so that the labeler will
>> #    periodically requery for resolutions.
>> #    
>> #    The default is -1, which disables cache timeouts.
>> #    Zero (0) will turn off any caching and will have a performance impact.
>> 
>> #RALABEL_DNS_NAME_CACHE_TIMEOUT=-1
>> 
>> 
>> 
>> # Port Based Classification
>> #    Port based classifications involves simple assignment of a text
>> #    label to a specific port number.  While IANA standard classifications
>> #    are supported through the Unix /etc/services file assignments,
>> #    and the basic "src port" and "dst port" ra* filter schemes,
>> #    this scheme is used to enhance/modify that labeling strategy.
>> #    The text associated with a port number is placed in the metadata
>> #    label field, and is searched using the regular expression searching
>> #    strategies that are available to label matching.
>> #    
>> #    Use this strategy to provide transient semantic enhancement based   
>> #    on port values.
>> #
>> 
>> #RALABEL_IANA_PORT=yes
>> #RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
>> 
>> 
>> # Flow Filter Based Classification
>> #    Flow filter based classification uses the standard flow
>> #    filter strategies to provide a general purpose labeling scheme.
>> #    The concept is similar to racluster()'s fall through matching
>> #    scheme.  Fall through the list of filters, if it matches, add the
>> #    label.  If you want to continue through the list, once there is
>> #    a match,  add a "cont" to the end of the matching rule.
>> #
>> 
>> RALABEL_ARGUS_FLOW=yes
>> RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"
>> 
>> 
>> # GeoIP Based Labeling
>> #    The labeling features can use the databases provided by MaxMind
>> #    using the GeoIP LGPL libraries.  If your code was configured to use
>> #    these libraries, then enable the features here.
>> #    
>> #    GeoIP provides a lot of support for geo-location, configure support
>> #    by enabling a feature and providing the appropriate binary data files.
>> #    ASN reporting is done from a separate set of data files, obtained from
>> #    MaxMind.com, and so enabling this feature is independent of the
>> #    traditional city data available.
>> #
>> 
>> RALABEL_GEOIP_ASN=yes
>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>> RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
>> 
>> #
>> #    Data for city relevant data is enabled through enabling and configuring
>> #    the city database support.  The types of data available are:
>> #       country_code, country_code3, country_name, region, city, postal_code,
>> #       latitude, longitude, metro_code, area_code and continent_code.
>> #       time_offset is also available.  
>> #
>> #    The concept is that you should be able to add semantics for any
>> #    IP address that is in the argus record.  Support addresses are:
>> #
>> #       saddr, daddr, inode
>> #    
>> #    The labels provided will be tagged as:
>> #       scity, dcity, icity
>> #
>> #    To configure what you want to have placed in the label, use the list of
>> #    objects, in whatever order you like, as the RALABEL_GEOIP_CITY string
>> #    using these keywords:
>> #       cco   - country_code
>> #       cco3  - country_code3
>> #       cname - country_name
>> #       reg   - region
>> #       city  - city
>> #       pcode - postal_code
>> #       lat   - latitude
>> #       long  - longitude
>> #       metro - metro_code
>> #       area  - area_code
>> #       cont  - continent_code
>> #       off   - GMT time offset
>> #
>> #    Working examples could be:
>> #       RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
>> #       RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
>> #
>> RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"
>> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIP.dat"
>> RALABEL_GEOIP_V6_CITY_FILE="/usr/local/share/GeoIP/GeoIPv6.dat"
>> 
>> 
>> On Tue, Jul 23, 2013 at 5:03 PM, Carter Bullard <carter at qosient.com> wrote:
>> What are the contents of your ralabel.conf file, and what addresses are reporting 0?
>> Simply stating that something is not working is very impolite.
>> 
>> Carter 
>> 
>> On Jul 23, 2013, at 8:28 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>> 
>>> I solved the problem with this command, but the values of sas and das are still zero:
>>> 
>>> argus -r pcaped.pcap -F /dev/null -w - | ralabel -f ralabel.conf -r - -w - -s +sas +das | rasqlinsert -r - -w mysql://root@localhost/argus/a -s stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts bytes state spkts dpkts sbytes dbytes das sas
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Tue, Jul 23, 2013 at 10:59 AM, Mike Iglesias <iglesias at uci.edu> wrote:
>>> On 07/22/2013 10:54 PM, Rahimeh Khodadadi wrote:
>>> > Thank you very much indeed Matt, but when I run the command it gives such an error:
>>> 
>>> If you're not using the latest code that Carter put up today, try that and see
>>> if it fixes this error.  http://qosient.com/argus/dev/
>>> 
>>> 
>>> --
>>> Mike Iglesias                          Email:       iglesias at uci.edu
>>> University of California, Irvine       phone:       949-824-6926
>>> Office of Information Technology       FAX:         949-824-2270
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> With Best Regards
>>> Rahimeh Khodadadi
>>> 
>> 
>> 
>> 
>> 
>> -- 
>> With Best Regards
>> Rahimeh Khodadadi
>> 
>> 
>> 
>> 
>> -- 
>> With Best Regards
>> Rahimeh Khodadadi
>> 
> 
> 
> 
> 
> -- 
> With Best Regards
> Rahimeh Khodadadi
> 

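An added check, not from the thread or the argus project, for the first thing Carter asks about (does the data file the conf points at exist?): it reads a ralabel.conf and tests every enabled RALABEL_*_FILE path, so a missing GeoIPASNum.dat shows up before any records are pushed into a database. It assumes POSIX sh and the KEY="value" line form shown in the conf above; argus itself is not needed to run it.

```shell
#!/bin/sh
# Added example, not part of the thread or of the argus distribution.
# It reads a ralabel.conf and checks that every enabled RALABEL_*_FILE
# entry points at an existing file: a missing GeoIPASNum.dat is the
# first thing to rule out when sas/das are reported as 0.

# Print the value of an uncommented KEY=value line, quotes stripped.
conf_value() {
    # $1 = conf file, $2 = key name (letters, digits, underscore only)
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" |
        tail -n 1
}

# List the RALABEL_*_FILE keys that are enabled (not commented out).
enabled_file_keys() {
    sed -n 's/^[[:space:]]*\(RALABEL_[A-Z0-9_]*_FILE\)=.*/\1/p' "$1"
}

# Report each enabled data file as ok/MISSING; return 1 if any is missing.
check_ralabel_files() {
    conf=$1
    rc=0
    for key in $(enabled_file_keys "$conf"); do
        path=$(conf_value "$conf" "$key")
        if [ -f "$path" ]; then
            echo "ok      $key -> $path"
        else
            echo "MISSING $key -> $path"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_ralabel.sh /path/to/ralabel.conf
if [ $# -ge 1 ]; then
    check_ralabel_files "$1"
fi
```

Keys that name a file without the _FILE suffix (RA_DELEGATED_IP in the conf above) are not covered by the pattern and would need to be added to enabled_file_keys.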