Why sas das feature in rasqlinsert does not work?

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Tue Jul 23 11:02:13 EDT 2013


Thank you very much indeed, Carter.
I tested the simple command ralabel -f ralabel.conf -r argus.data -s
stime dur saddr sas daddr das; at that time it gives just saddr, daddr,
stime and dur.

Yes, I downloaded the file "GeoIPASNum.dat" and have copied it to that directory.
I don't know where the problem is.


On Tue, Jul 23, 2013 at 7:18 PM, Carter Bullard <carter at qosient.com> wrote:

> Please.  Use the available tools to demonstrate to yourself that you can
> generate useful data.
> Then use programs like rasqlinsert() to push the data into a database
> table.
>
> argus -r packet.data -w argus.data
>
> Now you can use the tools to educate yourself on how the tools work.
>
> ralabel -f ralabel.conf -r argus.data -s stime dur saddr sas daddr das
>
> Set one method in ralabel() at a time, until you understand how the tools
> work.
> Your ralabel.conf file references the
> file /usr/local/share/GeoIP/GeoIPASNum.dat.
> Does it exist ?
>
> What do your labels look like?
>
> ralabel -f ralabel.conf -r argus.data -s stime dur saddr daddr label:64
>
>
> Carter
>
>
> On Jul 23, 2013, at 10:39 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> First, I appreciate your time and apologize for bothering you with
> my questions. I really need it for my work.
> I'm so sorry, but this post is from yesterday, not a few weeks ago.
> I have read the manuals of the commands several times, but I think somewhere I
> make a mistake.
>
> This is a piece of my database. The feature does not work:
>
> stime     ltime     dur       srcid    flgs  proto saddr          sport dir  daddr          dport pkts   bytes     state spkts dpkts  sbytes    dbytes   das sas record
> 1.37E+09  1.37E+09  103.668   0.0.0.0  e sD  tcp   192.168.2.159  1066  ->   74.125.143.16  465   23616  12965059  FIN   8022  15594  12026652  938407   0   0   ...
> 1.37E+09  1.37E+09  71.71558  0.0.0.0  e dS  tcp   74.125.143.16  465   <?>  192.168.2.157  1047  12027  7356979   FIN   7368  4659   442223    6914756  0   0   ...
> 1.37E+09  1.37E+09  49.26319  0.0.0.0  e dS  tcp   74.125.143.16  465   <?>  192.168.2.160  1043  7924   4842419   FIN   4869  3055   292283    4550136  0   0   ...
> 1.37E+09  1.37E+09  38.95642  0.0.0.0  e dS  tcp   74.125.143.16  465   <?>  192.168.2.156  1047  6129   3729166   FIN   3768  2361   226225    3502941  0   0   ...
> Again I thanks for your helps, and wish the best for you.
>
>
>
> On Tue, Jul 23, 2013 at 6:53 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> I apologize, but why is it that you show up only a few weeks ago, and now
>> everything is urgent ?
>> This is a developers' mailing list, not an "I can't read the manual" list.
>>
>> Please try to learn how to use the tools before bombarding the list with
>> your requests for training.
>>
>> You did not show what IP addresses have 0 AS numbers, I will presume that
>> the feature works.
>>
>> Carter
>>
>>
>> On Jul 23, 2013, at 10:06 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>> Is there any idea for solving it?
>> I need it urgently.
>>
>> Thanks in advance
>>
>>
>> On Tue, Jul 23, 2013 at 5:21 PM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>>> My ralabel.conf file is the same as below, and I copied it to the /etc/ and
>>> /usr/local/argus/ directories.
>>> All of the IP addresses are 0.
>>>
>>> #
>>> #  Argus Client Software
>>> #  Copyright (c) 2000-2013 QoSient, LLC
>>> #  All rights reserved.
>>> #
>>> #
>>> # RaLabel Configuration
>>> #
>>> # Carter Bullard
>>> # QoSient, LLC
>>> #
>>> #   This configuration is a ralabel(1) configuration file.
>>> #
>>> #   The concept is to provide a number of labeling strategies
>>> #   with configuration capabilities for each of the labelers.
>>> #   This allows the user to specify the order of the labeling,
>>> #   which is provided to support hierarchical labeling.
>>> #
>>> #   Here is a valid and simple configuration file.   It doesn't do
>>> #   anything in particular, but it is one that is used at some sites.
>>> #
>>>
>>> # Supported Labeling Strategies
>>> # Address Based Classification
>>> #    Address based classifications involve building a patricia tree
>>> #    that we can hang labels against.  The strategy is to order the
>>> #    address label configuration files, to develop a hierarchical
>>> #    label scheme.
>>> #
>>>
>>> #    IANA IPv4 and IPv6 Address Classification Labeling
>>> #
>>> #    The type of IP network address can be used by many analysis
>>> #    programs to make decisions.  While IANA standard classifications
>>> #    don't change, this type of classification should be extendable
>>> #    to allow local sites to provide additional labeling capabilities.
>>>
>>> #RALABEL_IANA_ADDRESS=yes
>>> #RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"
>>>
>>>
>>> # Address Based Country Code Classification
>>> #    Address based country code classification leverages the feature
>>> #    where ra* clients can print country codes for the IP addresses
>>> #    that are in a flow record.  Country codes are generated from the ARIN
>>> #    delegated address space files.  Specify the location of your
>>> #    DELEGATED_IP file here, or in your .rarc file (which is default).
>>> #
>>> #    Unlike the GeoIP based country code labeling, these codes can be sorted,
>>> #    filtered and aggregated, so if you want to do that type of operation
>>> #    with country codes, enable this feature here.
>>> #
>>> #
>>>
>>> #RALABEL_ARIN_COUNTRY_CODES=yes
>>> #RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
>>>
>>>
>>> # BIND Based Classification
>>> #    BIND services provide address to name translations, and these
>>> #    reverse lookup strategies can provide FQDN labels, or domain
>>> #    labels that can be added to flow.  The IP addresses that can be
>>> #    'labeled' are the saddr, daddr, or inode.  Keywords "yes" and "all"
>>> #    are synonymous and result in labeling all three IP addresses.
>>> #
>>> #    Use this strategy to provide transient semantic enhancement based
>>> #    on ip address values.
>>> #
>>>
>>> #RALABEL_BIND_NAME="all"
>>>
>>> #
>>> #    When labelers provide names, they can use blocking or non-blocking
>>> #    resolvers to perform the lookups.  Blocking, the default, will cause
>>> #    the labeler to wait for resolutions to return. This ensures that the
>>> #    label will have the best answer in every flow record process, however
>>> #    blocking resolvers can cause performance issues.  Non-blocking will
>>> #    queue lookups and establish its name resolution cache, in a lazy
>>> #    manner.
>>>
>>> #RALABEL_BIND_NON_BLOCKING="no"
>>>
>>> #
>>> #    When labelers provide names, they can print the FQDN, the host portion
>>> #    or just the domain name, depending on your uses of the name label.
>>> #
>>>
>>> #RALABEL_PRINT_DOMAINONLY="no"
>>> #RALABEL_PRINT_LOCALONLY="no"
>>>
>>> #
>>> #    All name resolutions are cached, to improve performance.  This provides
>>> #    the best performance, however, for long lived labeling daemons, a timeout
>>> #    or TTL, can be placed on the name table, so that the labeler will
>>> #    periodically requery for resolutions.
>>> #
>>> #    The default is -1, which disables cache timeouts.
>>> #    Zero (0) will turn off any caching and will have a performance impact.
>>>
>>> #RALABEL_DNS_NAME_CACHE_TIMEOUT=-1
>>>
>>>
>>>
>>> # Port Based Classification
>>> #    Port based classification involves simple assignment of a text
>>> #    label to a specific port number.  While IANA standard classifications
>>> #    are supported through the Unix /etc/services file assignments,
>>> #    and the basic "src port" and "dst port" ra* filter schemes,
>>> #    this scheme is used to enhance/modify that labeling strategy.
>>> #    The text associated with a port number is placed in the metadata
>>> #    label field, and is searched using the regular expression searching
>>> #    strategies that are available to label matching.
>>> #
>>> #    Use this strategy to provide transient semantic enhancement based
>>> #    on port values.
>>> #
>>>
>>> #RALABEL_IANA_PORT=yes
>>> #RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
>>>
>>>
>>> # Flow Filter Based Classification
>>> #    Flow filter based classification uses the standard flow
>>> #    filter strategies to provide a general purpose labeling scheme.
>>> #    The concept is similar to racluster()'s fall through matching
>>> #    scheme.  Fall through the list of filters, if it matches, add the
>>> #    label.  If you want to continue through the list, once there is
>>> #    a match,  add a "cont" to the end of the matching rule.
>>> #
>>>
>>> RALABEL_ARGUS_FLOW=yes
>>> RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"
>>>
>>>
>>> # GeoIP Based Labeling
>>> #    The labeling features can use the databases provided by MaxMind
>>> #    using the GeoIP LGPL libraries.  If your code was configured to use
>>> #    these libraries, then enable the features here.
>>> #
>>> #    GeoIP provides a lot of support for geo-location, configure support
>>> #    by enabling a feature and providing the appropriate binary data files.
>>> #    ASN reporting is done from a separate set of data files, obtained from
>>> #    MaxMind.com, and so enabling this feature is independent of the
>>> #    traditional city data available.
>>> #
>>>
>>> RALABEL_GEOIP_ASN=yes
>>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>>> RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
>>>
>>> #
>>> #    Data for city relevant data is enabled through enabling and configuring
>>> #    the city database support.  The types of data available are:
>>> #       country_code, country_code3, country_name, region, city, postal_code,
>>> #       latitude, longitude, metro_code, area_code and continent_code.
>>> #       time_offset is also available.
>>> #
>>> #    The concept is that you should be able to add semantics for any
>>> #    IP address that is in the argus record.  Support addresses are:
>>> #
>>> #       saddr, daddr, inode
>>> #
>>> #    The labels provided will be tagged as:
>>> #       scity, dcity, icity
>>> #
>>> #    To configure what you want to have placed in the label, use the list of
>>> #    objects, in whatever order you like, as the RALABEL_GEOIP_CITY string
>>> #    using these keywords:
>>> #       cco   - country_code
>>> #       cco3  - country_code3
>>> #       cname - country_name
>>> #       reg   - region
>>> #       city  - city
>>> #       pcode - postal_code
>>> #       lat   - latitude
>>> #       long  - longitude
>>> #       metro - metro_code
>>> #       area  - area_code
>>> #       cont  - continent_code
>>> #       off   - GMT time offset
>>> #
>>> #    Working examples could be:
>>> #       RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
>>> #       RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
>>> #
>>> RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"
>>> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIP.dat"
>>> RALABEL_GEOIP_V6_CITY_FILE="/usr/local/share/GeoIP/GeoIPv6.dat"
>>>
>>>
>>> On Tue, Jul 23, 2013 at 5:03 PM, Carter Bullard <carter at qosient.com> wrote:
>>>
>>>> What are the contents of your ralabel.conf file, and what addresses are
>>>> reporting 0?
>>>> Simply stating that something is not working is very impolite.
>>>>
>>>> Carter
>>>>
>>>> On Jul 23, 2013, at 8:28 AM, Rahimeh Khodadadi <
>>>> rahimeh.khodadadi at gmail.com> wrote:
>>>>
>>>> I solved the problem by this command, but still the values of sas and
>>>> das are zero:
>>>>
>>>> argus -r pcaped.pcap -F /dev/null -w - | \
>>>>   ralabel -f ralabel.conf -r - -w - -s +sas +das | \
>>>>   rasqlinsert -r - -w mysql://root@localhost/argus/a \
>>>>     -s stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts \
>>>>        bytes state spkts dpkts sbytes dbytes das sas
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jul 23, 2013 at 10:59 AM, Mike Iglesias <iglesias at uci.edu> wrote:
>>>>
>>>>> On 07/22/2013 10:54 PM, Rahimeh Khodadadi wrote:
>>>>> > Thank you very much indeed, Matt, but when I run the command it gives
>>>>> > such an error:
>>>>>
>>>>> If you're not using the latest code that Carter put up today, try that
>>>>> and see
>>>>> if it fixes this error.  http://qosient.com/argus/dev/
>>>>>
>>>>>
>>>>> --
>>>>> Mike Iglesias                          Email:       iglesias at uci.edu
>>>>> University of California, Irvine       phone:       949-824-6926
>>>>> Office of Information Technology       FAX:         949-824-2270
>>>>>
>>>>>
>>>>


-- 
With Best Regards
Rahimeh Khodadadi
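An added example, not code from the thread or from the argus distribution: a small Python triage script for the question Carter keeps asking ("what addresses are reporting 0?"). It assumes the ralabel/ra output was printed with `-s saddr sas daddr das` (four whitespace-separated columns per record; a header line, if present, is skipped because its AS columns are not integers), checks that the GeoIP ASN file from the posted configuration is actually present and readable, and then separates two very different reasons for a zero AS number. The sample lines are constructed to mirror the posted records; the header column names in them are an assumption. The point the thread's records do not make explicit: 192.168.2.x is RFC 1918 private space, which is never announced in BGP, so no ASN database can label it and AS 0 is the expected answer there. Only a zero on a public address such as 74.125.143.16 says the GeoIP ASN labeler did not run or could not open its database.

```python
"""Triage zero sas/das values in argus ralabel output (added example).

Assumptions, not taken from the thread: output was produced with
`-s saddr sas daddr das`, so every record line has exactly four
whitespace-separated columns.  Header lines are skipped automatically.
"""
import ipaddress
import os

# Constructed sample shaped like the posted records: a private client
# talking to 74.125.143.16 on port 465, every AS reported as 0.
# The header names below are an assumption, not ra's real header.
SAMPLE_OUTPUT = """\
            SrcAddr  sAS               DstAddr  dAS
      192.168.2.159    0         74.125.143.16    0
      74.125.143.16    0         192.168.2.157    0
      74.125.143.16    0         192.168.2.160    0
"""

# Path taken from the posted ralabel.conf.
ASN_DB = "/usr/local/share/GeoIP/GeoIPASNum.dat"

# One-strategy configuration, following the advice to enable one labeler
# at a time: run `ralabel -f asn-only.conf -r argus.data -s saddr sas daddr das`
# and feed the text to triage() below.
MINIMAL_ASN_CONF = (
    "RALABEL_GEOIP_ASN=yes\n"
    f'RALABEL_GEOIP_ASN_FILE="{ASN_DB}"\n'
)


def check_asn_database(path):
    """Return 'ok', 'missing', 'empty' or 'unreadable' for the ASN data file."""
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) == 0:
        return "empty"
    if not os.access(path, os.R_OK):
        return "unreadable"
    return "ok"


def parse_ra_output(text):
    """Parse `saddr sas daddr das` lines; skip headers and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        saddr, sas, daddr, das = parts
        try:
            records.append((ipaddress.ip_address(saddr), int(sas),
                            ipaddress.ip_address(daddr), int(das)))
        except ValueError:  # header line or garbage, not a record
            continue
    return records


def classify(addr, asn):
    """Explain one AS value for one address."""
    if asn != 0:
        return "labeled"
    if not addr.is_global:
        # RFC 1918, loopback, link-local, multicast and similar ranges are
        # never announced in BGP; an ASN database cannot label them, so
        # AS 0 is correct and says nothing about the labeler.
        return "no-asn-expected"
    # A public address with AS 0 is the real symptom: the GeoIP ASN
    # labeler did not run, or could not open its data file.
    return "lookup-failed"


def triage(text):
    """Map each distinct address to its verdict; 'labeled' wins if an
    address was ever labeled, so a single success is not masked."""
    verdicts = {}
    for saddr, sas, daddr, das in parse_ra_output(text):
        for addr, asn in ((saddr, sas), (daddr, das)):
            key = str(addr)
            if verdicts.get(key) != "labeled":
                verdicts[key] = classify(addr, asn)
    return verdicts


if __name__ == "__main__":
    print("ASN database:", check_asn_database(ASN_DB))
    for address, verdict in sorted(triage(SAMPLE_OUTPUT).items()):
        print(f"{address:>16}  {verdict}")
```

If `check_asn_database` reports anything but `ok`, fix that before touching the configuration; if it reports `ok` and public addresses still come back as `lookup-failed`, the labeler is not running on those records, and the `label:64` column Carter suggests is the next thing to look at.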