Why does the sas/das feature in rasqlinsert not work?
Rahimeh Khodadadi
rahimeh.khodadadi at gmail.com
Tue Jul 23 11:12:02 EDT 2013
When I run this command, it gives me this:
13:23:44.038524 0.000000 192.168.2.158 46.203.170.143
13:23:45.425982 2.959139 192.168.2.157 173.194.71.16
13:23:48.721902 0.000000 192.168.2.160 99.181.217.139
13:23:48.894962 0.000401 192.168.2.158 192.168.2.254
13:23:48.895565 0.000318 192.168.2.158 192.168.2.254
All the commands are good, but the sas and das fields just don't work.
On Tue, Jul 23, 2013 at 7:36 PM, Carter Bullard <carter at qosient.com> wrote:
> You are not providing the information requested.
> Your ralabel.conf file has a large number of operations: geolocation data, AS labeling, and flow labeling.
>
> What is the label that is being generated by ralabel() when you run it?
>
> ralabel -f ralabel.conf -r argus.data -s stime dur saddr daddr label:64
>
> If you don't think ralabel is doing the right thing, run it with the "-D 12" option,
> assuming you have turned on debugging, to see what it thinks is going on.
>
> Carter
>
> On Jul 23, 2013, at 11:02 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>
> Thank you very much indeed, Carter.
> I tested the simple command ralabel -f ralabel.conf -r argus.data -s
> stime dur saddr sas daddr das, and at that time it gives just saddr, daddr,
> stime and dur.
>
> Yes, I downloaded the file "GeoIPASNum.dat" and have copied it to that directory.
> I don't know where the problem is.
>
>
> On Tue, Jul 23, 2013 at 7:18 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Please. Use the available tools to demonstrate to yourself that you can
>> generate useful data.
>> Then use programs like rasqlinsert() to push the data into a database
>> table.
>>
>> argus -r packet.data -w argus.data
>>
>> Now you can use the tools to educate yourself on how the tools work.
>>
>> ralabel -f ralabel.conf -r argus.data -s stime dur saddr sas daddr das
>>
>> Set one method in ralabel() at a time, until you understand how the tools
>> work.
>> Your ralabel.conf file references the file /usr/local/share/GeoIP/GeoIPASNum.dat.
>> Does it exist?
>>
>> What do your labels look like?
>>
>> ralabel -f ralabel.conf -r argus.data -s stime dur saddr daddr label:64
>>
>>
>> Carter
>>
>>
>> On Jul 23, 2013, at 10:39 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>
>> First, I appreciate your time and apologize for bothering you with
>> my questions. I really need it for my work.
>> I'm so sorry, but this post is from yesterday, not a few weeks ago.
>> I have read the manual of the commands several times, but I think somewhere I
>> make a mistake.
>>
>> This is a piece of my database. The feature does not work:
>>
>> stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts bytes state spkts dpkts sbytes dbytes das sas record
>> 1.37E+09 1.37E+09 103.668 0.0.0.0 e sD tcp 192.168.2.159 1066 -> 74.125.143.16 465 23616 12965059 FIN 8022 15594 12026652 938407 0 0 ...
>> 1.37E+09 1.37E+09 71.71558 0.0.0.0 e dS tcp 74.125.143.16 465 <?> 192.168.2.157 1047 12027 7356979 FIN 7368 4659 442223 6914756 0 0 ...
>> 1.37E+09 1.37E+09 49.26319 0.0.0.0 e dS tcp 74.125.143.16 465 <?> 192.168.2.160 1043 7924 4842419 FIN 4869 3055 292283 4550136 0 0 ...
>> 1.37E+09 1.37E+09 38.95642 0.0.0.0 e dS tcp 74.125.143.16 465 <?> 192.168.2.156 1047 6129 3729166 FIN 3768 2361 226225 3502941 0 0 ...
>> Again, I thank you for your help, and wish the best for you.
>>
>>
>>
>> On Tue, Jul 23, 2013 at 6:53 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> I apologize, but why is it that you show up only a few weeks ago, and
>>> now everything is urgent?
>>> This is a developers mailing list, not an "I can't read the manual"
>>> list.
>>>
>>> Please try to learn how to use the tools before bombarding the list with
>>> your requests for training.
>>>
>>> You did not show what IP addresses have 0 AS numbers. I will presume
>>> that the feature works.
>>>
>>> Carter
>>>
>>>
>>> On Jul 23, 2013, at 10:06 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>>
>>> Is there any idea for solving it???
>>> I need it urgently.
>>>
>>> Thanks in advance
>>>
>>>
>>> On Tue, Jul 23, 2013 at 5:21 PM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>>
>>>> My ralabel.conf file is the same as below, and I copied it to the /etc/ and
>>>> /usr/local/argus/ directories.
>>>> All of the IP addresses are 0.
>>>>
>>>> #
>>>> # Argus Client Software
>>>> # Copyright (c) 2000-2013 QoSient, LLC
>>>> # All rights reserved.
>>>> #
>>>> #
>>>> # RaLabel Configuration
>>>> #
>>>> # Carter Bullard
>>>> # QoSient, LLC
>>>> #
>>>> # This configuration is a ralabel(1) configuration file.
>>>> #
>>>> # The concept is to provide a number of labeling strategies
>>>> # with configuration capabilities for each of the labelers.
>>>> # This allows the user to specify the order of the labeling,
>>>> # which is provided to support hierarchical labeling.
>>>> #
>>>> # Here is a valid and simple configuration file. It doesn't do
>>>> # anything in particular, but it is one that is used at some sites.
>>>> #
>>>>
>>>> # Supported Labeling Strategies
>>>> # Address Based Classification
>>>> # Address based classifications involve building a patricia tree
>>>> # that we can hang labels against. The strategy is to order the
>>>> # address label configuration files, to develop a hierarchical
>>>> # label scheme.
>>>> #
>>>>
>>>> # IANA IPv4 and IPv6 Address Classification Labeling
>>>> #
>>>> # The type of IP network address can be used by many analysis
>>>> # programs to make decisions. While IANA standard classifications
>>>> # don't change, this type of classification should be extendable
>>>> # to allow local sites to provide additional labeling capabilities.
>>>>
>>>> #RALABEL_IANA_ADDRESS=yes
>>>> #RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"
>>>>
>>>>
>>>> # Address Based Country Code Classification
>>>> # Address based country code classification leverages the feature
>>>> # where ra* clients can print country codes for the IP addresses
>>>> # that are in a flow record. Country codes are generated from the ARIN
>>>> # delegated address space files. Specify the location of your
>>>> # DELEGATED_IP file here, or in your .rarc file (which is default).
>>>> #
>>>> # Unlike the GeoIP based country code labeling, these codes can be sorted,
>>>> # filtered and aggregated, so if you want to do that type of operations
>>>> # with country codes, enable this feature here.
>>>> #
>>>>
>>>> #RALABEL_ARIN_COUNTRY_CODES=yes
>>>> #RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
>>>>
>>>>
>>>> # BIND Based Classification
>>>> # BIND services provide address to name translations, and these
>>>> # reverse lookup strategies can provide FQDN labels, or domain
>>>> # labels that can be added to flow. The IP addresses that can be
>>>> # 'labeled' are the saddr, daddr, or inode. Keywords "yes" and "all"
>>>> # are synonymous and result in labeling all three IP addresses.
>>>> #
>>>> # Use this strategy to provide transient semantic enhancement based
>>>> # on ip address values.
>>>> #
>>>>
>>>> #RALABEL_BIND_NAME="all"
>>>>
>>>> #
>>>> # When labelers provide names, they can use blocking or non-blocking
>>>> # resolvers to perform the lookups. Blocking, the default, will cause
>>>> # the labeler to wait for resolutions to return. This ensures that the
>>>> # label will have the best answer in every flow record process, however
>>>> # blocking resolvers can cause performance issues. Non-blocking will
>>>> # queue lookups and establish its name resolution cache, in a lazy
>>>> # manner.
>>>>
>>>> #RALABEL_BIND_NON_BLOCKING="no"
>>>>
>>>> #
>>>> # When labelers provide names, they can print the FQDN, the host portion
>>>> # or just the domain name, depending on your uses of the name label.
>>>> #
>>>>
>>>> #RALABEL_PRINT_DOMAINONLY="no"
>>>> #RALABEL_PRINT_LOCALONLY="no"
>>>>
>>>> #
>>>> # All name resolutions are cached, to improve performance. This provides
>>>> # the best performance, however, for long lived labeling daemons, a timeout
>>>> # or TTL, can be placed on the name table, so that the labeler will
>>>> # periodically requery for resolutions.
>>>> #
>>>> # The default is -1, which disables cache timeouts.
>>>> # Zero (0) will turn off any caching and will have a performance impact.
>>>>
>>>> #RALABEL_DNS_NAME_CACHE_TIMEOUT=-1
>>>>
>>>>
>>>>
>>>> # Port Based Classification
>>>> # Port based classifications involve simple assignment of a text
>>>> # label to a specific port number. While IANA standard classifications
>>>> # are supported through the Unix /etc/services file assignments,
>>>> # and the basic "src port" and "dst port" ra* filter schemes,
>>>> # this scheme is used to enhance/modify that labeling strategy.
>>>> # The text associated with a port number is placed in the metadata
>>>> # label field, and is searched using the regular expression searching
>>>> # strategies that are available to label matching.
>>>> #
>>>> # Use this strategy to provide transient semantic enhancement based
>>>> # on port values.
>>>> #
>>>>
>>>> #RALABEL_IANA_PORT=yes
>>>> #RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
>>>>
>>>>
>>>> # Flow Filter Based Classification
>>>> # Flow filter based classification uses the standard flow
>>>> # filter strategies to provide a general purpose labeling scheme.
>>>> # The concept is similar to racluster()'s fall through matching
>>>> # scheme. Fall through the list of filters, if it matches, add the
>>>> # label. If you want to continue through the list, once there is
>>>> # a match, add a "cont" to the end of the matching rule.
>>>> #
>>>>
>>>> RALABEL_ARGUS_FLOW=yes
>>>> RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"
>>>>
>>>>
>>>> # GeoIP Based Labeling
>>>> # The labeling features can use the databases provided by MaxMind
>>>> # using the GeoIP LGPL libraries. If your code was configured to use
>>>> # these libraries, then enable the features here.
>>>> #
>>>> # GeoIP provides a lot of support for geo-location, configure support
>>>> # by enabling a feature and providing the appropriate binary data files.
>>>> # ASN reporting is done from a separate set of data files, obtained from
>>>> # MaxMind.com, and so enabling this feature is independent of the
>>>> # traditional city data available.
>>>> #
>>>>
>>>> RALABEL_GEOIP_ASN=yes
>>>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>>>> RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
>>>>
>>>> #
>>>> # Data for city relevant data is enabled through enabling and configuring
>>>> # the city database support. The types of data available are:
>>>> # country_code, country_code3, country_name, region, city, postal_code,
>>>> # latitude, longitude, metro_code, area_code and continent_code.
>>>> # time_offset is also available.
>>>> #
>>>> # The concept is that you should be able to add semantics for any
>>>> # IP address that is in the argus record. Supported addresses are:
>>>> #
>>>> # saddr, daddr, inode
>>>> #
>>>> # The labels provided will be tagged as:
>>>> # scity, dcity, icity
>>>> #
>>>> # To configure what you want to have placed in the label, use the list of
>>>> # objects, in whatever order you like, as the RALABEL_GEOIP_CITY string
>>>> # using these keywords:
>>>> # cco - country_code
>>>> # cco3 - country_code3
>>>> # cname - country_name
>>>> # reg - region
>>>> # city - city
>>>> # pcode - postal_code
>>>> # lat - latitude
>>>> # long - longitude
>>>> # metro - metro_code
>>>> # area - area_code
>>>> # cont - continent_code
>>>> # off - GMT time offset
>>>> #
>>>> # Working examples could be:
>>>> # RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
>>>> # RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
>>>> #
>>>> RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"
>>>> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIP.dat"
>>>> RALABEL_GEOIP_V6_CITY_FILE="/usr/local/share/GeoIP/GeoIPv6.dat"
>>>>
>>>>
>>>> On Tue, Jul 23, 2013 at 5:03 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>
>>>>> What are the contents of your ralabel.conf file, and what addresses
>>>>> are reporting 0?
>>>>> Simply stating that something is not working is very impolite.
>>>>>
>>>>> Carter
>>>>>
>>>>> On Jul 23, 2013, at 8:28 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>>>>
>>>>> I solved the problem with this command, but the values of sas and
>>>>> das are still zero?????
>>>>>
>>>>> argus -r pcaped.pcap -F /dev/null -w - \
>>>>>   | ralabel -f ralabel.conf -r - -w - -s +sas +das \
>>>>>   | rasqlinsert -r - -w mysql://root@localhost/argus/a \
>>>>>       -s stime ltime dur srcid flgs proto saddr sport dir daddr dport \
>>>>>          pkts bytes state spkts dpkts sbytes dbytes das sas
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jul 23, 2013 at 10:59 AM, Mike Iglesias <iglesias at uci.edu> wrote:
>>>>>
>>>>>> On 07/22/2013 10:54 PM, Rahimeh Khodadadi wrote:
>>>>>> > Thank you very much indeed Matt, but when I run the command it gives
>>>>>> > such an error:
>>>>>>
>>>>>> If you're not using the latest code that Carter put up today, try that and see
>>>>>> if it fixes this error. http://qosient.com/argus/dev/
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Mike Iglesias                      Email: iglesias at uci.edu
>>>>>> University of California, Irvine   phone: 949-824-6926
>>>>>> Office of Information Technology   FAX:   949-824-2270
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> With Best Regards
>>>>> Rahimeh Khodadadi
--
With Best Regards
Rahimeh Khodadadi
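Carter's advice in the thread comes down to one check before anything else: does every labeler that ralabel.conf switches on actually find the data file it references (for sas/das, the RALABEL_GEOIP_ASN_FILE)? The script below is an added example, not code from the thread or from the argus project; it reads a ralabel.conf, reports each active file setting as present or missing, and builds its own constructed sample config under a temporary directory (it assumes paths contain no whitespace, and does not need argus or real GeoIP data).

```shell
#!/bin/sh
# Added example, not argus code. Lists every active (uncommented) data-file
# setting in a ralabel.conf and reports whether the file exists. A labeler
# such as RALABEL_GEOIP_ASN=yes cannot fill sas/das when its
# RALABEL_GEOIP_ASN_FILE is missing, so check this before "ralabel -D 12".
# Returns 0 when every referenced file exists, 1 otherwise.
check_ralabel_files() {
    conf="$1"
    missing=0
    # Active RALABEL_*_FILE / RA_DELEGATED_IP lines, whitespace removed so
    # the for loop sees exactly one KEY="value" word per line.
    for line in $(grep -E '^[[:space:]]*(RALABEL_[A-Z0-9_]+_FILE|RA_DELEGATED_IP)=' "$conf" | tr -d ' \t'); do
        key=${line%%=*}
        value=${line#*=}
        value=${value#\"}      # strip the surrounding double quotes, if any
        value=${value%\"}
        if [ -f "$value" ]; then
            echo "ok      $key -> $value"
        else
            echo "MISSING $key -> $value"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# True when the GeoIP ASN labeler (the one that produces sas/das) is enabled.
asn_labeling_enabled() {
    grep -Eq '^[[:space:]]*RALABEL_GEOIP_ASN=yes' "$1"
}

# Constructed sample (no real GeoIP data): mirrors the thread's ralabel.conf,
# but only the IPv4 ASN database exists under a temporary directory.
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/GeoIP"
    : > "$dir/GeoIP/GeoIPASNum.dat"
    cat > "$dir/ralabel.conf" <<EOF
#RALABEL_IANA_ADDRESS_FILE="$dir/iana-address-file"
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="$dir/GeoIP/GeoIPASNum.dat"
RALABEL_GEOIP_V6_ASN_FILE="$dir/GeoIP/GeoIPASNumv6.dat"
EOF
    echo "$dir/ralabel.conf"
}

conf=$(make_sample_conf)
asn_labeling_enabled "$conf" && echo "RALABEL_GEOIP_ASN is enabled in $conf"
check_ralabel_files "$conf" || echo "at least one referenced data file is missing"
```

Point check_ralabel_files at the real /etc/ralabel.conf to get the same report for a live installation; the commented-out IANA entry in the sample shows that disabled settings are ignored.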