Why sas das feature in rasqlinsert does not work?

Carter Bullard carter at qosient.com
Tue Jul 23 11:29:37 EDT 2013


No, no no no no !!!!
Have you not done even the simplest of things to get started?
Why aren't you getting column labels in your printout?
Don't you have a .rarc file installed?  ( cp ./support/Config/rarc ~/.rarc )

Where is the label ?
Why aren't you showing what command you actually ran ??

Have you installed the GeoIP C language libraries ??
Did you read the descriptions of how to use GeoIP from the web site?
Did you re-configure and recompile your client code after you installed the library ?
Did you demonstrate to yourself, that the configure found the GeoIP library successfully ?
Did you demonstrate to yourself that the linker uses the -lGeoIP option ??
What is the output of " ldd /usr/local/bin/ralabel " ??  Is there mention of the GeoIP library ?

Did you run with the " -D 12 " option ????

Please, do a bit more than simply state " it doesn't work ".

Carter 

On Jul 23, 2013, at 11:12 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:

> When I run this command it gives me something like:
> 
> 13:23:44.038524   0.000000      192.168.2.158     46.203.170.143
> 13:23:45.425982   2.959139      192.168.2.157      173.194.71.16
> 13:23:48.721902   0.000000      192.168.2.160     99.181.217.139
> 13:23:48.894962   0.000401      192.168.2.158      192.168.2.254
> 13:23:48.895565   0.000318      192.168.2.158      192.168.2.254
>   
> all commands are good but the sas, das fields just don't work.
> 
> 
> On Tue, Jul 23, 2013 at 7:36 PM, Carter Bullard <carter at qosient.com> wrote:
> You are not providing the information requested.
> Your ralabel.conf file has a large number of operations.  Geolocation data, AS labeling,
> and flow labeling.
> 
> What is the label that is being generated by ralabel() when you run it?
> 
>    ralabel -f ralabel.conf -r argus.data -s stime dur saddr daddr label:64
> 
> If you don't think ralabel is doing the right thing, run it with the "-D 12" option,
> assuming you have turned on debugging, to see what it thinks is going on.
> 
> Carter
> 
> On Jul 23, 2013, at 11:02 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
> 
>> Thank you very much indeed Carter.
>> I tested the simple command ralabel -f ralabel.conf -r argus.data -s stime dur saddr sas daddr das, and it gives just saddr, daddr, stime and dur.
>> 
>> Yes, I downloaded the file "GeoIPASNum.dat" and have copied it to that directory.
>> I don't know where the problem is.
>> 
>> 
>> On Tue, Jul 23, 2013 at 7:18 PM, Carter Bullard <carter at qosient.com> wrote:
>> Please.  Use the available tools to demonstrate to yourself that you can generate useful data.
>> Then use programs like rasqlinsert() to push the data into a database table.
>> 
>> argus -r packet.data -w argus.data
>> 
>> now you can use the tools to educate yourself on how the tools work.
>> 
>> ralabel -f ralabel.conf -r argus.data -s stime dur saddr sas daddr das
>> 
>> Set one method in ralabel() at a time, until you understand how the tools work.
>> Your ralabel.conf file references the file /usr/local/share/GeoIP/GeoIPASNum.dat.
>> Does it exist ?
>> 
>> What do your labels look like?
>> 
>> ralabel -f ralabel.conf -r argus.data -s stime dur saddr daddr label:64
>> 
>> 
>> Carter
>> 
>> 
>> On Jul 23, 2013, at 10:39 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>> 
>>> First, I appreciate your time and apologize for bothering you with my questions. I really need it for my work.
>>> I'm so sorry, but this post is from yesterday, not a few weeks ago.
>>> I have read the manual of the commands several times, but I think I make a mistake somewhere.
>>> 
>>> This is a piece of my database. The feature does not work:
>>> 
>>> stime	ltime	dur	srcid	flgs	proto	saddr	sport	dir	daddr	dport	pkts	bytes	state	spkts	dpkts	sbytes	dbytes	das	sas	record
>>> 1.37E+09	1.37E+09	103.668	0.0.0.0	e sD	tcp	192.168.2.159	1066	->	74.125.143.16	465	23616	12965059	FIN	8022	15594	12026652	938407	0	0	...
>>> 1.37E+09	1.37E+09	71.71558	0.0.0.0	e dS	tcp	74.125.143.16	465	<?>	192.168.2.157	1047	12027	7356979	FIN	7368	4659	442223	6914756	0	0	...
>>> 1.37E+09	1.37E+09	49.26319	0.0.0.0	e dS	tcp	74.125.143.16	465	<?>	192.168.2.160	1043	7924	4842419	FIN	4869	3055	292283	4550136	0	0	...
>>> 1.37E+09	1.37E+09	38.95642	0.0.0.0	e dS	tcp	74.125.143.16	465	<?>	192.168.2.156	1047	6129	3729166	FIN	3768	2361	226225	3502941	0	0	...
>>>  
>>> Again I thank you for your help, and wish the best for you.
>>> 
>>> 
>>> 
>>> On Tue, Jul 23, 2013 at 6:53 PM, Carter Bullard <carter at qosient.com> wrote:
>>> I apologize, but why is it that you show up only a few weeks ago, and now everything is urgent ?
>>> This is a developers mailing list, not a " I can't read the manual " list.
>>> 
>>> Please try to learn how to use the tools before bombarding the list with your requests for training.
>>> 
>>> You did not show what IP addresses have 0 AS numbers; I will presume that the feature works.
>>> 
>>> Carter
>>> 
>>> 
>>> On Jul 23, 2013, at 10:06 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>> 
>>>> Is there any idea for solving it???
>>>> I need it urgently.
>>>> 
>>>> Thanks in advance
>>>> 
>>>> 
>>>> On Tue, Jul 23, 2013 at 5:21 PM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>>> My ralabel.conf file is the same as below, and I copied it to the /etc/ and /usr/local/argus/ directories.
>>>> All of the IP addresses are 0.
>>>> 
>>>> #
>>>> #  Argus Client Software
>>>> #  Copyright (c) 2000-2013 QoSient, LLC
>>>> #  All rights reserved.
>>>> #
>>>> #
>>>> # RaLabel Configuration
>>>> #
>>>> # Carter Bullard
>>>> # QoSient, LLC
>>>> #
>>>> #   This configuration is a ralabel(1) configuration file.
>>>> #
>>>> #   The concept is to provide a number of labeling strategies
>>>> #   with configuration capabilities for each of the labelers.
>>>> #   This allows the user to specify the order of the labeling,
>>>> #   which is provided to support hierarchical labeling.
>>>> #
>>>> #   Here is a valid and simple configuration file.   It doesn't do
>>>> #   anything in particular, but it is one that is used at some sites.
>>>> #
>>>> 
>>>> # Supported Labeling Strategies
>>>> # Address Based Classification
>>>> #    Address based classifications involve building a patricia tree
>>>> #    that we can hang labels against.  The strategy is to order the
>>>> #    address label configuration files, to develop a hierarchical
>>>> #    label scheme.
>>>> #
>>>> 
>>>> #    IANA IPv4 and IPv6 Address Classification Labeling
>>>> #
>>>> #    The type of IP network address can be used by many analysis
>>>> #    programs to make decisions.  While IANA standard classifications
>>>> #    don't change, this type of classification should be extendable
>>>> #    to allow local sites to provide additional labeling capabilities.
>>>> 
>>>> #RALABEL_IANA_ADDRESS=yes
>>>> #RALABEL_IANA_ADDRESS_FILE="/usr/local/argus/iana-address-file"
>>>> 
>>>> 
>>>> # Address Based Country Code Classification
>>>> #    Address based country code classification leverages the feature
>>>> #    where ra* clients can print country codes for the IP addresses
>>>> #    that are in a flow record.  Country codes are generated from the ARIN
>>>> #    delegated address space files.  Specify the location of your
>>>> #    DELEGATED_IP file here, or in your .rarc file (which is default).
>>>> #
>>>> #    Unlike the GeoIP based country code labeling, these codes can be sorted
>>>> #    filtered and aggregated, so if you want to do that type of operations
>>>> #    with country codes, enable this feature here.
>>>> #
>>>> 
>>>> #RALABEL_ARIN_COUNTRY_CODES=yes
>>>> #RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"
>>>> 
>>>> 
>>>> # BIND Based Classification
>>>> #    BIND services provide address to name translations, and these
>>>> #    reverse lookup strategies can provide FQDN labels, or domain
>>>> #    labels that can be added to flow.  The IP addresses that can be
>>>> #    'labeled' are the saddr, daddr, or inode.  Keywords "yes" and "all"
>>>> #    are synonymous and result in labeling all three IP addresses.
>>>> #
>>>> #    Use this strategy to provide transient semantic enhancement based
>>>> #    on ip address values.
>>>> #
>>>> 
>>>> #RALABEL_BIND_NAME="all"
>>>> 
>>>> #
>>>> #    When labelers provide names, they can use blocking or non-blocking
>>>> #    resolvers to perform the lookups.  Blocking, the default, will cause
>>>> #    the labeler to wait for resolutions to return. This ensures that the
>>>> #    label will have the best answer in every flow record process, however
>>>> #    blocking resolvers can cause performance issues.  Non-blocking will
>>>> #    queue lookups and establish its name resolution cache, in a lazy
>>>> #    manner.
>>>> 
>>>> #RALABEL_BIND_NON_BLOCKING="no"
>>>> 
>>>> #
>>>> #    When labelers provide names, they can print the FQDN, the host portion
>>>> #    or just the domain name, depending on your uses of the name label.
>>>> #
>>>> 
>>>> #RALABEL_PRINT_DOMAINONLY="no"
>>>> #RALABEL_PRINT_LOCALONLY="no"
>>>> 
>>>> #
>>>> #    All name resolutions are cached, to improve performance.  This provides
>>>> #    the best performance, however, for long lived labeling daemons, a timeout
>>>> #    or TTL, can be placed on the name table, so that the labeler will
>>>> #    periodically requery for resolutions.
>>>> #    
>>>> #    The default is -1, which disables cache timeouts.
>>>> #    Zero (0) will turn off any caching and will have a performance impact.
>>>> 
>>>> #RALABEL_DNS_NAME_CACHE_TIMEOUT=-1
>>>> 
>>>> 
>>>> 
>>>> # Port Based Classification
>>>> #    Port based classifications involves simple assignment of a text
>>>> #    label to a specific port number.  While IANA standard classifications
>>>> #    are supported through the Unix /etc/services file assignments,
>>>> #    and the basic "src port" and "dst port" ra* filter schemes,
>>>> #    this scheme is used to enhance/modify that labeling strategy.
>>>> #    The text associated with a port number is placed in the metadata
>>>> #    label field, and is searched using the regular expression searching
>>>> #    strategies that are available to label matching.
>>>> #    
>>>> #    Use this strategy to provide transient semantic enhancement based   
>>>> #    on port values.
>>>> #
>>>> 
>>>> #RALABEL_IANA_PORT=yes
>>>> #RALABEL_IANA_PORT_FILE="/usr/local/argus/iana-port-numbers"
>>>> 
>>>> 
>>>> # Flow Filter Based Classification
>>>> #    Flow filter based classification uses the standard flow
>>>> #    filter strategies to provide a general purpose labeling scheme.
>>>> #    The concept is similar to racluster()'s fall through matching
>>>> #    scheme.  Fall through the list of filters, if it matches, add the
>>>> #    label.  If you want to continue through the list, once there is
>>>> #    a match,  add a "cont" to the end of the matching rule.
>>>> #
>>>> 
>>>> RALABEL_ARGUS_FLOW=yes
>>>> RALABEL_ARGUS_FLOW_FILE="/usr/local/argus/argus-flow-file"
>>>> 
>>>> 
>>>> # GeoIP Based Labeling
>>>> #    The labeling features can use the databases provided by MaxMind
>>>> #    using the GeoIP LGPL libraries.  If your code was configured to use
>>>> #    these libraries, then enable the features here.
>>>> #    
>>>> #    GeoIP provides a lot of support for geo-location, configure support
>>>> #    by enabling a feature and providing the appropriate binary data files.
>>>> #    ASN reporting is done from a separate set of data files, obtained from
>>>> #    MaxMind.com, and so enabling this feature is independent of the
>>>> #    traditional city data available.
>>>> #
>>>> 
>>>> RALABEL_GEOIP_ASN=yes
>>>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>>>> RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
>>>> 
>>>> #
>>>> #    Data for city relevant data is enabled through enabling and configuring
>>>> #    the city database support.  The types of data available are:
>>>> #       country_code, country_code3, country_name, region, city, postal_code,
>>>> #       latitude, longitude, metro_code, area_code and continent_code.
>>>> #       time_offset is also available.  
>>>> #
>>>> #    The concept is that you should be able to add semantics for any
>>>> #    IP address that is in the argus record.  Support addresses are:
>>>> #
>>>> #       saddr, daddr, inode
>>>> #    
>>>> #    The labels provided will be tagged as:
>>>> #       scity, dcity, icity
>>>> #
>>>> #    To configure what you want to have placed in the label, use the list of
>>>> #    objects, in whatever order you like, as the RALABEL_GEOIP_CITY string
>>>> #    using these keywords:
>>>> #       cco   - country_code
>>>> #       cco3  - country_code3
>>>> #       cname - country_name
>>>> #       reg   - region
>>>> #       city  - city
>>>> #       pcode - postal_code
>>>> #       lat   - latitude
>>>> #       long  - longitude
>>>> #       metro - metro_code
>>>> #       area  - area_code
>>>> #       cont  - continent_code
>>>> #       off   - GMT time offset
>>>> #
>>>> #    Working examples could be:
>>>> #       RALABEL_GEOIP_CITY="saddr,daddr:lat/lon"
>>>> #       RALABEL_GEOIP_CITY="*:city,region,cname,lat,lon"
>>>> #
>>>> RALABEL_GEOIP_CITY="saddr,daddr,inode:off,cont,lat,lon"
>>>> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIP.dat"
>>>> RALABEL_GEOIP_V6_CITY_FILE="/usr/local/share/GeoIP/GeoIPv6.dat"
>>>> 
>>>> 
>>>> On Tue, Jul 23, 2013 at 5:03 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> What are the contents of your ralabel.conf file, and what addresses are reporting 0?
>>>> Simply stating that something is not working is very impolite.
>>>> 
>>>> Carter 
>>>> 
>>>> On Jul 23, 2013, at 8:28 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>>> 
>>>>> I solved the problem with this command, but the values of sas and das are still zero?????
>>>>> 
>>>>> argus -r pcaped.pcap  -F /dev/null  -w - | ralabel -f ralabel.conf -r - -w - -s  +sas +das | rasqlinsert -r - -w mysql://root@localhost/argus/a  -s  stime ltime dur srcid flgs proto saddr sport dir daddr dport pkts bytes  state spkts dpkts sbytes dbytes  das sas 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Tue, Jul 23, 2013 at 10:59 AM, Mike Iglesias <iglesias at uci.edu> wrote:
>>>>> On 07/22/2013 10:54 PM, Rahimeh Khodadadi wrote:
>>>>> > Thank you very much indeed Matt, but when I run the command it gives such an error:
>>>>> 
>>>>> If you're not using the latest code that Carter put up today, try that and see
>>>>> if it fixes this error.  http://qosient.com/argus/dev/
>>>>> 
>>>>> 
>>>>> --
>>>>> Mike Iglesias                          Email:       iglesias at uci.edu
>>>>> University of California, Irvine       phone:       949-824-6926
>>>>> Office of Information Technology       FAX:         949-824-2270
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> With Best Regards
>>>>> Rahimeh Khodadadi
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> With Best Regards
>>>> Rahimeh Khodadadi
>>>> 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> With Best Regards
>>>> Rahimeh Khodadadi
>>>> 
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> With Best Regards
>>> Rahimeh Khodadadi
>>> 
>> 
>> 
>> 
>> 
>> -- 
>> With Best Regards
>> Rahimeh Khodadadi
>> 
> 
> 
> 
> 
> -- 
> With Best Regards
> Rahimeh Khodadadi
> 
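As an added example (not argus code, and not written by anyone in this thread), a small Python preflight script that walks the checklist Carter gives above: it parses the active settings of a ralabel.conf, reports which GeoIP data files named there are missing from disk, and checks whether an ldd listing of the ralabel binary mentions libGeoIP. The embedded config excerpt is constructed from the one quoted in the thread, and the binary path /usr/local/bin/ralabel is the one from Carter's message.

```python
"""Preflight checks for ralabel GeoIP ASN labeling (added example, not argus code)."""
import os
import re
import subprocess
import sys

# ralabel.conf keys that name MaxMind data files (taken from the config quoted above).
GEOIP_FILE_KEYS = ("RALABEL_GEOIP_ASN_FILE", "RALABEL_GEOIP_V6_ASN_FILE",
                   "RALABEL_GEOIP_CITY_FILE", "RALABEL_GEOIP_V6_CITY_FILE")

# Constructed excerpt of the ralabel.conf posted in the thread (one commented line kept).
SAMPLE_CONF = """\
#RALABEL_IANA_ADDRESS=yes
RALABEL_ARGUS_FLOW=yes
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
RALABEL_GEOIP_V6_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNumv6.dat"
"""

def parse_ralabel_conf(text):
    """Return {KEY: value} for active KEY=value lines; '#' comment lines never match."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$', line)
        if m is None:
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]          # strip the surrounding quotes used in the file
        conf[key] = val
    return conf

def missing_geoip_files(conf, exists=os.path.exists):
    """Data files the GeoIP settings point at that are absent from disk."""
    return [conf[k] for k in GEOIP_FILE_KEYS if k in conf and not exists(conf[k])]

def ldd_links_geoip(ldd_output):
    """True if an ldd listing mentions libGeoIP, i.e. the client was linked with -lGeoIP."""
    return any("libGeoIP" in line for line in ldd_output.splitlines())

def main(conf_path="ralabel.conf", ralabel_bin="/usr/local/bin/ralabel"):
    with open(conf_path) as fh:
        conf = parse_ralabel_conf(fh.read())
    if conf.get("RALABEL_GEOIP_ASN") != "yes":
        print("RALABEL_GEOIP_ASN is not set to yes in", conf_path)
    for path in missing_geoip_files(conf):
        print("missing GeoIP data file:", path)
    ldd = subprocess.run(["ldd", ralabel_bin], capture_output=True, text=True)
    if not ldd_links_geoip(ldd.stdout):
        print(ralabel_bin, "is not linked against libGeoIP; reconfigure and rebuild the clients")

if __name__ == "__main__":
    main(*sys.argv[1:])
```

Run it as `python3 preflight.py ralabel.conf /usr/local/bin/ralabel`; a clean run prints nothing, and each printed line is one item from the checklist that still needs fixing.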
