rasql sco dco problem

David Edelman dedelman at iname.com
Thu May 15 17:48:55 EDT 2014


Carter,

This appears to have been a problem for some time, not specific to 3.0.7.26, but you
might want to look at it. The data were written with 3.0.7.26, but I can make
it happen with previous versions as well. Using matrix as a component of the
aggregation may change the order of the source and destination of the output
flow record, but it doesn't seem to reorder the sco and dco components to
reflect that. I can understand if it doesn't modify the labels, but since I
can filter on sco and dco it would be nice to have them move along with the
addresses.

123.123.x is allocated to China; 160.125.129.107 is redacted, but the
original was allocated to the US, and I preserved the relative magnitude of
the two addresses to maintain the ordering in the matrix value.

--Dave


rasqlinsert -M time 1d -M cache -S localhost:561 -w mysql://argus@localhost/argus/matrix_%Y_%m_%d -m srcid matrix proto -s ltime dur srcid saddr daddr bytes proto sco dco -d

rasql -t -5d -r mysql:argus/matrix_%Y_%m_%d -M time 1d -M sql="saddr like '123.123.%'" -w - | ra

                    StartTime  Flgs  Proto  TcpOpt          SrcAddr  Sport  sCo  Dir  dCo          DstAddr  Dport  State  Trans  TotPkts  TotBytes
  Thu 2014-05-15 21:14:54.611  Ne    tcp            160.125.129.107         CN   ->   US   123.123.123.123         REQ    1      3        144
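The record above shows the mismatch Dave describes: after matrix aggregation the US address sits in SrcAddr but sCo still reads CN. Below is an added example, not code from the argus project or from this post, of a small post-processing check that flags records whose sco/dco labels agree with the addresses only when swapped, and swaps them back. It assumes ra was run with a comma delimiter and the field list shown in the rasqlinsert command; the prefix-to-country table and the sample lines are constructed for illustration (in practice the lookup would come from a GeoIP database).

```python
"""Added example: detect and repair sco/dco labels that did not follow a
saddr/daddr reordering in aggregated argus flow records.  Not argus code."""
import ipaddress

# Constructed lookup, an assumption for this example only.  The post says
# 123.123.x is allocated to China and the (redacted) 160.125.129.107 was US.
COUNTRY_PREFIXES = {
    ipaddress.ip_network("123.123.0.0/16"): "CN",
    ipaddress.ip_network("160.125.0.0/16"): "US",
}

# Field order of the constructed sample lines below; chosen to match the
# -s list in the rasqlinsert command (ltime dur srcid saddr daddr bytes proto sco dco).
FIELDS = ["ltime", "dur", "srcid", "saddr", "daddr", "bytes", "proto", "sco", "dco"]

# Constructed sample output, as ra might print it with a comma delimiter.
# Line 1 mirrors the record in the post (labels swapped); line 2 is consistent;
# line 3 has an address the lookup cannot place, so it must be left alone.
SAMPLE_LINES = [
    "2014-05-15 21:14:54.611,0.000000,192.168.0.1,160.125.129.107,123.123.123.123,144,tcp,CN,US",
    "2014-05-15 21:15:10.004,0.120000,192.168.0.1,123.123.45.67,160.125.1.2,820,tcp,CN,US",
    "2014-05-15 21:15:12.500,0.010000,192.168.0.1,10.0.0.5,123.123.9.9,60,udp,CN,CN",
]


def country_of(addr):
    """Return the country code for addr from the constructed prefix table, or None."""
    ip = ipaddress.ip_address(addr)
    for net, cc in COUNTRY_PREFIXES.items():
        if ip in net:
            return cc
    return None


def parse_flow_line(line, fields=FIELDS):
    """Split one delimited ra output line into a dict keyed by field name."""
    values = line.split(",")
    if len(values) != len(fields):
        raise ValueError("expected %d fields, got %d" % (len(fields), len(values)))
    return dict(zip(fields, values))


def labels_swapped(rec):
    """True when sco/dco match daddr/saddr (i.e. they were not reordered with
    the addresses) but do not match saddr/daddr.  Unknown addresses, or both
    ends in the same country, are not reported: there is nothing to decide."""
    s_cc, d_cc = country_of(rec["saddr"]), country_of(rec["daddr"])
    if s_cc is None or d_cc is None:
        return False
    consistent = rec["sco"] == s_cc and rec["dco"] == d_cc
    swapped = rec["sco"] == d_cc and rec["dco"] == s_cc
    return swapped and not consistent


def fix_labels(rec):
    """Return a copy of rec with sco/dco exchanged if they were left behind by
    the address reordering; otherwise return rec unchanged."""
    if not labels_swapped(rec):
        return rec
    fixed = dict(rec)
    fixed["sco"], fixed["dco"] = rec["dco"], rec["sco"]
    return fixed


def audit(lines):
    """Parse each line and return (fixed_records, indices_of_swapped_lines)."""
    records = [parse_flow_line(l) for l in lines]
    swapped = [i for i, r in enumerate(records) if labels_swapped(r)]
    return [fix_labels(r) for r in records], swapped


if __name__ == "__main__":
    fixed, swapped = audit(SAMPLE_LINES)
    for i, rec in enumerate(fixed):
        mark = "SWAPPED" if i in swapped else "ok"
        print(mark, rec["saddr"], rec["sco"], "->", rec["dco"], rec["daddr"])
```

The check deliberately only fires when the labels fit the addresses in reverse, so a record whose sco/dco are simply wrong (or where both ends are in the same country) is not silently rewritten; those should be re-labelled from the lookup rather than swapped.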
