[Bro] another kdd cup question
Oğuz Yarımtepe
oguzyarimtepe at gmail.com
Fri Oct 4 11:18:59 PDT 2013
I was investigating to create KDD Cup 99 attributes on a live traffic. I
encountered with some papers telling that they reproduce the same attribute
values by using Bro-IDS. I am not sure whether all the values can be
gathered from a live traffic, so i am asking whether it is possible to
calculate the below attributes from a live GBit traffic.
Num.
Name
Type
Description
1
duration
integer
duration of the connection
2
protocol_type
nominal
protocol type of the connection: TCP, UDP and ICMP
3
service
nominal
http, ftp, smtp, telnet... and other (if not much used service)
4
flag
nominal
connection status. The possible status are this: SF, S0, S1, S2, S3,OTH,
REJ, RSTO, RSTOS0, SH, RSTRH, SHR
5
src_bytes
integer
bytes sent in one connection
6
dst_bytes
integer
bytes received in one connection
7
land
binary
if source and destination IP addresses and port numbers are equal then this
variable takes value 1 else 0
8
wrong_fragment
integer
sum of bad checksum packets in a connection
9
urgent
integer
sum of urgent packets in a connections. Urgent packets are packet with the
urgent bit activated
Here i am not sure about the wrong_fragment and urgent packet number part.
Will be great if someone enlightens me.
Num.
Name
Type
Description
10
hot
integer
sum of hot actions in a connection such as: entering a systetory,
creating programs and executing programs
11
num_failed_logins
integer
number of incorrect logins in a connection
12
logged_in
integer
if the login is correct then 1 else 0
13
num_compromised
integer
sum of times appearance “not found” error in a connection
14
root_shell
integer
if the root gets the shell then 1 else 0
15
su_attempted
integer
if the su command has been used then 1 else 0
16
num_root
integer
sum of operations performed as root in a connection
17
num_file_creations
integer
sum of file creations in a connection
18
num_shells
integer
number of logins of normal users
19
num_access_files
integer
sum of operations in control files in a connection
20
num_outbound_cmds
integer
sum of outbound commands in a ftp session
21
is_hot_login
integer
if the user is accessing as root or adm
22
is_guest_login
integer
if the user is accessing as guest, anonymous or visitor
It seems these attributes require payload analysis. I am not sure whether
Bro is able to detect some of them by default rules or whether i will need
to write some custom ones.
Num.
Name
Type
Description
23
count
integer
sum of connections to the same destination IP address
24
srv_count
integer
sum of connections to the same destination port number
25
serror_rate
real
the percentage of connections that have activated the flag (4) s0, s1, s2
or s3, among the connections aggregated in count (23)
26
srv_serror_rate
real
the percentage of connections that have activated the flag (4) s0, s1, s2
or s3, among the connections aggregated in srv_count (24)
27
rerror_rate
real
the percentage of connections that have activated the flag (4) REJ,
among the connections aggregated in count (23)
28
srv_error_rate
real
the percentage of connections that have activated the flag (4) REJ,
among the connections aggregated in srv_count (24)
29
same_srv_rate
real
the percentage of connections that were to the same service, among
the connections aggregated in count (23)
30
diff_srv_rate
real
the percentage of connections that were to different services, among
the connections aggregated in count (23)
31
srv_diff_host_rate
real
the percentage of connections that were to different destination ma-
chines among the connections aggregated in srv_count (24)
These are totally ambiguous to me. I think i will need extra issue to
handle som results. But whether to wait some people to guide me first.
So if bro-ids is enough to calculate above attributes from a live traffic
somehow, whether either saving some attributes to DB and then reprocessing
them or any guidance will be appreciated. What i am trying is to recreate
these attributes for a real traffic and test my algorithm with the up to
date dataset.
--
Oğuz Yarımtepe
http://about.me/oguzy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131004/23aabff3/attachment.html
More information about the Bro
mailing list