[Bro] Meaning of Various Acronyms in State Field of Packet
Azoff, Justin S
jazoff at illinois.edu
Thu Sep 13 08:15:54 PDT 2018
> On Sep 13, 2018, at 9:34 AM, Lionel Levy <lionellevy25 at gmail.com> wrote:
>
> Hi All,
>
> I am looking at a dataset of features that was generated using Bro-IDS. Can someone please explain the meaning of the various acronyms that could be sent in a state field? I can guess some of them.
>
> CON .... Connected?
> FIN ...... Finished?
> TIM ....... ??
> ECO ....... ??
> INT ........ Interrupted?
> RST ........ Reset?
> ECR ......... Echo Reply?
> URP ....... ??
> CLO ........ ??
> STA ........ ??
> ACC ......... ??
Are you sure those came from Bro? Bro doesn't have a state field. It does have a conn_state field; however,
the possible values of that field are completely different from what you listed.
A Google search for "CON FIN TIM ECO INT RST ECR URP CLO STA ACC" finds http://nsmwiki.org/Argus,
which points to your data set being generated from Argus, not Bro.
—
Justin Azoff