[Bro] Meaning of Various Acronyms in State Field of Packet
Lionel Levy
lionellevy25 at gmail.com
Thu Sep 13 09:17:42 PDT 2018
Hi Justin,
Thanks for the prompt response. I was looking at the UNSW-NB15 Network
Data Set within a journal article titled "UNSW-NB15: a comprehensive data
set for network intrusion detection systems (UNSW-NB15 network data set)."
According to the paper, there are some matched features for both Argus and
Bro-IDS tools. One of these features is called "state", and is described
as the state and its dependent protocol, e.g. ACC, CLO. Maybe the
authors made a mistake in the paper and this feature is only generated by
Argus. Or maybe I am misinterpreting what the authors meant to convey.
Regards,
Lionel
On Thu, Sep 13, 2018 at 11:25 AM Azoff, Justin S <jazoff at illinois.edu>
wrote:
>
> > On Sep 13, 2018, at 9:34 AM, Lionel Levy <lionellevy25 at gmail.com> wrote:
> >
> > Hi All,
> >
> > I am looking at a dataset of features that was generated using Bro-IDS.
> Can someone please explain the meaning of the various acronyms that could
> be sent in a state field? I can guess some of them.
> >
> > CON .... Connected?
> > FIN ...... Finished?
> > TIM ....... ??
> > ECO ....... ??
> > INT ........ Interrupted?
> > RST ........ Reset?
> > ECR ......... Echo Reply?
> > URP ....... ??
> > CLO ........ ??
> > STA ........ ??
> > ACC ......... ??
>
> Are you sure those came from Bro? Bro doesn't have a state field. It
> does have a conn_state field; however, the possible values of that field
> are completely different from what you listed.
>
>
> A google search for "CON FIN TIM ECO INT RST ECR URP CLO STA ACC" finds
> http://nsmwiki.org/Argus
> which points to your data set being generated from Argus, not Bro.
>
> —
> Justin Azoff
>
>
>
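As an added example (not part of this thread, and not Zeek/Bro or Argus project code): a Python check that answers Justin's question for a given file. It parses the state column out of either a Bro/Zeek conn.log or a CSV and matches the value vocabulary against the Bro conn_state codes and against the Argus values quoted in the question above. The sample conn.log and CSV rows are constructed for the example; the CSV header only imitates a few UNSW-NB15 column names and is an assumption, not the dataset's real layout, and the Argus set is deliberately limited to the values the question lists (Argus has more).

```python
"""Tell whether a dataset's state column comes from Bro/Zeek or from Argus.

Added example, not code from the thread or from either project. Bro/Zeek
writes conn_state in conn.log; Argus writes state. The two vocabularies do
not overlap, so a handful of values identifies the generator.
"""
import csv
import io

# Bro/Zeek conn_state codes and their documented meanings.
BRO_CONN_STATE = {
    "S0": "connection attempt seen, no reply",
    "S1": "connection established, not terminated",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "S2": "established, close attempt by originator seen, no reply from responder",
    "S3": "established, close attempt by responder seen, no reply from originator",
    "RSTO": "established, originator aborted (sent RST)",
    "RSTR": "established, responder aborted (sent RST)",
    "RSTOS0": "originator sent SYN then RST, no SYN-ACK from responder",
    "RSTRH": "responder sent SYN-ACK then RST, no SYN from originator",
    "SH": "originator sent SYN then FIN, no SYN-ACK (half-open)",
    "SHR": "responder sent SYN-ACK then FIN, no SYN from originator",
    "OTH": "no SYN seen, midstream traffic only",
}
BRO_CODES = frozenset(BRO_CONN_STATE)

# Argus state values exactly as quoted in the question; Argus emits others too,
# so this set is an assumption limited to what the thread shows.
ARGUS_STATE = frozenset({"CON", "FIN", "TIM", "ECO", "INT", "RST",
                         "ECR", "URP", "CLO", "STA", "ACC"})


def _row(*cols):
    # Zeek logs are tab-separated; build rows explicitly so tabs survive editing.
    return "\t".join(cols)


# Constructed Bro/Zeek conn.log excerpt (a subset of the real columns).
ZEEK_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p",
         "id.resp_h", "id.resp_p", "proto", "conn_state"),
    _row("1536855462.000000", "CXWv6p3arKYeMETxOg", "192.0.2.10", "51234",
         "198.51.100.5", "80", "tcp", "SF"),
    _row("1536855463.000000", "C4J4Th3PJpwUYZZ6gc", "192.0.2.10", "51235",
         "198.51.100.5", "443", "tcp", "S0"),
    _row("1536855464.000000", "CmES5u32sYpV7JYNza", "192.0.2.11", "51236",
         "198.51.100.9", "22", "tcp", "REJ"),
])

# Constructed CSV excerpt; the header imitates a few UNSW-NB15 column names
# and is an assumption about the layout, not the real file.
ARGUS_CSV = "\n".join([
    "srcip,sport,dstip,dsport,proto,state,dur",
    "192.0.2.10,51234,198.51.100.5,80,tcp,FIN,0.012",
    "192.0.2.10,51235,198.51.100.5,443,tcp,CON,1.5",
    "192.0.2.11,51236,198.51.100.9,22,tcp,RST,0.001",
    "192.0.2.12,53,198.51.100.1,53,udp,INT,0.000",
])


def parse_zeek_log(text):
    """Parse a Zeek/Bro TSV log: '#fields' names the columns, other '#' lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def parse_csv(text):
    """Parse a header-first CSV into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_state_column(rows):
    """Return (tool, column) by matching the value vocabulary, else (None, None)."""
    for column in ("conn_state", "state"):
        values = {r[column] for r in rows if r.get(column)}
        if not values:
            continue
        if values <= BRO_CODES:
            return "bro", column
        if values <= ARGUS_STATE:
            return "argus", column
    return None, None


def describe_bro_states(rows):
    """Map each conn_state seen to its meaning; unknown codes are flagged, not guessed."""
    return {r["conn_state"]: BRO_CONN_STATE.get(r["conn_state"], "UNKNOWN")
            for r in rows if "conn_state" in r}


if __name__ == "__main__":
    print(classify_state_column(parse_zeek_log(ZEEK_CONN_LOG)))
    print(classify_state_column(parse_csv(ARGUS_CSV)))
    print(describe_bro_states(parse_zeek_log(ZEEK_CONN_LOG)))
```

Run against a real file, read the text in and pass it to parse_zeek_log or parse_csv; if classify_state_column returns (None, None) the column holds values from neither vocabulary (or a mix), which is itself worth knowing before trusting a paper's feature table.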