[Bro] Meaning of Various Acronyms in State Field of Packet
Azoff, Justin S
jazoff at illinois.edu
Thu Sep 13 10:31:38 PDT 2018
> On Sep 13, 2018, at 12:17 PM, Lionel Levy <lionellevy25 at gmail.com> wrote:
>
> Hi Justin,
>
> Thanks for the prompt response. I was looking at the UNSW-NB15 Network Data Set within a journal article titled "UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)."
>
> According to the paper, there are some matched features for both Argus and Bro-IDS tools. One of these features is called "state", and is described as the state and its dependent protocol, e.g. ACC, CLO. Maybe the authors made a mistake in the paper and this feature is only generated by Argus. Or maybe I am misinterpreting what the authors meant to convey.
>
> Regards,
>
> Lionel
http://manpages.ubuntu.com/manpages/trusty/man1/ra.1.html describes what all those fields mean.
Bro does have a similar feature, but the data is represented differently and those specific state abbreviations are an argus thing.
In bro logs, the different ICMP codes are logged this way:
##! host/port to a destination host/port). Further, ICMP "ports" are to
##! be interpreted as the source port meaning the ICMP message type and
##! the destination port being the ICMP message code.
so while argus has URF as a state meaning 'Unreachable need fragmentation', in bro that would just be logged as type 3 code 4 under the port columns.
For some of the other fields the information is either in the conn_state or history fields. The documentation for those is here https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info
in bro ACC would show up as an h or H in history and a conn_state of SF, S1, S2, or S3 (I think?)
CLO would show up as f or F in history and a conn_state of SF
—
Justin Azoff
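The mapping sketched in the reply above, worked through on a few conn.log records, as an added example. This is not code from the Bro project or from the message's author: the conn.log excerpt is constructed, and the ACC/CLO labelling is the heuristic from the reply (handshake letters in history plus an established conn_state for ACC, FIN letters plus SF for CLO), treated here as an assumption rather than anything Bro itself emits. The ICMP handling follows the quoted doc comment: type in id.orig_p, code in id.resp_p.

```python
"""Read Bro/Zeek conn.log records the way the reply above describes.

Added example, not code from the Bro project or from the message's author.
The conn.log excerpt is constructed; the ACC/CLO mapping is the heuristic in
the reply (handshake letters in `history` plus an established `conn_state`
for ACC, FIN letters plus `SF` for CLO) and is an assumption, not a Bro API.
"""
from typing import Dict, List, Optional, Tuple

# Constructed conn.log excerpt in the Bro TSV format (tab separated, '-' = unset).
# Only the columns this example needs are included.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\thistory",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring",
    # full handshake, data, FINs both ways, normal close
    "1536851000.1\tCa1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\tSF\tShADadFf",
    # established, still open at log time
    "1536851001.2\tCa2\t10.0.0.5\t51235\t192.0.2.10\t443\ttcp\tssl\tS1\tShADad",
    # lone SYN, never answered
    "1536851002.3\tCa3\t10.0.0.5\t51236\t192.0.2.11\t22\ttcp\t-\tS0\tS",
    # ICMP: orig_p = type 3, resp_p = code 4 (fragmentation needed)
    "1536851003.4\tCa4\t192.0.2.1\t3\t10.0.0.5\t4\ticmp\t-\tOTH\t-",
    # ICMP echo request: type 8, code 0
    "1536851004.5\tCa5\t10.0.0.5\t8\t192.0.2.10\t0\ticmp\t-\tOTH\t-",
    "#close\t2018-09-13-10-31-38",
])

Record = Dict[str, str]

def parse_conn_log(text: str) -> List[Record]:
    """Parse Bro TSV: take column names from the #fields line, skip other # lines."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count does not match #fields: %r" % line)
            records.append(dict(zip(fields, values)))
    return records

# Conn::Info conn_state values that mean the handshake completed.
ESTABLISHED = {"SF", "S1", "S2", "S3"}

def argus_like_state(rec: Record) -> Optional[str]:
    """Map history/conn_state of a TCP record to an Argus-style ACC/CLO label (assumed mapping)."""
    if rec["proto"] != "tcp":
        return None
    history, conn_state = rec["history"], rec["conn_state"]
    # lowercase letters are originator events, uppercase are responder events
    if conn_state == "SF" and ("f" in history or "F" in history):
        return "CLO"   # completed and closed with a FIN
    if conn_state in ESTABLISHED and ("h" in history or "H" in history):
        return "ACC"   # SYN+ACK seen, connection accepted
    return None

def icmp_type_code(rec: Record) -> Optional[Tuple[int, int]]:
    """For ICMP, Bro stores the message type in id.orig_p and the code in id.resp_p."""
    if rec["proto"] != "icmp":
        return None
    return int(rec["id.orig_p"]), int(rec["id.resp_p"])

# A few RFC 792 type/code pairs; per the reply, Argus folds (3, 4) into its 'URF' state.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 3): "destination unreachable: port unreachable",
    (3, 4): "destination unreachable: fragmentation needed and DF set",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL exceeded in transit",
}

def describe_icmp(icmp_type: int, code: int) -> str:
    return ICMP_NAMES.get((icmp_type, code), "type %d code %d" % (icmp_type, code))

def summarize(text: str) -> Dict[str, str]:
    """uid -> one-line description combining the two views above."""
    out: Dict[str, str] = {}
    for rec in parse_conn_log(text):
        tc = icmp_type_code(rec)
        if tc is not None:
            out[rec["uid"]] = "icmp type %d code %d (%s)" % (tc[0], tc[1], describe_icmp(*tc))
        else:
            out[rec["uid"]] = "%s conn_state=%s history=%s argus-like=%s" % (
                rec["proto"], rec["conn_state"], rec["history"], argus_like_state(rec) or "-")
    return out

if __name__ == "__main__":
    for uid, line in summarize(SAMPLE_CONN_LOG).items():
        print(uid, line)
```

Run it directly to see the five records labelled; the lone-SYN record (S0, history "S") gets neither label, which is the point of checking conn_state and not just history. Real conn.log files carry more columns than this excerpt, so the parser keys every row off the #fields header instead of fixed positions.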