From 5dcbbb60c8c13f7eeb0a15bfbf5a5ec98252d84f Mon Sep 17 00:00:00 2001 From: Jelena Mirkovic Date: Thu, 14 Jul 2022 10:42:00 -0700 Subject: [PATCH] Added more folders for B-root anomalies --- .../B_Root_Anomaly-20170306/README.md | 5 +++ .../B_Root_Anomaly-20170425/README.md | 6 ++++ .../B_Root_Anomaly-20190907/README.md | 19 +++++++++++ .../B_Root_Anomaly-20200213/README.md | 5 +++ .../B_Root_Anomaly-20201024/README.md | 5 +++ .../B_Root_Anomaly-20210528/README.md | 33 +++++++++++++++++++ B_Root_Anomalies/README.md | 25 -------------- B_Root_Anomalies/utils.cc | 2 +- 8 files changed, 74 insertions(+), 26 deletions(-) create mode 100644 B_Root_Anomalies/B_Root_Anomaly-20170306/README.md create mode 100644 B_Root_Anomalies/B_Root_Anomaly-20170425/README.md create mode 100644 B_Root_Anomalies/B_Root_Anomaly-20190907/README.md create mode 100644 B_Root_Anomalies/B_Root_Anomaly-20200213/README.md create mode 100644 B_Root_Anomalies/B_Root_Anomaly-20201024/README.md create mode 100644 B_Root_Anomalies/B_Root_Anomaly-20210528/README.md delete mode 100644 B_Root_Anomalies/README.md diff --git a/B_Root_Anomalies/B_Root_Anomaly-20170306/README.md b/B_Root_Anomalies/B_Root_Anomaly-20170306/README.md new file mode 100644 index 0000000..ec6aea2 --- /dev/null +++ b/B_Root_Anomalies/B_Root_Anomaly-20170306/README.md @@ -0,0 +1,5 @@ +# How to run the tagging code + +``` +tag -s 1488775205 -e 1488795600 -r -E lax -q qycl520.com -q calling168.com +``` \ No newline at end of file diff --git a/B_Root_Anomalies/B_Root_Anomaly-20170425/README.md b/B_Root_Anomalies/B_Root_Anomaly-20170425/README.md new file mode 100644 index 0000000..8b1bc46 --- /dev/null +++ b/B_Root_Anomalies/B_Root_Anomaly-20170425/README.md @@ -0,0 +1,6 @@ +# How to run the tagging code + +``` +tag -s 1493114000 -e 1493124900 -r -E lax -q plaza.game981.com + +``` \ No newline at end of file 
diff --git a/B_Root_Anomalies/B_Root_Anomaly-20190907/README.md b/B_Root_Anomalies/B_Root_Anomaly-20190907/README.md new file mode 100644 index 0000000..1c7684f --- /dev/null +++ b/B_Root_Anomalies/B_Root_Anomaly-20190907/README.md @@ -0,0 +1,19 @@ +# How to run the tagging code + +## For .ari POP + +``` +tag -s 1567838739 -e 1567838772 -r -E ari +``` + +## For .lax POP + +``` +tag -s 1567838738 -e 1567838773 -r -E lax +``` + +## For .mia POP + +``` +tag -s 1567838739 -e 1567838769 -r -E mia +``` \ No newline at end of file diff --git a/B_Root_Anomalies/B_Root_Anomaly-20200213/README.md b/B_Root_Anomalies/B_Root_Anomaly-20200213/README.md new file mode 100644 index 0000000..880b228 --- /dev/null +++ b/B_Root_Anomalies/B_Root_Anomaly-20200213/README.md @@ -0,0 +1,5 @@ +# How to run the tagging code + +``` +tag -s 1581581100 -e 1581581360 -r -E sin -q 8.8.8.8 +``` \ No newline at end of file diff --git a/B_Root_Anomalies/B_Root_Anomaly-20201024/README.md b/B_Root_Anomalies/B_Root_Anomaly-20201024/README.md new file mode 100644 index 0000000..63a976c --- /dev/null +++ b/B_Root_Anomalies/B_Root_Anomaly-20201024/README.md @@ -0,0 +1,5 @@ +# How to run the tagging code + +``` +tag -s 1603507954 -e 1603508345 -r -E ams +``` diff --git a/B_Root_Anomalies/B_Root_Anomaly-20210528/README.md b/B_Root_Anomalies/B_Root_Anomaly-20210528/README.md new file mode 100644 index 0000000..6065f39 --- /dev/null +++ b/B_Root_Anomalies/B_Root_Anomaly-20210528/README.md @@ -0,0 +1,33 @@ +# How to run the tagging code + +## For .ams POP + +``` +tag -s 1622169357 -e 1622169441 -r -E ams +``` + +## For .ari POP + +``` +tag -s 1622169357 -e 1622169422 -r -E ari +``` + +## For .lax POP + +``` +tag -s 1622169357 -e 1622169608 -r -E lax +``` + +## For .iad POP + +``` +tag -s 1622169357 -e 1622169414 -r -E iad +``` + +## For .mia POP + +``` +tag -s 1622169357 -e 1622169487 -r -E mia +``` + + 
diff --git a/B_Root_Anomalies/README.md b/B_Root_Anomalies/README.md deleted file mode 100644 index 55be0d2..0000000 --- a/B_Root_Anomalies/README.md +++ /dev/null @@ -1,25 +0,0 @@ -# Installation - -You will need `libpcap-dev` installed. Afterwards, running `make` will produce -executables tag and stats. Stats uses libpcap to read relevant data from -pcap files. It only reads packets to port 53 (this can be changed by changing -filter options in stats.cc). - -# Running - -Run `tag` with required parameters on a folder containing B-Root-Anomaly files -to tag attack and legitimate traffic. Tagging only occurs during attack period -(between `starttime` and `endtime` parameters). If queryname parameter is present -queries that are malformed or that contain given queryname as substring are -being tagged as attack. If you specify `-A` option then all other traffic from -sources participating in attack is also going to be tagged as attack (e.g., TCP -SYN and ACK packets). If queryname parameter is not present, then all malformed -queries and all zero-name queries (e.g., queries for NS record for ".") will -also be tagged as attack. - -Output is comprised of `recordID (timestamp-sourceIP-sourceport-destIP-destport)` -and `B` for "benign", `A` for "attack". - -Suggested parameters for tag are given in each subfolder for the specific -attack. We have also provided the output of the tagging process in the same -subfolder (`.tag` files). \ No newline at end of file diff --git a/B_Root_Anomalies/utils.cc b/B_Root_Anomalies/utils.cc index 9e1bf92..9a076c4 100644 --- a/B_Root_Anomalies/utils.cc +++ b/B_Root_Anomalies/utils.cc @@ -235,7 +235,7 @@ void loadfiles(const char* file, string (*process)(char*, double&, int&, int&, o continue; } long myepoch = getepoch(dirs[d].namelist[nf]->d_name); - if (myepoch < starttime - 30) + if (myepoch < starttime - 300) { continue; }
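Review bot: the `-q` arguments in the new READMEs are concrete domain names and an IP address passed as substrings, which works with the "contain given queryname as substring" rule from the old README, but the new B_Root_Anomaly-20170425/README.md leaves a blank line inside its fenced block after the `tag` command, four of the six new files end with `\ No newline at end of file`, and B_Root_Anomaly-20210528/README.md ends with two stray blank lines. Drop the blank lines and add terminating newlines so the fences render cleanly and later diffs stay minimal. Every new README also relies on `-r` and `-E <pop>` (ari, lax, mia, ams, sin, iad) without saying what they select; a one-line description of those two options in each file, or in a shared README, would make the invocations reproducible.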
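Review bot: deleting B_Root_Anomalies/README.md removes the only documentation of the build (`libpcap-dev`, `make`, the `tag` and `stats` executables and the port-53 filter in stats.cc), of the `-A` option, of the malformed/zero-name query rule and of the `recordID (timestamp-sourceIP-sourceport-destIP-destport)` plus `B`/`A` output format, and nothing in this patch replaces it; the per-anomaly READMEs only contain invocations. If that text moved, the diff should show the destination file (a rename rather than a bare delete); otherwise restore it, since the commit message ("Added more folders for B-root anomalies") gives no reason for the removal.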
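Review bot: in the utils.cc hunk the lookback in `loadfiles()` changes from `if (myepoch < starttime - 30)` to `if (myepoch < starttime - 300)` with no comment and no mention in the commit message, so the next reader has no way to know whether 30 or 300 is intended. Replace the literal with a named constant and a comment explaining why files whose name epoch is up to 300 s before `starttime` must still be loaded (presumably the spacing of the capture files, which the hunk does not show), and note that any file starting earlier than that window is still skipped, so the value needs to match the real file interval.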