Changes to documentation and added -A flag to tag

STEELISI · Jun 27, 2022 · 71d6d3b · 71d6d3b
1 parent 7c88683
commit 71d6d3b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 10 deletions.
diff --git a/B_Root_Anomalies/README.md b/B_Root_Anomalies/README.md
@@ -1,25 +1,25 @@
 # Installation
 
-You will need libpcap-dev installed. Afterwards, running `make` will produce
+You will need `libpcap-dev` installed. Afterwards, running `make` will produce
 executables tag and stats. Stats uses libpcap to read relevant data from
 pcap files. It only reads packets to port 53 (this can be changed by changing
 filter options in stats.cc).
 
 # Running
 
-Run tag with required parameters on a folder containing B-Root-Anomaly files
+Run `tag` with required parameters on a folder containing B-Root-Anomaly files
 to tag attack and legitimate traffic. Tagging only occurs during attack period
-(between starttime and endtime parameters). If queryname parameter is present
+(between `starttime` and `endtime` parameters). If queryname parameter is present
 queries that are malformed or that contain given queryname as substring are
-being tagged as attack. If you specify -A option then all other traffic from
+being tagged as attack. If you specify `-A` option then all other traffic from
 sources participating in attack is also going to be tagged as attack (e.g., TCP
 SYN and ACK packets). If queryname parameter is not present, then all malformed
 queries and all zero-name queries (e.g., queries for NS record for ".") will
 also be tagged as attack.
 
-Output is comprised of recordID (timestamp-sourceIP-sourceport-destIP-destport)
-and B for "benign", A for "attack".
+Output is comprised of `recordID (timestamp-sourceIP-sourceport-destIP-destport)`
+and `B` for "benign", `A` for "attack".
 
 Suggested parameters for tag are given in each subfolder for the specific
 attack. We have also provided the output of the tagging process in the same
-subfolder (.tag files).
+subfolder (`.tag` files).
diff --git a/B_Root_Anomalies/tag.cc b/B_Root_Anomalies/tag.cc
@@ -8,6 +8,7 @@
 #include "utils.h"
 
 bool first = true;
+bool attacksources = false;
 long int starttime = 0;
 long int endtime = 0;
 long int lasttime = 0;
@@ -74,11 +75,15 @@ int process(char* buffer, double &outtime, int& outlen, int& outttl)
 	{
 	  isattack = true;	  
 	}
-    if (attackers.find(ip) != attackers.end())
+    if (attackers.find(ip) != attackers.end() && attacksources)
       {
 	isattack = true;
       }
-    cout<<recordID<<" "<<isattack<<endl;
+    cout<<recordID<<" ";
+    if (isattack)
+      cout<<"A\n";
+    else
+      cout<<"B\n";
     return 0;
 }
 
@@ -93,6 +98,7 @@ void printHelp()
   printf ("-e <epoch>                     End at this epoch time in UTC\n");
   printf ("-E <ext>                       Only process files with this extension in the name (e.g., lax, mia)\n");
   printf ("-a <file>                      Optionally read attack IPs from this file\n");
+  printf ("-A                             Tag all traffic from attack IPs as attack\n");
   printf ("-q <query>                     This is a substring occuring in attack queries, you can repeat this arg spec multiple times\n");
 }
 
@@ -113,7 +119,7 @@ int main(int argc, char** argv)
   for (int i = 0; i<argc; i++)
     cout<<argv[i]<<" ";
   cout<<endl;
-  while ((c = getopt (argc, argv, "hs:e:E:a:q:r:")) != '?')
+  while ((c = getopt (argc, argv, "hs:e:E:a:q:r:A")) != '?')
     {
       if ((c == 255) || (c == -1))
 	break;
@@ -127,6 +133,9 @@ int main(int argc, char** argv)
 	case 'r':
 	  readfolder = optarg;
 	  break;
+	case 'A':
+	  attacksources = true;
+	  break;
 	case 'q':
 	  queries.insert(optarg);
 	  break;