From 71d6d3b3922c6679c5737ff8cdca7619205bb32a Mon Sep 17 00:00:00 2001 From: Jelena Mirkovic Date: Mon, 27 Jun 2022 11:22:18 -0700 Subject: [PATCH] Changes to documentation and added -A flag to tag --- B_Root_Anomalies/README.md | 14 +++++++------- B_Root_Anomalies/tag.cc | 15 ++++++++++++--- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/B_Root_Anomalies/README.md b/B_Root_Anomalies/README.md index eec7222..55be0d2 100644 --- a/B_Root_Anomalies/README.md +++ b/B_Root_Anomalies/README.md 
@@ -1,25 +1,25 @@ # Installation -You will need libpcap-dev installed. Afterwards, running `make` will produce +You will need `libpcap-dev` installed. Afterwards, running `make` will produce executables tag and stats. Stats uses libpcap to read relevant data from pcap files. It only reads packets to port 53 (this can be changed by changing filter options in stats.cc). # Running -Run tag with required parameters on a folder containing B-Root-Anomaly files +Run `tag` with required parameters on a folder containing B-Root-Anomaly files to tag attack and legitimate traffic. Tagging only occurs during attack period -(between starttime and endtime parameters). If queryname parameter is present +(between `starttime` and `endtime` parameters). If queryname parameter is present queries that are malformed or that contain given queryname as substring are -being tagged as attack. If you specify -A option then all other traffic from +being tagged as attack. If you specify `-A` option then all other traffic from sources participating in attack is also going to be tagged as attack (e.g., TCP SYN and ACK packets). If queryname parameter is not present, then all malformed queries and all zero-name queries (e.g., queries for NS record for ".") will also be tagged as attack. -Output is comprised of recordID (timestamp-sourceIP-sourceport-destIP-destport) -and B for "benign", A for "attack". +Output is comprised of `recordID (timestamp-sourceIP-sourceport-destIP-destport)` +and `B` for "benign", `A` for "attack". Suggested parameters for tag are given in each subfolder for the specific attack. We have also provided the output of the tagging process in the same -subfolder (.tag files). \ No newline at end of file +subfolder (`.tag` files). \ No newline at end of file diff --git a/B_Root_Anomalies/tag.cc b/B_Root_Anomalies/tag.cc index 268b898..ee3e20d 100644 --- a/B_Root_Anomalies/tag.cc +++ b/B_Root_Anomalies/tag.cc 
@@ -8,6 +8,7 @@ #include "utils.h" bool first = true; +bool attacksources = false; long int starttime = 0; long int endtime = 0; long int lasttime = 0; @@ -74,11 +75,15 @@ int process(char* buffer, double &outtime, int& outlen, int& outttl) { isattack = true; } - if (attackers.find(ip) != attackers.end()) + if (attackers.find(ip) != attackers.end() && attacksources) { isattack = true; } - cout< End at this epoch time in UTC\n"); printf ("-E Only process files with this extension in the name (e.g., lax, mia)\n"); printf ("-a Optionally read attack IPs from this file\n"); + printf ("-A Tag all traffic from attack IPs as attack\n"); printf ("-q This is a substring occuring in attack queries, you can repeat this arg spec multiple times\n"); } @@ -113,7 +119,7 @@ int main(int argc, char** argv) for (int i = 0; i
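Review bot: In the `@@ -74,11 +75,15 @@` hunk the new condition `if (attackers.find(ip) != attackers.end() && attacksources)` silently changes the default: traffic from known attack sources used to be tagged `A` unconditionally and is now only tagged when `-A` is given, so previously generated `.tag` files in the subfolders will no longer match the default output. Either state this in the commit message and regenerate the shipped `.tag` files, or default `attacksources` to the old behaviour. As a minor point, put the flag first, `if (attacksources && attackers.find(ip) != attackers.end())`, so the set lookup is skipped per packet when the option is off.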
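Review bot: The new help line `printf ("-A Tag all traffic from attack IPs as attack\n");` does not say where the attack IPs come from; since the `-a` line above it describes them as optionally read from a file, `-A` should mention that it only has an effect once attack sources are known (from `-a` or from tagged queries). The adjacent `-q` context line also carries the typo "occuring" (should be "occurring"), which could be fixed in the same change since this block is already being touched.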
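Review bot: In the README hunk the backticking is applied inconsistently: `starttime`, `endtime`, `-A`, `tag` and `.tag` gain code formatting, but `queryname` is left plain in two places ("If queryname parameter is present", "If queryname parameter is not present") and "stats" and "libpcap" are unformatted on the line after `executables tag and stats`. The final line also still reports "No newline at end of file", which this edit could fix while it rewrites that line.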