App Byte Ratio question...

Carter Bullard carter at
Fri Sep 26 17:33:48 EDT 2014

Hey Craig,
Well the idea is to provide sensitivity for the low and slow exfiltration,
which makes you want to have load insensitivity.   Adding load back
in really just squelches any signal on the low end.

But rahisto.1 can give you a frequency distribution based on
total bytes, and each output has its own PCR, so you can see all
of the values all at once if that gets to your interest.

   rahisto -H bytes 50:0-1M -r flows.of.interest -s pcr

Because argus is generating status records to give you the timeliness
you need for making near realtime awareness possible, the PCR
comparisons can be based on status records, not aggregate flow.   Once
you get the PCR ranges per port or per machine, you can do the
matching to find anomalies in the streams, if you wanted to know
something sooner than later.


> On Sep 26, 2014, at 4:44 PM, Craig Merchant <craig.merchant at> wrote:
> Hey, Carter…
> I’ve been playing around with the app byte ratio in our environment.  I’ve had some success feeding it to a machine learning application (Prelert).
> One thing that occurred to me was if you saw any value in using a weighted version of ABR, such as ABR * total bytes in the flow or ABR * duration of the flow.  I’m wondering if lots of small flows or short flows might distort the average ABR for a given host/protocol/port when compared to a long running or high volume flow.
> Just curious what your thoughts are on the matter…  I’m not a quant…
> C

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the argus mailing list