[ARGUS] Questions about rabins

Kolja Straub via Argus-info argus-info at lists.andrew.cmu.edu
Thu Jan 14 03:26:34 EST 2021


Hi all,

First of all a happy new year.

My current goal is to aggregate certain netflows that have the same source IP, destination IP, destination port and protocol and occur in the same 10-minute time interval. Therefore, I used rabins to aggregate the flows.
The command I used is "rabins -r input.biargus -M time 10m hard -m saddr daddr dport proto -P stime -F ra.conf > output.netflow".
However, I have some questions regarding rabins and the features it can generate, and hoped you could help me:

1. Is it possible to get the number of different source ports used? After aggregating the flows with different source ports, the resulting source port of the bin was only "0". However, a list of the ports used, or the number of different ports used, would be helpful. I observed such behavior with the Label feature: after applying rabins, flows with different labels were aggregated together, and the resulting bin still had all labels as a comma-separated list.

2. Is it possible to get a list of the time differences between the start times of two consecutive flows as a feature of the bin? I only know about the packet inter-arrival time. However, it would be nice to be able to calculate the absolute difference between two consecutive flows to analyze the periodicity.

3. As I mentioned in question 1, when using rabins, the labels of the flows are aggregated into a comma-separated list. Since I normally use "," as the separator, this led to an error while reading the file as CSV with pandas. Currently I am using another separator; alternatively, is it possible to wrap the column values in quotation marks so that parsing still works?

4. Lastly, I am not sure whether I understand the direction feature correctly. There are directions like "?>", "<?" and "<?>" in addition to "->", "<-" and "<->". Do the directions with "?" indicate that the origin of the flow is not entirely certain, or do they have another meaning?

Thank you in advance for your effort.

Best regards,
Kolja

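As an added example, not part of the original post and not code from the Argus project, here is one way to post-process rabins output for what questions 2 and 3 ask about: the start-time deltas between consecutive bins of the same (saddr, daddr, dport, proto) key, a simple periodicity score on those deltas, and a reader that survives a Label column containing commas. The sample lines, the column names, the timestamp format, and the use of a tab delimiter are all constructed assumptions for the example, not real ra output; the comma-repair path additionally assumes Label is the last column of the ra.conf field list.

```python
"""Post-process rabins CSV-style output (constructed sample) to compute
per-key start-time deltas and to tolerate comma-separated Label values."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (assumption): tab-delimited bins with the columns below.
# Not real rabins output; timestamp format is an assumption for the example.
SAMPLE = """StartTime\tSrcAddr\tDstAddr\tDport\tProto\tLabel
2021-01-14 10:00:00.000000\t10.0.0.5\t192.0.2.10\t443\ttcp\tbeacon,tls
2021-01-14 10:10:00.000000\t10.0.0.5\t192.0.2.10\t443\ttcp\tbeacon
2021-01-14 10:20:00.000000\t10.0.0.5\t192.0.2.10\t443\ttcp\tbeacon,tls
2021-01-14 10:30:00.000000\t10.0.0.5\t192.0.2.10\t443\ttcp\ttls
2021-01-14 10:00:00.000000\t10.0.0.7\t192.0.2.20\t53\tudp\tdns
2021-01-14 10:03:00.000000\t10.0.0.7\t192.0.2.20\t53\tudp\tdns
2021-01-14 10:47:00.000000\t10.0.0.7\t192.0.2.20\t53\tudp\tdns,noise
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"  # assumed format of the sample above


def parse_bins(text, delimiter="\t"):
    """Parse bins into dicts with a datetime, a flow key and a label set.

    If the file was written with ',' as delimiter and Label is the last
    column, a multi-label bin spills into extra fields; DictReader keeps
    those under restkey, and we glue them back onto the Label value.
    """
    rows = []
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter,
                            restkey="_extra")
    for row in reader:
        label_parts = [row["Label"]] + list(row.get("_extra") or [])
        labels = set()
        for part in label_parts:
            labels.update(p for p in part.split(",") if p)
        rows.append({
            "stime": datetime.strptime(row["StartTime"], TIME_FMT),
            "key": (row["SrcAddr"], row["DstAddr"], row["Dport"], row["Proto"]),
            "labels": labels,
        })
    return rows


def start_time_deltas(rows):
    """Return {key: [seconds between consecutive bins, ...]} sorted by start time."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[r["key"]].append(r["stime"])
    deltas = {}
    for key, times in by_key.items():
        times.sort()
        deltas[key] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return deltas


def label_sets(rows):
    """Union of all labels seen per key (the 'list of values' a bin carries)."""
    by_key = defaultdict(set)
    for r in rows:
        by_key[r["key"]] |= r["labels"]
    return dict(by_key)


def periodicity(deltas):
    """Coefficient of variation of the deltas: 0.0 is strictly periodic,
    larger values are more irregular. None when there are too few deltas."""
    if len(deltas) < 2:
        return None
    mean = statistics.mean(deltas)
    if mean == 0:
        return None
    return statistics.pstdev(deltas) / mean


if __name__ == "__main__":
    bins = parse_bins(SAMPLE)
    labels = label_sets(bins)
    for key, d in start_time_deltas(bins).items():
        print(key, "deltas(s)=", d, "cv=", periodicity(d), "labels=", sorted(labels[key]))
```

With the constructed data the 10.0.0.5 -> 192.0.2.10:443 key yields three deltas of exactly 600 s and a coefficient of variation of 0.0, which is the kind of signal a periodicity check is looking for; the DNS key is irregular. Feeding the same text with tabs replaced by commas exercises the restkey repair path and produces the same label sets.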

