Hello,
I’m reading a bunch of papers on interesting features for machine learning applied on network traffic. For example CSE-CIC (https://www.unb.ca/cic/datasets/ids-2018.html)
My question is: is it possible to add this type of statistic on conn.log?
- average packet size
- minimum packet size
- maximum packet size
- total time between two packets
- mean time between two packets etc.
- etc.
Reading in the documentation I saw this events https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek.html#id-tcp_packet but, as state by the documentation itself, it will lead to very poor performance.
The other code I think it could be relevant is the TCP analyzer: https://github.com/zeek/zeek/blob/1affbad4b7b8c8cf230ded8224c9c364607b67e9/src/analyzer/protocol/tcp/TCP.cc
I’ve never contributed to Zeek before and I don’t know the codebase at all, so do you think Zeek would be capable of generating this type of stats? Is TCP.cc the right place to implement those features? Are there issues I am overlooking?