I am looking at a dataset of features that was generated using Bro-IDS. Can someone please explain the meaning of the various acronyms that could be sent in a state field? I can guess some of them.
CON … Connected?
FIN … Finished?
TIM … ??
ECO … ??
INT … Interrupted?
RST … Reset?
ECR … Echo Reply?
URP … ??
CLO … ??
STA … ??
ACC … ??
Are you sure those came from Bro? Bro doesn't have a state field. It does have a conn_state field; however,
the possible values of that field are completely different from what you listed.
A google search for "CON FIN TIM ECO INT RST ECR URP CLO STA ACC" finds http://nsmwiki.org/Argus
which points to your data set being generated from Argus, not Bro.
Thanks for the prompt response. I was looking at the UNSW-NB15 Network Data Set within a journal article titled “UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set).”
According to the paper, there are some matched features for both Argus and Bro-IDS tools. One of these features is called “state”, and is described as the state and its dependent protocol, e.g. ACC, CLO. Maybe the authors made a mistake in the paper and this feature is only generated by Argus. Or maybe I am misinterpreting what the authors meant to convey.
http://manpages.ubuntu.com/manpages/trusty/man1/ra.1.html describes what all those fields mean.
Bro does have a similar feature, but the data is represented differently, and those specific state abbreviations are
an Argus thing.
In Bro logs, the different ICMP codes are logged this way:
##! host/port to a destination host/port). Further, ICMP "ports" are to
##! be interpreted as the source port meaning the ICMP message type and
##! the destination port being the ICMP message code.
So while Argus has URF as a state meaning 'Unreachable need fragmentation', in Bro that would just be logged as
type 3 code 4 under the port columns.
For some of the other fields the information is either in the conn_state or history fields. The documentation for those is
In Bro, ACC would show up as an h or H in history and a conn_state of SF, S1, S2, or S3 (I think?).
CLO would show up as f or F in history and a conn_state of SF.
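As an added illustration of the mapping described in this last reply (example code, not from the thread or from the Bro/Argus projects): a small parser for Bro conn.log lines that derives an Argus-style label from the proto, port, conn_state and history columns. The ACC/CLO rules and the "closed wins over accepted" ordering are assumptions taken from the reply above, and the log lines are constructed for the example.

```python
# Constructed Bro conn.log excerpt (tab-separated, with the usual #fields header).
# For ICMP, id.orig_p carries the message type and id.resp_p the message code.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory",
    "\t".join(["1.0", "C1", "10.0.0.1", "51234", "10.0.0.2", "80", "tcp", "SF", "ShADadFf"]),
    "\t".join(["2.0", "C2", "10.0.0.1", "51235", "10.0.0.2", "22", "tcp", "S1", "ShAD"]),
    "\t".join(["3.0", "C3", "10.0.0.1", "3", "10.0.0.9", "4", "icmp", "OTH", "-"]),
    "\t".join(["4.0", "C4", "10.0.0.1", "51236", "10.0.0.2", "443", "tcp", "RSTO", "ShADR"]),
])


def parse_conn_log(text):
    """Return one dict per record, using the column names from the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def argus_like_state(rec):
    """Derive an Argus-style label per the reply above (assumed mapping).

    Bro history letters: uppercase = sent by originator, lowercase = by responder,
    so case is folded before testing for h (handshake) or f (FIN).
    """
    if rec["proto"] == "icmp":
        # Argus URF corresponds to ICMP type 3 code 4; Bro logs it in the port columns.
        return "ICMP type %s code %s" % (rec["id.orig_p"], rec["id.resp_p"])
    hist = rec["history"].lower()
    if "f" in hist and rec["conn_state"] == "SF":
        return "CLO"   # closed: FIN seen, normal termination
    if "h" in hist and rec["conn_state"] in {"SF", "S1", "S2", "S3"}:
        return "ACC"   # accepted: handshake completed
    return None        # e.g. RST-terminated flows, not covered by the reply


if __name__ == "__main__":
    for rec in parse_conn_log(SAMPLE_CONN_LOG):
        print(rec["uid"], rec["conn_state"], rec["history"], "->", argus_like_state(rec))
```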