Meaning of Various Acronyms in State Field of Packet

Hi All,

I am looking at a dataset of features that was generated using Bro-IDS. Can someone please explain the meaning of the various acronyms that could be sent in a state field? I can guess some of them.

CON … Connected?
FIN … Finished?
TIM … ??
ECO … ??
INT … Interrupted?
RST … Reset?
ECR … Echo Reply?
URP … ??
CLO … ??
STA … ??

ACC … ??

Thanks much,

Lionel

Are you sure those came from Bro? Bro doesn't have a state field. It does have a conn_state field; however,
the possible values of that field are completely different from what you listed.

A google search for "CON FIN TIM ECO INT RST ECR URP CLO STA ACC" finds http://nsmwiki.org/Argus
which points to your data set being generated from Argus, not Bro.

Hi Justin,

Thanks for the prompt response. I was looking at the UNSW-NB15 Network Data Set within a journal article titled “UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set).”

According to the paper, there are some matched features for both Argus and Bro-IDS tools. One of these features is called “state”, and is described as the state and its dependent protocol, e.g. ACC, CLO. Maybe the authors made a mistake in the paper and this feature is only generated by Argus. Or maybe I am misinterpreting what the authors meant to convey.

Regards,

Lionel

http://manpages.ubuntu.com/manpages/trusty/man1/ra.1.html describes what all those fields mean.

Bro does have a similar feature, but the data is represented differently, and those specific state abbreviations are
an Argus thing.

In bro logs, the different ICMP codes are logged this way:

##! host/port to a destination host/port). Further, ICMP "ports" are to
##! be interpreted as the source port meaning the ICMP message type and
##! the destination port being the ICMP message code.

So while Argus has URF as a state meaning 'Unreachable need fragmentation', in Bro that would just be logged as
type 3 code 4 under the port columns.

For some of the other fields the information is either in the conn_state or history fields. The documentation for those is
here https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info

In Bro, ACC would show up as an h or H in history and a conn_state of SF, S1, S2, or S3 (I think?).

CLO would show up as f or F in history and a conn_state of SF.
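The mapping described in the reply above, as an added worked example that is not part of the thread and not code from Bro or Argus: a small Python parser over a constructed Bro conn.log excerpt that derives the Argus-style hints ACC (h/H in history with conn_state SF/S1/S2/S3) and CLO (f/F in history with conn_state SF), and reads ICMP type and code out of the id.orig_p / id.resp_p columns as the Bro script comment says. The RST hint (r/R in history) and the ICMP names other than type 3 code 4 are assumptions added here from RFC 792, not something the thread states; the sample log lines are constructed, not captured traffic.

```python
"""Derive Argus-like state hints (ACC, CLO, RST, ICMP type/code) from Bro conn.log.

Added example; the sample records below are constructed, not real captures.
"""

# Constructed Bro conn.log excerpt (tab-separated, '#fields' header gives column names).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory
1421927414.123456\tCxyz1\t10.0.0.5\t51234\t10.0.0.9\t80\ttcp\tSF\tShADadFf
1421927415.000000\tCxyz2\t10.0.0.5\t51235\t10.0.0.9\t22\ttcp\tS1\tShAd
1421927416.000000\tCxyz3\t10.0.0.5\t51236\t10.0.0.9\t443\ttcp\tREJ\tSr
1421927417.000000\tCxyz4\t10.0.0.5\t8\t10.0.0.9\t0\ticmp\tOTH\t-
1421927418.000000\tCxyz5\t10.0.0.9\t3\t10.0.0.5\t4\ticmp\tOTH\t-
"""

# conn_state values the reply lists for an accepted (handshake completed) connection.
ACCEPT_STATES = {"SF", "S1", "S2", "S3"}

# Assumed ICMP (type, code) names from RFC 792; only (3, 4) is stated in the thread.
ICMP_NAMES = {
    (0, 0): "echo reply (type 0 code 0)",
    (8, 0): "echo request (type 8 code 0)",
    (3, 4): "destination unreachable, fragmentation needed (type 3 code 4)",
    (11, 0): "time exceeded in transit (type 11 code 0)",
}


def parse_conn_log(text):
    """Return a list of dicts, one per record, keyed by the names in the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # drop the literal '#fields' token
            continue
        if line.startswith("#"):
            continue  # other header lines (#separator, #types, ...) carry no records
        if fields is None:
            raise ValueError("record appears before the #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def describe_icmp(itype, icode):
    """Name an ICMP type/code pair, falling back to the raw numbers."""
    return ICMP_NAMES.get((itype, icode), "icmp type %d code %d" % (itype, icode))


def argus_like_hints(rec):
    """Map one Bro record to the Argus-style state hints the thread describes."""
    if rec["proto"] == "icmp":
        # Per the Bro script comment: orig port = ICMP type, resp port = ICMP code.
        return [describe_icmp(int(rec["id.orig_p"]), int(rec["id.resp_p"]))]
    history, state = rec["history"], rec["conn_state"]
    hints = []
    if ("h" in history or "H" in history) and state in ACCEPT_STATES:
        hints.append("ACC")  # SYN-ACK seen and connection reached an established state
    if ("f" in history or "F" in history) and state == "SF":
        hints.append("CLO")  # FIN seen and connection closed normally
    if "r" in history or "R" in history:
        hints.append("RST")  # assumption: Argus RST ~ a reset seen in Bro history
    return hints


def summarize(text):
    """Return {uid: hints} for every record in a conn.log text."""
    return {rec["uid"]: argus_like_hints(rec) for rec in parse_conn_log(text)}


if __name__ == "__main__":
    for uid, hints in summarize(SAMPLE_CONN_LOG).items():
        print(uid, ", ".join(hints) or "(no hint)")
```

Run it against a real conn.log by replacing SAMPLE_CONN_LOG with the file contents; the parser keys on the #fields header, so extra columns in your Bro version are carried through unchanged.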

Awesome, thanks!