Menu
▾
▴
Tree [87afda] master / History
| File | Date | Author | Commit |
|---|---|---|---|
| README | 2013-08-08 |
eldraco
|
[3c755e] README |
| labels.config | 2013-08-13 |
eldraco
|
[0da4cb] New config label format |
| netflowlabeler.py | 2013-08-13 |
eldraco
|
[87afda] Changes, but it is broken |
| nfcapd.sample1 | 2013-07-18 |
eldraco
|
[2c459a] Add two sample netflow files to try |
| nfcapd.sample2 | 2013-07-18 |
eldraco
|
[2c459a] Add two sample netflow files to try |
Read Me
Netflowlabeler
--------------
Netflowlabeler is a python tool to add labels to netflow text files.
If you have a netflow text file and you want to add labels to it, you can add the lables and conditions to a configuration file and use this tool to assign them.
Configuration File
------------------
The conf file syntax is like this:
Background:
- srcIP=all
Normal:
- Proto=ARP
- Proto=IGMP
Botnet-DGA:
- Proto=UDP & dstPort=53
- Proto=UDP & srcPort=53
Botnet-CC:
- srcIP=10.0.0.151 & Proto=TCP
- dstIP=10.0.0.151 & Proto=TCP
The position is the priority of the rule. First we check the first rule and if it matches then we assign that label. Then we check the second rule, etc.
All the rules below a label are ORed. You can use & to AND different rules.
These are the possible fields that you can use in a configuration file to create the rules used for labeling.
Date , start , Duration , Proto , srcIP , srcPort , dstIP , dstPort , Flags , Tos , Packets , Bytes , Flows
The program can understand automatically the netflow files created by Argus and nfdump.
For Argus, you should create the netflow file with the ra tool with the following configuration
(/etc/rc.conf)
RA_PRINT_LABELS=0
RA_FIELD_DELIMITER='\t'
RA_USEC_PRECISION=6
RA_PRINT_NAMES=0
RA_TIME_FORMAT="%Y/%m/%d %T.%f"
RA_FIELD_SPECIFIER= stime dur proto:10 saddr:27 sport dir daddr:27 dport state stos dtos pkts bytes
Also you may run ra with -n so you can see the port numbers.
Any column after the last netflow official column is ignored (for example, if you had a label)
