idps-comparison-tool-scripts

Contains the scripts needed to extract the information used by our IDPS comparison tool

https://github.com/stratosphereips/idps-comparison-tool-scripts

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (8.2%) to scientific vocabulary
Last synced: 10 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: stratosphereips
  • License: gpl-2.0
  • Language: Python
  • Default Branch: main
  • Size: 27.1 MB
Statistics
  • Stars: 1
  • Watchers: 3
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created over 2 years ago · Last pushed over 1 year ago
Metadata Files
  • Readme
  • Contributing
  • License
  • Code of conduct
  • Citation
  • Security

README.md

Features

This repo contains the following scripts in the scripts/ dir (consider this branch a different tool):
  • a script for extracting the accumulated threat levels from Slips' alerts.json
  • a script for extracting the ground truth labels for each time window, given the conn.log.labeled, for a given IP
  • a script to determine the best threshold for Slips based on the extracted threat levels and ground truth

Installation

pip3 install -r requirements.txt


Usage

python3 -m pip install -r requirements.txt

Command for generating all Zeek files in the dataset/ directory:

zeek -C -r <pcap> tcp_inactivity_timeout=60mins tcp_attempt_delay=1min

Command for labeling conn.log files:

python3 netflowlabeler.py -c labels.config -f /path/to/generated/conn.log

Note that the conn.log given to netflowlabeler should be tab-separated, not JSON. netflowlabeler will write the conn.log.labeled in the same directory as the given conn.log.

(optional) To label the rest of the Zeek files using an already labeled conn.log file (conn.log.labeled):

zeek-files-labeler.py -l conn.log.labeled -f folder-with-zeek-log-files

Command for extracting the max accumulated threat level for all time windows from an alerts.json:

python3 -m scripts.max_accumulated_score_extractor_for_slips alerts.json <host_ip> <used_slips_threshold>

Command for getting the best Slips threshold given the extracted ground truth labels and max accumulated scores:

Note: this script assumes the correct ground truth labels are in scripts/extractedgttwlabels.py and the correct max accumulated scores of Slips are in scripts/extractedlevels.py.

Note: this script completely discards flows and time windows with any label other than benign or malicious (e.g. background, unknown label, no label, etc.).

  • to print the metrics to the CLI: python3 -m scripts.slips_metrics_getter

  • to plot the metrics: python3 -m scripts.slips_metrics_getter -p

Note: to print and plot the metrics, scripts/extractedscores/extractedlevels.py must be updated using the max_accumulated_score_extractor_for_slips.py script.

Command for extracting ground truth labels from a conn.log.labeled file:

Note: we only extract the labels per time window per IP.

python3 main.py -gtf conn.log.labeled -i <host_ip>

  • To extract the ground truth timewindow labels

    python3 -m scripts.groundtruthtimewindowlabelsextractor -gtf conn.log.labeled -i 147.32.83.234
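The two steps the README describes, deriving one ground truth label per time window for a host from a conn.log.labeled and then picking the threshold that best separates malicious from benign windows given the extractor's max accumulated threat levels, as an added illustration that is not code from this repository. It assumes the Zeek tab-separated layout with a `#fields` header and a netflowlabeler-style `label` column, a fixed 3600-second window anchored at the host's first flow, F1 as the selection metric, and a constructed dictionary standing in for the extractor's output; the sample conn.log.labeled rows are constructed, not real traffic. Windows whose flows carry only labels other than benign/malicious are dropped, matching the discard rule stated above.

```python
"""Added example (not part of idps-comparison-tool-scripts): per-time-window
ground truth for one host from a conn.log.labeled, then a threshold sweep over
per-window max accumulated threat levels. Window width, label column name and
F1 as the selection metric are assumptions, not taken from the README."""
from typing import Dict, List, Optional, Tuple

TIME_WINDOW_WIDTH = 3600.0  # seconds; assumed, the page does not state the width
BENIGN, MALICIOUS = "benign", "malicious"

# Constructed sample conn.log.labeled excerpt (tab-separated Zeek layout).
SAMPLE_CONN_LOG_LABELED = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tlabel\tdetailedlabel\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1000.0\tC1\t10.0.0.5\t40000\t93.184.216.34\t443\ttcp\tBenign\t-\n"
    "1500.0\tC2\t10.0.0.5\t40001\t198.51.100.9\t80\ttcp\tBackground\t-\n"
    "5000.0\tC3\t10.0.0.5\t40002\t203.0.113.7\t6667\ttcp\tMalicious\tC&C\n"
    "5100.0\tC4\t192.168.1.2\t5555\t10.0.0.5\t22\ttcp\tBenign\t-\n"
    "9000.0\tC5\t10.0.0.5\t40003\t203.0.113.8\t25\ttcp\tUnknown\t-\n"
    "12000.0\tC6\t10.0.0.5\t40004\t198.51.100.10\t443\ttcp\tBenign\t-\n"
    "12500.0\tC7\t192.168.1.2\t5556\t203.0.113.9\t6667\ttcp\tMalicious\tC&C\n"
    "16000.0\tC8\t10.0.0.5\t40005\t203.0.113.7\t6667\ttcp\tMalicious\tC&C\n"
)

# Constructed stand-in for the extractor's output: time window -> max accumulated level.
SAMPLE_MAX_LEVELS: Dict[int, float] = {0: 0.3, 1: 2.1, 2: 0.9, 3: 0.8, 4: 1.5}


def parse_conn_log_labeled(text: str) -> List[dict]:
    """Parse Zeek tab-separated rows into dicts keyed by the #fields names."""
    fields: Optional[List[str]] = None
    flows: List[dict] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines carry no flow
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"column count mismatch: {line!r}")
            flows.append(dict(zip(fields, values)))
    return flows


def ground_truth_tw_labels(flows: List[dict], host_ip: str,
                           width: float = TIME_WINDOW_WIDTH) -> Dict[int, str]:
    """A window is malicious if any benign/malicious-labeled flow involving the
    host in it is malicious, benign otherwise; windows with only other labels
    (Background, Unknown, '-') get no entry and are thereby discarded."""
    host_flows = [f for f in flows if host_ip in (f["id.orig_h"], f["id.resp_h"])]
    if not host_flows:
        return {}
    first_ts = min(float(f["ts"]) for f in host_flows)
    labels: Dict[int, str] = {}
    for f in host_flows:
        label = f["label"].lower()
        if label not in (BENIGN, MALICIOUS):
            continue
        tw = int((float(f["ts"]) - first_ts) // width)
        if label == MALICIOUS or tw not in labels:
            labels[tw] = label
    return labels


def f1_at_threshold(scores: Dict[int, float], gt: Dict[int, str], threshold: float) -> float:
    """F1 of 'window is malicious iff score >= threshold' over labeled windows."""
    tp = fp = fn = 0
    for tw, label in gt.items():
        if tw not in scores:
            continue  # no Slips level for this window, nothing to compare
        predicted_malicious = scores[tw] >= threshold
        if predicted_malicious and label == MALICIOUS:
            tp += 1
        elif predicted_malicious:
            fp += 1
        elif label == MALICIOUS:
            fn += 1
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def best_threshold(scores: Dict[int, float], gt: Dict[int, str]) -> Tuple[float, float]:
    """Try every observed level of a labeled window as threshold; return (threshold, f1)."""
    candidates = sorted({scores[tw] for tw in gt if tw in scores})
    best = (float("nan"), -1.0)
    for t in candidates:
        f1 = f1_at_threshold(scores, gt, t)
        if f1 > best[1]:
            best = (t, f1)
    return best


if __name__ == "__main__":
    gt_labels = ground_truth_tw_labels(parse_conn_log_labeled(SAMPLE_CONN_LOG_LABELED), "10.0.0.5")
    print("ground truth per time window:", gt_labels)
    print("best threshold, F1:", best_threshold(SAMPLE_MAX_LEVELS, gt_labels))
```

On the constructed sample, window 2 holds only an Unknown-labeled flow and so receives no ground truth entry, and the malicious flow C7 does not involve the host and is ignored; the sweep then selects 1.5, the lowest level at which every malicious window is flagged without a benign one.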

About

This repo was developed at the Stratosphere Laboratory at the Czech Technical University in Prague.

Owner

  • Name: Stratosphere IPS
  • Login: stratosphereips
  • Kind: organization
  • Location: Prague

Cybersecurity Research Laboratory at the Czech Technical University in Prague. Creators of Slips, a free software machine learning-based behavioral IDS/IPS.

Citation (CITATION.cff)

cff-version: 1.2.0
message: "If you use this software, please cite it as below."
authors:
- family-names: "YOUR_NAME_HERE"
  given-names: "YOUR_NAME_HERE"
  email: youremailhere
  affiliation: >-
      Stratosphere Laboratory, AIC, FEL, Czech
      Technical University in Prague
  orcid: "https://orcid.org/0000-0000-0000-0000"
- family-names: "Lisa"
  given-names: "Mona"
  email: youremailhere
  affiliation: >-
      Stratosphere Laboratory, AIC, FEL, Czech
      Technical University in Prague
  orcid: "https://orcid.org/0000-0000-0000-0000"
title: "repository-template"
version: 1.0.0
doi: 10.5281/zenodo.1234
date-released: 2022-07-13
url: "https://github.com/stratosphereips/repository-template"

GitHub Events

Total
  • Push event: 9
  • Create event: 9
Last Year
  • Push event: 9
  • Create event: 9

Dependencies

.github/workflows/autotag.yml actions
  • actions/checkout v2 composite
  • anothrNick/github-tag-action 1.36.0 composite
docker/suricata/Dockerfile docker
  • ubuntu 20.04 build
requirements.txt pypi
  • argparse *
  • ipaddress *
  • pyyaml *
  • seaborn *
  • termcolor *