[nsp-sec] Pre-classified netflow samples
Yonglin ZHOU
yonglin.zhou at gmail.com
Tue Sep 2 20:36:01 EDT 2008
As Donald said, it is sensitive to provide raw netflow data.
And even if someone could, it is still hard to give an exact identity
of each flow as good or as some kind of attack. Some attacks can be easily
detected by port and many cannot (like trojans).
If you are mainly focused on data mining, not particularly on attacks,
maybe you can get some netflow data from your own network and aim at
some common traffic like http, p2p, etc. Even among p2p
applications, there are differences between each other.
Another possible way is to work with some honeynet research teams. At
the honeywall, you can fetch all the traffic logs towards the honeypot,
which are supposed to be some kind of attack. You can easily convert the
logs into netflow 5. On the other hand, the honeynet system can
identify some attacks, which could be used as tags for the flows. Again,
as Donald said, you need some extra work.
My two cents.
Yonglin.
On Wed, Sep 3, 2008 at 4:47 AM, Sebastian Abt <sa at rh-tec.de> wrote:
> ----------- nsp-security Confidential --------
>
> * Smith, Donald wrote:
>> Flow-dscan from flow tools provides some ddos and scanning recognition
>> abilities.
>>
>> I have written some flow-nfilter and flow-filter acl's but most of
>> those have been fairly specific with host and port numbers based on
>> reports here or on another list.
>
> Thanks, this is an idea I haven't thought about yet. However, I'm more
> looking for data that has been verified to belong to a specific
> attack and classified accordingly, which can then be used as a training
> and evaluation dataset.
>
>
> sebastian
>
> --
> fon: +49 69 95411 15 e-mail: sa at rh-tec.de
> fax: +49 69 95411 45 mobile: +49 69 95411 55
> rh-tec Business GmbH http://www.rh-tec.de/
> Ringstrasse 36 32584 Loehne
> Geschaeftsfuehrer: Gerhard Roehrmann
> Registergericht: AG Bad Oeynhausen, HRB 8112
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
--
----One Internet, One Beijing Olympic Games---
Contacts of CNCERT/CC:
Fix line: + 86 10 8299 1000, +86 10 8299 0999,
Cell phone: +86 139 1019 6910
Fax: +86 10 8299 0399 Email: cncert at cert.org.cn
PGP Server: keyserver.cert.org.cn :389
Contacts of Yonglin ZHOU:
Fix line: + 86 10 8299 0355 Fax: +86 10 8299 0399
Email: zyl at cert.org.cn, yonglin.zhou at gmail.com
-------------------------------------------------------------------------
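The honeywall suggestion above (export honeypot-bound traffic as NetFlow v5 and tag the flows) as an added worked example, not code from the list or from either poster: it packs constructed flow records into a NetFlow v5 datagram, parses it back with header validation, and labels every flow whose destination is a honeypot address as "attack". The addresses, ports and the `HONEYPOTS` set are constructed sample values.

```python
import struct
import ipaddress

# NetFlow v5 export datagram: 24-byte header followed by up to 30
# fixed 48-byte flow records, all fields big-endian.
HDR = struct.Struct("!HHIIIIBBH")            # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in/out if, pkts, octets, first, last, ...

# Constructed sample data: two flows aimed at honeypots, one ordinary web flow.
HONEYPOTS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 51234, "dport": 445,
     "proto": 6, "flags": 0x02, "pkts": 3, "bytes": 180, "first": 1000, "last": 1200},
    {"src": "198.51.100.7", "dst": "192.0.2.11", "sport": 51235, "dport": 22,
     "proto": 6, "flags": 0x02, "pkts": 2, "bytes": 120, "first": 1300, "last": 1350},
    {"src": "192.0.2.50", "dst": "203.0.113.5", "sport": 40000, "dport": 80,
     "proto": 6, "flags": 0x1b, "pkts": 12, "bytes": 9000, "first": 900, "last": 2500},
]

def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))

def pack_v5(flows, uptime_ms=0, unix_secs=0, seq=0):
    """Build one NetFlow v5 datagram from flow dicts (at most 30 records)."""
    if len(flows) > 30:
        raise ValueError("NetFlow v5 carries at most 30 records per datagram")
    hdr = HDR.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    recs = b"".join(REC.pack(ip2int(f["src"]), ip2int(f["dst"]), 0, 0, 0,
                             f["pkts"], f["bytes"], f["first"], f["last"],
                             f["sport"], f["dport"], 0, f.get("flags", 0),
                             f["proto"], 0, 0, 0, 0, 0, 0) for f in flows)
    return hdr + recs

def unpack_v5(data):
    """Parse a NetFlow v5 datagram, refusing other versions and truncated payloads."""
    if len(data) < HDR.size:
        raise ValueError("short header")
    version, count, *_ = HDR.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(data) != HDR.size + count * REC.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        r = REC.unpack_from(data, HDR.size + i * REC.size)
        flows.append({"src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
                      "pkts": r[5], "bytes": r[6], "first": r[7], "last": r[8],
                      "sport": r[9], "dport": r[10], "flags": r[12], "proto": r[13]})
    return flows

def label_flows(flows, honeypots):
    """Honeynet assumption from the thread: traffic towards a honeypot is attack traffic."""
    return [dict(f, label="attack" if f["dst"] in honeypots else "unknown") for f in flows]

def demo():
    return label_flows(unpack_v5(pack_v5(SAMPLE_FLOWS)), HONEYPOTS)
```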