|
| Cat. | Not. | Name | Type | Statistics | Description |
| Min | Max |
|
| Basic |
| | | Duration | Num. | 0 | 58329 | Connection length in seconds |
| | | pro_type | Cat. | — | — | Prototype type which can be tcp, udp, or icmp |
| | | srv | Cat. | — | — | Service on the destination; there are 67 potential values such as http, ftp, telnet, and domain |
| | | Flag | Cat. | — | — | Normal or error status of the connection; there are 11 potential values, for example, rej, sh |
| | | src_bytes | Num. | 0 | 693 M | Num. of bytes from the source to the destination |
| | | dst_bytes | Num. | 0 | 52 M | Num. of bytes from the destination to the source |
| | | Land | Binary | — | — | Whether conn. from/to same host/port or not |
| | | wrng_frg | Num. | 0 | 3 | Number of wrong fragments |
| | | urg | Num. | 0 | 3 | Number of urgent packets |
|
| Content |
| | | Hot | Num. | 0 | 30 | Number of hot indicators |
| | | n_failed_lgns | Num. | 0 | 5 | Number of failed login attempts |
| | | logged_in | Binary | — | — | Whether successfully logged in or not |
| | | n_cmprmsd | Num. | 0 | 884 | Number of compromised conditions |
| | | rt_shell | Binary | — | — | Whether root shell is obtained or not |
| | | su_attmptd | Num. | 0 | 2 | Number of “su root” commands attempted |
| | | n_rt | Num. | 0 | 993 | Number of accesses to the root |
| | | n_file_crte | Num. | 0 | 28 | Number of create-file operations |
| | | n_shells | Num. | 0 | 2 | Number of shell prompts |
| | | n_access_files | Num. | 0 | 8 | Number of operations on access control files |
| | | n_obnd_cmds | Num. | 0 | 0 | Number of outbound commands in an ftp session |
| | | is_hot_lgn | Binary | — | — | Whether login belongs to hot list or not |
| | | is_guest_lgn | Binary | — | — | Whether login is guest or not |
|
| t_traffic (using a window of 2 seconds) |
| | | cnt | Num. | 0 | 511 | Number of same-host connections as the current connection in the past 2 seconds |
| | | srv_cnt | Num. | 0 | 511 | Num. of same-host conn. to the same service as the current connection in the past 2 seconds |
| | | syn_err | Num. | 0 | 1 | Percentage of same-host conn. with syn errors |
| | | srv_syn_err | Num. | 0 | 1 | Percentage of same-service conn. with syn errors |
| | | rej_err | Num. | 0 | 1 | Percentage of same-host conn. with rej errors |
| | | srv_rej_err | Num. | 0 | 1 | Percentage of same-service conn. with rej errors |
| | | sm_srv_r | Num. | 0 | 1 | Percentage of same-host conn. to same service |
| | | dff_srv_r | Num. | 0 | 1 | Percentage of same-host conn. to different services |
| | | srv_dff_hst_r | Num. | 0 | 1 | Percentage of same-service conn. to different hosts |
|
| h_traffic (using a window of 100 connections) |
| | | h_cnt | Num. | 0 | 255 | Number of same-host connections as the current connection in the past 100 connections |
| | | h_srv_cnt | Num. | 0 | 255 | Num. of same-host conn. to the same service as the current connection in the past 100 connections |
| | | h_sm_srv_r | Num. | 0 | 1 | Percentage of same-host conn. to same service |
| | | h_dff_srv_r | Num. | 0 | 1 | Percentage of same-host conn. to different services |
| | | h_sm_sr_prt_r | Num. | 0 | 1 | Percentage of same-service conn. to different hosts |
| | | h_srv_dff_hst_r | Num. | 0 | 1 | Percentage of same-service conn. to different hosts |
| | | h_syn_err | Num. | 0 | 1 | Percentage of same-host conn. with syn errors |
| | | h_srv_syn_err | Num. | 0 | 1 | Percentage of same-service conn. with syn errors |
| | | h_rej_err | Num. | 0 | 1 | Percentage of same-host conn. with rej errors |
| | | h_srv_rej_err | Num. | 0 | 1 | Percentage of same-service conn. with rej errors |
|
