Difference between revisions of "SSH datasets"
(Created page with "This page provides access to the materials accompanying the following publication: '''SSH Compromise Detection using NetFlow/IPFIX'''<br /> Rick Hofstede, Luuk Hendriks, Anna...") |
(Started working on dataset description) |
Line 23: | Line 23: | ||
Some results derived from these data can be found in [http://www.rickhofstede.nl here]. | Some results derived from these data can be found in [http://www.rickhofstede.nl here]. | ||
+ | |||
+ | === Flow data === | ||
+ | |||
+ | The flow data has been exported by a Cisco Catalyst 6500 with SUP2T supervisor module (PFC4, MSFC 5), and collected using [http://nfdump.sf.net nfcapd]. Neither packet sampling nor flow sampling have been applied. The following post-processing operations have however been performed: | ||
+ | |||
+ | # '''Filtering''': Only SSH data has been selected, i.e., the following [http://nfdump.sf.net nfdump] filter has been used: ''port 22 and proto tcp''. | ||
+ | # '''Anonymization''': | ||
+ | |||
+ | === Log files === | ||
== Scripts == | == Scripts == |
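Review bot: The added '''Anonymization''' list item ends at its colon with no description, and the new === Log files === heading has no body text, so the dataset description does not yet say how the flow data was anonymized or what the log files contain; complete both, or leave them out of this revision until the text is ready. In the Flow data paragraph, "Neither packet sampling nor flow sampling have been applied" should read "has been applied".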
Revision as of 08:14, 3 August 2014
This page provides access to the materials accompanying the following publication:
SSH Compromise Detection using NetFlow/IPFIX
Rick Hofstede, Luuk Hendriks, Anna Sperotto, Aiko Pras. In: ACM Computer Communication Review, 2014.
More information regarding this publication can be found here. Any usage of materials provided on this page should reference this publication.
Datasets
Name | File Size | Hosts |
---|---|---|
Flow data | x GB | 333 |
Log files | x GB | 333 |
Some results derived from these data can be found here.
Flow data
The flow data has been exported by a Cisco Catalyst 6500 with SUP2T supervisor module (PFC4, MSFC 5), and collected using nfcapd. Neither packet sampling nor flow sampling has been applied. The following post-processing operations have, however, been performed:
- Filtering: Only SSH data has been selected, i.e., the following nfdump filter has been used: port 22 and proto tcp.
- Anonymization: