https://github.com/cesnet/nemea

System for network traffic analysis and anomaly detection.
https://github.com/cesnet/nemea

liberouter nemea

Last synced: 8 months ago
JSON representation

System for network traffic analysis and anomaly detection.

• Host: GitHub
• URL: https://github.com/cesnet/nemea
• Owner: CESNET
• License: other
• Created: 2015-08-29T17:53:50.000Z (over 10 years ago)
• Default Branch: master
• Last Pushed: 2024-10-26T18:41:01.000Z (over 1 year ago)
• Last Synced: 2024-10-26T20:41:30.683Z (over 1 year ago)
• Topics: liberouter, nemea
• Language: Shell
• Size: 22.6 MB
• Stars: 86
• Watchers: 26
• Forks: 22
• Open Issues: 3
• Metadata Files:
  • Readme: README-on_biflow.md
  • Contributing: CONTRIBUTING.md
  • License: COPYING

Awesome Lists containing this project

README

          
This documents briefly explains "biflow" representation and how it is used in

[ipfixprobe](https://github.com/CESNET/ipfixprobe) and how it should be used in

NEMEA. Biflow is an abbreviation of bidirectional flow (record) which

represents both directions of one connection between two devices in form of one

"message"/flow record.

Interpretation of UniRec record (how to work with UniRec template and UniRec

message):

1. If the UniRec template contains both fields: `BYTES_REV` and `PACKETS_REV`,

   it is considered as biflow template. Otherwise, it is not (i.e., it is

   probably unidirectional flow record). Note: ipfixprobe ALWAYS export both

   fields for biflow.

2. If the UniRec template is not biflow (due to missing fields in 1.), the

   UniRec messages should be paired/aggregated "manually" to get biflow.

3. If a biflow message contains `PACKETS_REV == 0`, it is still a biflow

   record, however, it contains only one direction of the communication. This

   means one of the cases:

    1. the communication was really unidirectional (e.g., broadcast messages, UDP streams),

    2. the communication was bidirectional, but the flow exporter observed only

       one direction of it,

    3. the communication was bidirectional, but the flow exporter was not able

       to pair/aggregated both directions.

3.2 can happen in case of assymetric routing, where packets of different

directions might be routed via different links.

3.3 can happen in case of splitting flow records due to timeouts or limited

flow cache.

In any case, it is highly recommended to do pairing/aggregation of UniRec

message before processing.