-
Notifications
You must be signed in to change notification settings - Fork 4
/
labels.config
65 lines (64 loc) · 2.09 KB
/
labels.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#################################################################################################################
# This is the labels configuration file of the netflowlabeler tool
# Example Usage
#
# Benign, FromWindows:
# - Proto=UDP & srcIP=147.32.84.165 & dstPort=53 # (AND conditions go in one line)
# - Proto=TCP & dstIP=1.1.1.1 & dstPort=53 # (all new lines are OR conditions)
#
# 0. The first part of the label is the generic label (Benign), after the comma is the detailed description (FromWindows). We encourage not to use : or spaces or , or TABs in the detailed description
# 1. If there is no |, then the detailed label is empty.
# 2. Don't use quotes for the text.
# 3. Labels are assigned from top to bottom
# 4. Each new label superseeds and overwrites the previous match
#
# This are the possible fields that you can use in a configuration file to create the rules used for labeling.
# Date
# start
# Duration
# Proto
# srcIP
# srcPort
# dstIP
# dstPort
# State
# Tos
# Packets
# Bytes
# Flows
#################################################################################################################
# Background labels should go first
Background:
- srcIP=all
Background, ARP:
- Proto=ARP
# Malicious labels should go next
# No detailed label
Malicious, From_Malware:
- srcIP=10.0.0.34
Malicious, From_Local_Link_IPv6:
- srcIP=fe80::1dfe:6c38:93c9:c808
Malicious, From-Benign-DNS-Server:
- Proto=UDP & dstIP=147.32.84.192 & srcPort=53
Malicious, IPv6-Web:
- dstIP=2a00:1450:400c:c05::64 & dstPort=80
Malicious, DNS-Access:
- srcIP=10.0.0.34 & dstIP=8.8.8.8 & dstPort=53
Test-Negative:
- srcIP!=fe80::2acf:e9ff:fe17:3079 & dstPort=5353
Test-Negative2:
- srcIP=fe80::2acf:e9ff:fe17:3079 & dstPort!=5354
Test-State:
- srcIP=10.0.0.34 & State=S0
Test-largebytes:
- Bytes>=100
Test-smallbytes:
- Bytes<=100
# Normal labels go last
Benign, FromInfectedComputer:
- srcIP=fe80::50be:8acf:be49:8c14 & dstIP=ff02::1:2
Benign, Windows:
- srcIP=77.67.96.222
- dstIP=77.67.96.222
Benign, Unknown:
- dstIP=2a00:1450:400c:c05::69 & dstPort=443