You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
67 lines
1.2 KiB
Plaintext
67 lines
1.2 KiB
Plaintext
splitter S {}
|
|
|
|
filter www_req {
|
|
dstport = 80
|
|
}
|
|
|
|
filter www_res {
|
|
srcport = 80
|
|
}
|
|
|
|
filter www_res1 {
|
|
srcport = 80
|
|
}
|
|
|
|
grouper g_www_req {
|
|
module g1 {
|
|
srcip = srcip
|
|
dstip = dstip
|
|
etime < stime delta 1s
|
|
}
|
|
aggregate srcip, dstip, sum(bytes) as bytes, count(rec_id) as n,
|
|
bitOR(tcp_flags) as flags, union(srcport) as srcports
|
|
}
|
|
|
|
grouper g_www_res {
|
|
module g1 {
|
|
srcip = srcip
|
|
dstip = dstip
|
|
etime < stime delta 1s
|
|
}
|
|
aggregate srcip, dstip, sum(bytes) as bytes, count(rec_id) as n,
|
|
bitOR(tcp_flags) as flags, union(dstport) as dstports
|
|
}
|
|
|
|
grouper g_www_res1 {
|
|
module g1 {
|
|
srcip = srcip
|
|
dstip = dstip
|
|
etime < stime delta 5s
|
|
}
|
|
aggregate srcip, dstip, sum(bytes) as bytes, count(rec_id) as n,
|
|
bitOR(tcp_flags) as flags, union(dstport) as dstports
|
|
}
|
|
|
|
groupfilter ggf {
|
|
bitAND(flags, 0x13) = 0x13
|
|
}
|
|
|
|
merger M {
|
|
module m1 {
|
|
branches C, B, A
|
|
A.srcip = B.dstip
|
|
A.srcports = B.dstports
|
|
A.bytes < B.bytes
|
|
B oi A OR B d A
|
|
}
|
|
export m1
|
|
}
|
|
|
|
ungrouper U {}
|
|
|
|
"./netflow-trace.h5" -> S
|
|
S branch A -> www_req -> g_www_req -> ggf -> M
|
|
S branch B -> www_res -> g_www_res -> ggf -> M
|
|
S branch C -> www_res1 -> g_www_res1 -> ggf -> M
|
|
M->U->"./ungroped.h5"
|