# Threshold applied to the response-minus-request difference computed in q3.
T3 = 20

# Stream 1 ("responses", going by the name): keep only rows whose 'count'
# value is at least T1. T1 is not defined in this excerpt -- it is expected
# to be bound earlier in the file.
n_resp = (
    PacketStream(1)
    # Add code here
    .filter(filter_vals=('count', ), func=('geq', T1)))

# Stream 2 ("requests"): same shape, thresholded at T2 (also bound earlier).
n_req = (
    PacketStream(2)
    # Add code here
    .filter(filter_vals=('count', ), func=('geq', T2)))

# q3: join both streams on the same window, emit their difference as 'diff1',
# keep rows with diff1 >= T3 and report only the destination IP. Which two
# joined fields 'diff' subtracts is decided by the DSL and is not visible here.
q3 = (
    n_resp.join(window='Same', query=n_req, new_qid=3)
    .map(map_values=('diff1', ), func=('diff', ))
    .filter(filter_vals=('diff1', ), func=('geq', T3))
    .map(keys=('ipv4.dstIP', )))

queries = [q3]

# One plan tuple per query id handed to the runtime; the meaning of the
# remaining tuple fields is the runtime's convention, not documented here.
config["final_plan"] = [(1, 32, 4), (2, 32, 4)]

_BANNER = "*********************************************************************"
print(_BANNER)
print("* Receiving User Queries *")
print(_BANNER + "\n\n")

# The runtime is pointed at this file's own directory.
runtime = Runtime(config, queries, os.path.dirname(os.path.realpath(__file__)))
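# TODO: Commented for testing
# TODO: put index in header field
# T = 1
# NOTE(review): `T` is used as the filter threshold below while its
# definition here is commented out; it must be bound earlier in the file,
# otherwise evaluating this block raises NameError -- confirm with the caller.

# q3: join the two streams, then per (dstIP, srcIP) pair take the difference
# of the two joined counts ('count1', 'count2'); keep pairs whose difference
# is at least T and report the destination IP.
q3 = (
    n_resp.join(query=n_req, new_qid=3).map(
        keys=(
            'ipv4.dstIP',
            'ipv4.srcIP',
        ),
        map_values=(
            'count1',
            'count2',
        ),
        func=('diff', ))
    # make output diff called 'diff3'
    .filter(filter_vals=('diff3', ), func=('geq', T))
    # keys must be a 1-tuple: ('ipv4.dstIP') without the trailing comma is
    # just the string 'ipv4.dstIP', unlike every other keys=(...) argument
    # in this file.
    .map(keys=('ipv4.dstIP', )))
queries = [q3]

# One plan tuple per query id for the runtime; the layout of the remaining
# fields is the runtime's convention and is not documented on this page.
config["final_plan"] = [(1, 32, 4, 1), (2, 32, 3, 1)]

print(
    "*********************************************************************"
)
print(
    "* Receiving User Queries *"
)
print(
    "*********************************************************************\n\n"
)
runtime = Runtime(config, queries)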
func=('sum', )).filter(
    filter_vals=('count', ), func=('geq', '99')).map(keys=('dIP', )))

# DNS TTL change detection
# q5: keep packets with source port 53 (typically DNS answers), count one
# per (domain, ttl) pair, sum those counts per pair, and report the domains
# whose pair count reaches the threshold. The threshold is the string '99',
# matching the query above, rather than a number.
_dns_by_domain_ttl = (
    PacketStream(5)
    .filter(filter_keys=('sPort', ), func=('eq', 53))
    .map(keys=('domain', 'ttl'), map_values=('count', ), func=('set', 1))
    .reduce(keys=('domain', 'ttl'), func=('sum', )))
q5 = (
    _dns_by_domain_ttl
    .filter(filter_vals=('count', ), func=('geq', '99'))
    .map(keys=('domain', )))

# port scan
# One host is scanning lot of different ports
# this potentially happens before an attack
# q6: one row per distinct (sIP, dPort) pair, then the number of distinct
# destination ports per source IP; a source is reported once that number
# reaches the threshold. The TCP-only (proto == 6) filter stays commented out,
# so every protocol contributes to the count.
_distinct_ports_per_src = (
    PacketStream(6)
    # .filter(filter_keys=('proto',), func=('eq', 6))
    .map(keys=('sIP', 'dPort'))
    .distinct(keys=('sIP', 'dPort'))
    .map(keys=('sIP', ), map_values=('count', ), func=('set', 1))
    .reduce(keys=('sIP', ), func=('sum', )))
q6 = (
    _distinct_ports_per_src
    .filter(filter_vals=('count', ), func=('geq', '99.99'))
    .map(keys=('sIP', )))

# Only the port-scan query is submitted here; q5 is defined but not handed
# to the runtime.
queries = [q6]
runtime = Runtime(conf, queries)