Example of network traffic traces provided as annotated units.
(This repository will be archived after the launch of the sharing platform.)
This repository contains an example of so-called annotated units composed of network traffic trace with interest-related packets only. While the real-world traffic capture needs to be kept private, the annotated units can be freely shared since they only contain the interest-based trace of traffic with a minimum of private information.
All annotated units are normalized network traffic traces where MAC and IP addresses are changed uniformly to the same address range between all units. Moreover, the timestamp of the capture is set to zero epoch time to ease further injection of the unit to the real-world background traffic.
This repository provides an example of selected annotated units (trace file and annotation) generated by Trace-Creator tool. The aim is to facilitate understanding of the new concept of annotated units and semi-labeled datasets.
The following examples contain SSH dictionary attack performed by commonly available tools and generated using Trace-Creator. IP addresses are adjusted to ease recognition of different attack types for use-case when traces are merged using the simple mergecap tool. Use our tool Trace-Share: ID2T if you want to insert these units so that they are indistinguishable in background traffic.
- Webpage: https://github.com/vanhauser-thc/thc-hydra
- Software version: 8.4
- hydra-1_tasks.pcap
- Command:
$ ./hydra -l user -x "1:5:a" -t 1 ssh://10.0.0.3/ - Source address: 240.0.1.2
- Destination address: 240.125.0.2
- Command:
- hydra-4_tasks.pcap
- Command:
$ ./hydra -l user -x "1:5:a" -t 4 ssh://10.0.0.3/ - Source address: 240.0.1.3
- Destination address: 240.125.0.2
- Command:
- hydra-8_tasks.pcap
- Command:
$ ./hydra -l user -x "1:5:a" -t 8 ssh://10.0.0.3/ - Source address: 240.0.1.4
- Destination address: 240.125.0.2
- Command:
- hydra-16_tasks.pcap
- Command:
$ ./hydra -l user -x "1:5:a" -t 16 ssh://10.0.0.3/ - Source address: 240.0.1.5
- Destination address: 240.125.0.2
- Command:
- hydra-24_tasks.pcap
- Command:
$ ./hydra -l user -x "1:5:a" -t 24 ssh://10.0.0.3/ - Source address: 240.0.1.6
- Destination address: 240.125.0.2
- Command:
- Webpage: http://foofus.net/goons/jmk/medusa/medusa.html
- Software version: 2.2
- medusa-1_tasks.pcap
- Command:
$ medusa -M ssh -u user -P <passwords.txt> -h 10.0.0.3 -t 1 - Source address: 240.0.2.2
- Destination address: 240.125.0.2
- Command:
- medusa-4_tasks.pcap
- Command:
$ medusa -M ssh -u user -P <passwords.txt> -h 10.0.0.3 -t 4 - Source address: 240.0.2.3
- Destination address: 240.125.0.2
- Command:
- medusa-8_tasks.pcap
- Command:
$ medusa -M ssh -u user -P <passwords.txt> -h 10.0.0.3 -t 8 - Source address: 240.0.2.4
- Destination address: 240.125.0.2
- Command:
- medusa-16_tasks.pcap
- Command:
$ medusa -M ssh -u user -P <passwords.txt> -h 10.0.0.3 -t 16 - Source address: 240.0.2.5
- Destination address: 240.125.0.2
- Command:
- medusa-24_tasks.pcap
- Command:
$ medusa -M ssh -u user -P <passwords.txt> -h 10.0.0.3 -t 24 - Source address: 240.0.2.6
- Destination address: 240.125.0.2
- Command:
- Webpage: https://nmap.org/ncrack/
- Software version: 0.5
- ncrack-paranoid.pcap
- Command:
$ ncrack --user user1,user2,user3 10.0.0.3:22 -T paranoid - Source address: 240.0.3.2
- Destination address: 240.125.0.2
- Command:
- ncrack-sneaky.pcap
- Command:
$ ncrack --user user1,user2,user3 10.0.0.3:22 -T sneaky - Source address: 240.0.3.3
- Destination address: 240.125.0.2
- Command:
- ncrack-polite.pcap
- Command:
$ ncrack --user user1,user2,user3 10.0.0.3:22 -T polite - Source address: 240.0.3.4
- Destination address: 240.125.0.2
- Command:
- ncrack-normal.pcap
- Command:
$ ncrack --user user1,user2,user3 10.0.0.3:22 -T normal - Source address: 240.0.3.5
- Destination address: 240.125.0.2
- Command:
- ncrack-aggressive.pcap
- Command:
$ ncrack --user user1,user2,user3 10.0.0.3:22 -T aggressive - Source address: 240.0.3.6
- Destination address: 240.125.0.2
- Command:
New datasets are welcome! The sharing platform is not working yet, but we can prepare network traffic traces now.
If you are interested in research collaborations, don't hesitate to contact us at https://csirt.muni.cz!