Classic way of analysis

Analyzes the L4 payload. The following parameters for building the decision tree must be specified:

  • Decisions - the maximum nesting depth of a branch. Determines how deep the search goes while the decision tree is being built.

  • Decision type - the algorithm used to construct the decision tree:

    • First Suitable - search for the first suitable solution;
    • All possible - search for all possible solutions within the specified Variation and maximum nesting level;
    • Solution of the minimum length - traversal along the branches of minimum length, regardless of the completeness of the solution.

  • Variation - the amount of variation the data at an offset may have for that offset to be used to create a branch. This is the maximum number of child branches of a decision tree node.

  • Packet Bytes - the number of leading payload bytes to parse. Limiting this produces shorter signatures, for example for use in a JunOS flex filter, and reduces analysis time.

Report

The report consists of the following sections:

  • packets stats;

    • totally — total packets loaded from the PCAP file;
    • filtered — the number of packets excluded from processing by filters;
    • processed — the number of packets processed.

  • protocols stats;
    packet distribution by protocol, as a percentage.

  • packets payload len stats;
    distribution of packets by L4 payload length, as an absolute count and as a percentage of all packets accepted for processing.

  • [tcp, udp] [src, dst] ports stats;
    distribution of packets by port: the number of packets, the percentage of all packets accepted for processing, and the percentage of the total number of packets. Displays up to the 10 most used ports among the packets being processed.

  • decision tree.
    the L4 payload filter, described in REX countermeasure syntax.

If hints (prompts) are enabled, the following sections are added to the report:

  • values to separate into branches
    Shows L4 payload offsets whose variance is less than the specified Variation and which are present in 100% of processed packets. If no branching candidates are found with the given Variation, but for some offset the number of distinct values across all packets exceeds it, the minimum Variation needed to find at least one branch is reported.

  • other common values in processed payload
    Shows L4 payload offsets that hold a nearly constant value (the same byte in more than 90% of the packets in which the offset exists). Displays the absolute number of packets and the percentage of total packets for each offset. Offsets whose value is nearly constant but which occur in too few packets (less than 90% of the total) are not displayed.

  • possible related values in processed payload
    Searches for L4 payload values that have the same number of repetitions; most likely they change synchronously. Displays the absolute number of packets and the percentage of total processed packets for each set of related values. Values that do not change and are very rare (less than 5% of the number of processed packets) are not taken into account.

  • possible floating values in processed payload
    Searches for L4 payload values that float within a small range of offsets (8) and are contained in all packets within that range. Values that do not change are ignored. If the same value is found several times with overlapping offset ranges, the occurrences are merged.
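As an added example (not the tool's own code), the following Python script reproduces the Decisions, Variation and Packet Bytes parameters from the first section and the "values to separate into branches" hint on a constructed set of payloads. It assumes that "First Suitable" means branching on the lowest qualifying offset, that Variation is the maximum number of distinct values an offset may hold, and that offsets which never vary are signature constants rather than branch points.

```python
from collections import Counter

# Constructed sample L4 payloads (not from any capture): two fixed "magic" bytes,
# a 1-byte type field with three values, then data that varies per packet.
PAYLOADS = (
    [bytes([0xAB, 0xCD, 0x01, i, (i * 3) % 256, 0x7F]) for i in range(12)]
    + [bytes([0xAB, 0xCD, 0x02, i, 0x10, 0x7F, 0x55]) for i in range(8)]
    + [bytes([0xAB, 0xCD, 0x03, 0x00])]  # short packet: offsets 4+ are absent
)

def offset_stats(payloads, packet_bytes):
    """Counter of byte values per offset over the first packet_bytes bytes."""
    stats = {}
    for p in payloads:
        for off, b in enumerate(p[:packet_bytes]):
            stats.setdefault(off, Counter())[b] += 1
    return stats

def branch_candidates(payloads, variation, packet_bytes=64):
    """'values to separate into branches' hint: offsets present in 100% of
    packets holding 2..variation distinct values (constant offsets are treated
    as signature bytes, not branch points; an assumption of this example).
    Returns (candidates, minimum Variation needed if none were found)."""
    total = len(payloads)
    varying = {off: sorted(c) for off, c in offset_stats(payloads, packet_bytes).items()
               if sum(c.values()) == total and len(c) >= 2}
    cands = {off: v for off, v in varying.items() if len(v) <= variation}
    if cands or not varying:
        return cands, None
    return {}, min(len(v) for v in varying.values())

def build_tree(payloads, decisions, variation, packet_bytes=64):
    """'First Suitable' strategy (assumed): branch on the lowest candidate offset,
    recurse until depth `decisions` is reached or nothing varies within the limit.
    Each node lists the offset->byte constants shared by every packet under it."""
    cands, _ = branch_candidates(payloads, variation, packet_bytes)
    stats = offset_stats(payloads, packet_bytes)
    const = {off: next(iter(c)) for off, c in stats.items()
             if len(c) == 1 and sum(c.values()) == len(payloads)}
    if decisions == 0 or not cands:
        return {"const": const}
    off = min(cands)
    return {"const": const, "offset": off, "branches": {
        val: build_tree([p for p in payloads if p[off] == val],
                        decisions - 1, variation, packet_bytes)
        for val in cands[off]}}
```

With Variation 2 the hint reports that a Variation of 3 is needed, because the type byte at offset 2 takes three values; with Variation 3 the tree branches on offset 2 and each branch becomes a leaf of constants.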

For large files, analysis can take a long time. If no signature is extracted with the default settings, it can be difficult for clients to interpret the hints and adjust the search parameters. Therefore, an experimental method was developed.