Improved flown analyse event:

 * store packet directions
 * merged direction based IATs
 * merged direction based PKTLENs

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

1 files changed, 30 insertions, 20 deletions

diff --git a/test/results/flow-info/emotet.pcap.out b/test/results/flow-info/emotet.pcap.out
index c206017cf..a0958470a 100644
--- a/test/results/flow-info/emotet.pcap.out
+++ b/test/results/flow-info/emotet.pcap.out
@@ -4,23 +4,27 @@
               new: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] 
          detected: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable]
           analyse: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable]
-                   [min|max|avg|stddev]
-                   [IAT(flow)...:    0.000|   3.056|   0.539|   0.774]
-                   [IAT(c->s)...:    0.000|   3.056|   0.696|   0.816][IAT(s->c)...:    0.000|   3.055|   0.439|   0.729]
-                   [PKTLEN(c->s):   54.000| 752.000| 124.000| 181.800][PKTLEN(s->c):   54.000| 214.000|  74.800|  37.700]
+                   [min|max|avg|stddev|variance|entropy]
+                   [IAT.........:     0.000|    3.056|    0.539|    0.774|599161.176|    0.000]
+                   [PKTLEN......:    54.000|  752.000|   94.800|  121.900|14849.500|    4.500]
                    [BINS(c->s)..: 8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+                   [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0]
+                   [IATS........: 749523,749719,1106307,1106777,773,369838,370621,895,325625,326244,506,323,737,841210,842439,907,363,438,3054676,3056402,1628,247201,247778,521,1205120,1205575,420,442964,443628,704,254,0]
+                   [PKTLENS.....: 66,58,54,108,75,54,214,66,54,72,86,54,56,54,72,70,54,56,54,94,91,54,100,87,54,101,60,54,62,93,54,752]
      DAEMON-EVENT: [Processed: 626 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
               new: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] 
          detected: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable]
           analyse: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable]
-                   [min|max|avg|stddev]
-                   [IAT(flow)...:    0.000|   0.204|   0.029|   0.060]
-                   [IAT(c->s)...:    0.000|   0.204|   0.041|   0.068][IAT(s->c)...:    0.000|   0.204|   0.022|   0.054]
-                   [PKTLEN(c->s):   54.000| 500.000|  92.200| 123.000][PKTLEN(s->c):   54.000|1415.000|1279.100| 407.700]
+                   [min|max|avg|stddev|variance|entropy]
+                   [IAT.........:     0.000|    0.204|    0.029|    0.060| 3581.477|    0.000]
+                   [PKTLEN......:    54.000| 1415.000|  834.000|  663.100|439751.800|    4.400]
                    [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0]
+                   [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]
+                   [IATS........: 115764,115896,335,518,204207,77,204389,352,224,565,217,228,441,212,496,705,246,220,470,115050,221,115302,340,251,573,9235,226,9483,474,242,690,0]
+                   [PKTLENS.....: 66,58,54,500,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54]
               end: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable]
      DAEMON-EVENT: [Processed: 834 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0]
@@ -29,12 +33,14 @@
  detection-update: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable]
                    RISK: Binary App Transfer
           analyse: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable]
-                   [min|max|avg|stddev]
-                   [IAT(flow)...:    0.000|   0.261|   0.031|   0.066]
-                   [IAT(c->s)...:    0.000|   0.260|   0.030|   0.065][IAT(s->c)...:    0.000|   0.261|   0.032|   0.067]
-                   [PKTLEN(c->s):   60.000| 279.000|  73.200|  51.500][PKTLEN(s->c):   62.000|1442.000|1350.000| 344.200]
+                   [min|max|avg|stddev|variance|entropy]
+                   [IAT.........:     0.000|    0.261|    0.031|    0.066| 4320.020|    0.000]
+                   [PKTLEN......:    60.000| 1442.000|  671.700|  680.400|462891.900|    4.100]
                    [BINS(c->s)..: 16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
+                   [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0]
+                   [IATS........: 97254,97549,387,260940,260431,3204,3158,9543,9466,6236,69,6255,124,124,128,201,123,50,174,174,40,2646,2680,60630,60713,9884,9822,15114,15099,12868,12932,0]
+                   [PKTLENS.....: 66,62,60,279,1442,60,1442,60,1442,60,1442,1442,60,1442,60,1442,60,1442,60,1442,60,60,1442,60,1442,60,1442,60,1442,60,1442,60]
               end: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable]
      DAEMON-EVENT: [Processed: 1663 pkts][ZLib][compressions: 0|diff: 0 / 0]
      DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0]
@@ -44,12 +50,14 @@
  detection-update: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable]
                    RISK: Binary App Transfer, HTTP Suspicious User-Agent
           analyse: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable]
-                   [min|max|avg|stddev]
-                   [IAT(flow)...:    0.000|   0.292|   0.042|   0.080]
-                   [IAT(c->s)...:    0.000|   0.292|   0.073|   0.105][IAT(s->c)...:    0.000|   0.184|   0.030|   0.062]
-                   [PKTLEN(c->s):   60.000| 206.000|  75.200|  43.600][PKTLEN(s->c):   60.000|1442.000|1264.600| 420.200]
+                   [min|max|avg|stddev|variance|entropy]
+                   [IAT.........:     0.000|    0.292|    0.042|    0.080| 6342.811|    0.000]
+                   [PKTLEN......:    60.000| 1442.000|  892.900|  652.600|425943.000|    4.500]
                    [BINS(c->s)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0]
+                   [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0]
+                   [IATS........: 184236,184528,232,171817,120639,81,116,292217,2662,111,117,90,2892,2739,117,70,3040,164670,68,120,164820,2817,118,71,3042,2918,68,119,165,3158,56,0]
+                   [PKTLENS.....: 66,66,60,206,60,626,1442,1442,60,1442,1442,1442,1114,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,1442,60,60]
               end: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable]
                    RISK: Binary App Transfer
               new: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] 
@@ -58,12 +66,14 @@
  detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe]
                    RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
           analyse: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] 
-                   [min|max|avg|stddev]
-                   [IAT(flow)...:    0.000|   1.263|   0.117|   0.292]
-                   [IAT(c->s)...:    0.000|   1.263|   0.146|   0.340][IAT(s->c)...:    0.000|   1.117|   0.097|   0.253]
-                   [PKTLEN(c->s):   60.000| 534.000| 115.100| 122.800][PKTLEN(s->c):   60.000|1442.000|1147.800| 551.200]
+                   [min|max|avg|stddev|variance|entropy]
+                   [IAT.........:     0.000|    1.263|    0.117|    0.292|85184.340|    0.000]
+                   [PKTLEN......:    60.000| 1442.000|  696.000|  663.200|439900.200|    4.200]
                    [BINS(c->s)..: 11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
                    [BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]
+                   [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1]
+                   [IATS........: 109372,109625,14139,123772,13228,122858,52674,132935,80275,6518,151937,1117119,71,165,1262510,58,2900,71,3072,96890,117,96947,3054,71,165,71,3262,116,2919,118,0,0]
+                   [PKTLENS.....: 66,66,60,203,60,1432,60,147,296,60,534,60,1442,1442,1442,60,60,1442,1442,66,1442,1442,74,1442,1442,1442,1442,74,74,74,1442,1442]
  detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe]
                    RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn
               new: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443]