Architecture

Technical Documentation
https://mistral.pages.oit.duke.edu/mistral-ids-docs/
Code Repository
https://gitlab.oit.duke.edu/mistral
Data Samples
YAF / SiLK flow data
{
"flows":{
"flowStartMilliseconds": "2023-06-01 12:42:10.013",
"flowEndMilliseconds": "2023-06-01 13:12:10.011",
"flowDurationMilliseconds": 1799.998,
"sourceIPv4Address": "10.x.x.x",
"sourceTransportPort": 54918,
"destinationIPv4Address": "10.y.y.y",
"destinationTransportPort": 445,
"protocolIdentifier": 6,
"packetTotalCount": 2995,
"octetTotalCount": 677044,
"flowAttributes": "01",
"reversePacketTotalCount": 1534,
"reverseOctetTotalCount": 760864,
"reverseFlowAttributes": "01",
"initialTCPFlags": "AP",
"unionTCPFlags": "AP",
"reverseInitialTCPFlags": "AP",
"reverseUnionTCPFlags": "AP",
"tcpSequenceNumber": "0xb47a3c95",
"reverseTcpSequenceNumber": "0xd848f4b9",
"flowEndReason": "active"
}
}
Zeek smb_files.log
{
"ts": "2023-02-14T08:47:58.656316Z",
"uid": "CDabcdefg",
"id.orig_h": "10.x.x.x",
"id.orig_p": 55246,
"id.resp_h": "10.y.y.y",
"id.resp_p": 445,
"action": "SMB::FILE_OPEN",
"name": "Data\\",
"size": 4096,
"times.modified": "2023-02-14T05:00:10.798546Z",
"times.accessed": "2023-02-14T05:00:10.798546Z",
"times.created": "2023-02-13T18:03:50.424680Z",
"times.changed": "2023-02-14T05:00:10.798546Z"
}
Zeek http.log
{
"ts": "2023-02-14T07:21:48.465720Z",
"uid": "CVabcdefg",
"id.orig_h": "10.x.x.x",
"id.orig_p": 56343,
"id.resp_h": "23.y.y.y",
"id.resp_p": 80,
"trans_depth": 1,
"method": "GET",
"host": "armmf.adobe.com",
"uri": "/arm-manifests/win/11/upgradeoffered.txt",
"version": "1.1",
"user_agent": "Mozilla/4.0",
"request_body_len": 0,
"response_body_len": 0,
"status_code": 200,
"status_msg": "OK",
"tags": []
}
Zeek dns.log
{
"ts": "2023-02-14T13:59:40.198008Z",
"uid": "CSabcdefg",
"id.orig_h": "10.x.x.x",
"id.orig_p": 50799,
"id.resp_h": "152.3.y.y",
"id.resp_p": 53,
"proto": "udp",
"trans_id": 17580,
"query": "inputs1.x.tld",
"qclass": 1,
"qclass_name": "C_INTERNET",
"qtype": 1,
"qtype_name": "A",
"rcode": 0,
"rcode_name": "NOERROR",
"AA": false,
"TC": false,
"RD": true,
"RA": true,
"Z": 0,
"answers": [
"44.x.x.x",
"34.x.x.x",
"44.x.x.x"
],
"TTLs": [
2202.0,
2202.0,
2202.0
],
"rejected": false
}