activecm · lisaSW · Mar 21, 2022
@@ -40,7 +40,19 @@ func parseConnEntry(parseConn *parsetypes.Conn, filter filter, retVals ParseResu
 	srcDstKey := srcDstPair.MapKey()
 
 	roundedDuration := math.Ceil(parseConn.Duration*10000) / 10000
-	twoWayIPBytes := int64(parseConn.OrigIPBytes + parseConn.RespIPBytes)
+
+	// get bytes passed in both directions
+	// note: use orig_bytes field for tcp only, as it does not include the header
+	// use orig_ip_bytes field for all other protocols as the header+data is the only option
+	var bytesSent, bytesReceived int64
+	if parseConn.Proto == "tcp" {
+		bytesSent = int64(parseConn.OrigBytes)
+		bytesReceived = int64(parseConn.RespBytes)
+	} else {
+		bytesSent = int64(parseConn.OrigIPBytes)
+		bytesReceived = int64(parseConn.RespIPBytes)
+	}
+	twoWayIPBytes := bytesSent + bytesReceived
 
 	var tuple string
 	if parseConn.Service == "" {
@@ -50,7 +62,7 @@ func parseConnEntry(parseConn *parsetypes.Conn, filter filter, retVals ParseResu
 	}
 
 	newUniqueConnection, setUPPSFlag := updateUniqueConnectionsByConn(
-		srcIP, dstIP, srcDstPair, srcDstKey, roundedDuration, twoWayIPBytes, tuple, parseConn, filter, retVals,
+		srcIP, dstIP, srcDstPair, srcDstKey, roundedDuration, bytesSent, bytesReceived, twoWayIPBytes, tuple, parseConn, filter, retVals,
 	)
 
 	updateHostsByConn(
@@ -62,7 +74,7 @@ func parseConnEntry(parseConn *parsetypes.Conn, filter filter, retVals ParseResu
 }
 
 func updateUniqueConnectionsByConn(srcIP, dstIP net.IP, srcDstPair data.UniqueIPPair, srcDstKey string,
-	roundedDuration float64, twoWayIPBytes int64, tuple string,
+	roundedDuration float64, bytesSent int64, bytesReceived int64, twoWayIPBytes int64, tuple string,
 	parseConn *parsetypes.Conn, filter filter, retVals ParseResults) (newEntry bool, setUPPSFlag bool) {
 
 	retVals.UniqueConnLock.Lock()
@@ -131,7 +143,7 @@ func updateUniqueConnectionsByConn(srcIP, dstIP net.IP, srcDstPair data.UniqueIP
 
 	// ///// APPEND IP BYTES TO UNIQUE CONNECTION BYTES LIST /////
 	retVals.UniqueConnMap[srcDstKey].OrigBytesList = append(
-		retVals.UniqueConnMap[srcDstKey].OrigBytesList, parseConn.OrigIPBytes,
+		retVals.UniqueConnMap[srcDstKey].OrigBytesList, bytesSent,
 	)
 
 	// ///// ADD ORIG BYTES AND RESP BYTES TO UNIQUE CONNECTION TOTAL BYTES COUNTER /////

@@ -40,7 +40,19 @@ func parseOpenConnEntry(parseConn *parsetypes.OpenConn, filter filter, retVals P
 	srcDstKey := srcDstPair.MapKey()
 
 	roundedDuration := math.Ceil(parseConn.Duration*10000) / 10000
-	twoWayIPBytes := int64(parseConn.OrigIPBytes + parseConn.RespIPBytes)
+
+	// get bytes passed in both directions
+	// note: use orig_bytes field for tcp only, as it does not include the header
+	// use orig_ip_bytes field for all other protocols as the header+data is the only option
+	var bytesSent, bytesReceived int64
+	if parseConn.Proto == "tcp" {
+		bytesSent = int64(parseConn.OrigBytes)
+		bytesReceived = int64(parseConn.RespBytes)
+	} else {
+		bytesSent = int64(parseConn.OrigIPBytes)
+		bytesReceived = int64(parseConn.RespIPBytes)
+	}
+	twoWayIPBytes := bytesSent + bytesReceived
 
 	var tuple string
 	if parseConn.Service == "" {
@@ -50,7 +62,7 @@ func parseOpenConnEntry(parseConn *parsetypes.OpenConn, filter filter, retVals P
 	}
 
 	newUniqueConnection, setUPPSFlag := updateUniqueConnectionsByOpenConn(
-		srcIP, dstIP, srcDstPair, srcDstKey, roundedDuration, twoWayIPBytes, tuple, parseConn, filter, retVals,
+		srcIP, dstIP, srcDstPair, srcDstKey, roundedDuration, bytesSent, bytesReceived, twoWayIPBytes, tuple, parseConn, filter, retVals,
 	)
 
 	updateHostsByOpenConn(
@@ -63,7 +75,7 @@ func parseOpenConnEntry(parseConn *parsetypes.OpenConn, filter filter, retVals P
 }
 
 func updateUniqueConnectionsByOpenConn(srcIP, dstIP net.IP, srcDstPair data.UniqueIPPair, srcDstKey string,
-	roundedDuration float64, twoWayIPBytes int64, tuple string,
+	roundedDuration float64, bytesSent int64, bytesReceived int64, twoWayIPBytes int64, tuple string,
 	parseConn *parsetypes.OpenConn, filter filter, retVals ParseResults) (newEntry bool, setUPPSFlag bool) {
 
 	retVals.UniqueConnLock.Lock()
@@ -123,7 +135,7 @@ func updateUniqueConnectionsByOpenConn(srcIP, dstIP net.IP, srcDstPair data.Uniq
 			// stored value for bytes...same for OrigBytes
 			retVals.UniqueConnMap[srcDstKey].ConnStateMap[parseConn.UID].Duration = roundedDuration
 			retVals.UniqueConnMap[srcDstKey].ConnStateMap[parseConn.UID].Bytes = twoWayIPBytes
-			retVals.UniqueConnMap[srcDstKey].ConnStateMap[parseConn.UID].OrigBytes = parseConn.OrigBytes
+			retVals.UniqueConnMap[srcDstKey].ConnStateMap[parseConn.UID].OrigBytes = bytesSent
 		}
 	} else {
 		// No entry was present for a connection with this UID. Create a new
@@ -132,7 +144,7 @@ func updateUniqueConnectionsByOpenConn(srcIP, dstIP net.IP, srcDstPair data.Uniq
 			Bytes:     twoWayIPBytes,
 			Duration:  roundedDuration,
 			Open:      true,
-			OrigBytes: parseConn.OrigBytes,
+			OrigBytes: bytesSent,
 			Ts:        parseConn.TimeStamp, //ts is the timestamp at which the connection was detected
 			Tuple:     tuple,
 		}

@@ -29,9 +29,9 @@ type Conn struct {
 	Service string `bson:"service" bro:"service" brotype:"string" json:"service"`
 	// Duration is the floating point representation of connection length
 	Duration float64 `bson:"duration" bro:"duration" brotype:"interval" json:"duration"`
-	// OrigBytes is the byte count coming from the origin
+	// OrigBytes is the byte count coming from the origin (does not include header, accurate for tcp connections only)
 	OrigBytes int64 `bson:"orig_bytes" bro:"orig_bytes" brotype:"count" json:"orig_bytes"`
-	// RespBytes is the byte count coming in on response
+	// RespBytes is the byte count coming in on response (does not include header, accurate for tcp connections only)
 	RespBytes int64 `bson:"resp_bytes" bro:"resp_bytes" brotype:"count" json:"resp_bytes"`
 	// ConnState has data describing the state of a connection
 	ConnState string `bson:"conn_state" bro:"conn_state" brotype:"string" json:"conn_state"`
@@ -45,11 +45,11 @@ type Conn struct {
 	History string `bson:"history"  bro:"history" brotype:"string" json:"history"`
 	// OrigPkts is a count of origin packets
 	OrigPkts int64 `bson:"orig_pkts"  bro:"orig_pkts" brotype:"count" json:"orig_pkts"`
-	// OrigIpBytes is another origin data count
+	// OrigIpBytes is the originator-sent byte count  (includes header, must be used for non-tcp connections)
 	OrigIPBytes int64 `bson:"orig_ip_bytes" bro:"orig_ip_bytes" brotype:"count" json:"orig_ip_bytes"`
 	// RespPkts counts response packets
 	RespPkts int64 `bson:"resp_pkts" bro:"resp_pkts" brotype:"count" json:"resp_pkts"`
-	// RespIpBytes gives the bytecount of response data
+	// RespIPBytes is the response byte count  (includes header, must be used for non-tcp connections)
 	RespIPBytes int64 `bson:"resp_ip_bytes" bro:"resp_ip_bytes" brotype:"count" json:"resp_ip_bytes"`
 	// TunnelParents lists tunnel parents
 	TunnelParents []string `bson:"tunnel_parents" bro:"tunnel_parents" brotype:"set[string]" json:"tunnel_parents"`

@@ -29,9 +29,9 @@ type OpenConn struct {
 	Service string `bson:"service" bro:"service" brotype:"string" json:"service"`
 	// Duration is the floating point representation of connection length
 	Duration float64 `bson:"duration" bro:"duration" brotype:"interval" json:"duration"`
-	// OrigBytes is the byte count coming from the origin
+	// OrigBytes is the byte count coming from the origin (does not include header, accurate for tcp connections only)
 	OrigBytes int64 `bson:"orig_bytes" bro:"orig_bytes" brotype:"count" json:"orig_bytes"`
-	// RespBytes is the byte count coming in on response
+	// RespBytes is the byte count coming in on response (does not include header, accurate for tcp connections only)
 	RespBytes int64 `bson:"resp_bytes" bro:"resp_bytes" brotype:"count" json:"resp_bytes"`
 	// ConnState has data describing the state of a connection
 	ConnState string `bson:"conn_state" bro:"conn_state" brotype:"string" json:"conn_state"`
@@ -45,11 +45,11 @@ type OpenConn struct {
 	History string `bson:"history"  bro:"history" brotype:"string" json:"history"`
 	// OrigPkts is a count of origin packets
 	OrigPkts int64 `bson:"orig_pkts"  bro:"orig_pkts" brotype:"count" json:"orig_pkts"`
-	// OrigIpBytes is another origin data count
+	// OrigIpBytes is the originator-sent byte count  (includes header, must be used for non-tcp connections)
 	OrigIPBytes int64 `bson:"orig_ip_bytes" bro:"orig_ip_bytes" brotype:"count" json:"orig_ip_bytes"`
 	// RespPkts counts response packets
 	RespPkts int64 `bson:"resp_pkts" bro:"resp_pkts" brotype:"count" json:"resp_pkts"`
-	// RespIpBytes gives the bytecount of response data
+	// RespIPBytes is the response byte count  (includes header, must be used for non-tcp connections)
 	RespIPBytes int64 `bson:"resp_ip_bytes" bro:"resp_ip_bytes" brotype:"count" json:"resp_ip_bytes"`
 	// TunnelParents lists tunnel parents
 	TunnelParents []string `bson:"tunnel_parents" bro:"tunnel_parents" brotype:"set[string]" json:"tunnel_parents"`