Input of a CSV or XML File Containing Abstract Botnet Communication
Dustin Born edited this page 6 years ago

Introduction

As part of this program, one needs to input a CSV or XML file that contains abstract Botnet communication that is to be injected into the input PCAP. From this abstract communication file an interval is chosen that fits into the input PCAP. After transforming this interval into actual communication, the created packets are injected into the input PCAP. The transformation has several stages that are explained further in this Wiki.

Format of Input CSV File Containing Abstract Botnet Communication

The required format for the input CSV file is best shown by an example of 5 abstract packets:

Src: 10, Dst: 140, Type: 103, Time: 1000.1
Src: 10, Dst: 42, Type: 103, Time: 1000.15
Src: 42, Dst: 10, Type: 104, Time: 1000.19
Src: 10, Dst: 42, Type: 101, Time: 1001.4
Src: 42, Dst: 10, Type: 102, Time: 1001.9

Requirements
  • Values may contain nothing but digits (and a decimal point); no other symbols are allowed.
  • The only permitted keys are Src, Dst, Type and Time, and they have to appear in exactly this order.
  • Timestamps have to be ascending, i.e. the abstract communication has to be in chronological order.
  • IDs have to be positive.
  • Type has to be 3, 101, 102, 103 or 104.
  • For every message of type 102 there has to be a prior message of type 101 between the same two IDs, i.e. the request goes from Src to Dst and the reply travels back from Dst to Src (as in the example above).
  • For every message of type 104 there has to be a prior message of type 103 between the same two IDs, again with the reply travelling in the reverse direction of the request.

Format of Input XML File Containing Abstract Botnet Communication

The required format for the input XML file is best shown by an example of 5 abstract packets:

<trace name="example">
    <packet Src="53" Dst="285" Type="103" Time="3712.30121813772" LineNumber="1" />
    <packet Src="53" Dst="32" Type="103" Time="3712.30121813772" LineNumber="2" />
    <packet Src="53" Dst="175" Type="103" Time="3712.30121813772" LineNumber="3" />
    <packet Src="53" Dst="239" Type="103" Time="3712.30121813772" LineNumber="4" />
    <packet Src="285" Dst="53" Type="3" Time="3712.40121813772" LineNumber="5" />
</trace>

Requirements
  • The requirements listed for the CSV format also apply here, with LineNumber as an additional (optional) attribute.
  • All packets/messages have to be direct children of the root node, i.e. on the second hierarchy level.
  • All packets/messages have to be specified as self-closing tags named packet.
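The following validator is an added example, not part of this Wiki or of the tool's own code: it parses both input formats described above into a common list of packets and checks every requirement (key order, numeric values, positive IDs, allowed types, ascending timestamps and the 101/102 and 103/104 request-reply pairing) before such a file is handed to the injection step. The regular expressions and error messages are my own choices; only the two file layouts and the rules come from this page.

```python
import re
import xml.etree.ElementTree as ET

VALID_TYPES = {3, 101, 102, 103, 104}
REPLY_OF = {102: 101, 104: 103}  # reply type -> request type that must precede it
# One CSV line as shown on this page: "Src: 10, Dst: 140, Type: 103, Time: 1000.1"
CSV_LINE = re.compile(r"^Src:\s*(-?\d+),\s*Dst:\s*(-?\d+),\s*Type:\s*(\d+),\s*Time:\s*(\d+(?:\.\d+)?)$")
XML_VALUE = {"Src": r"-?\d+", "Dst": r"-?\d+", "Type": r"\d+", "Time": r"\d+(?:\.\d+)?"}

def parse_csv(text):
    """Return (src, dst, type, time) tuples; reject lines with other keys, key order or symbols."""
    packets = []
    for n, line in enumerate(text.strip().splitlines(), start=1):
        m = CSV_LINE.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: expected 'Src: n, Dst: n, Type: n, Time: n' with numeric values")
        src, dst, typ, time = m.groups()
        packets.append((int(src), int(dst), int(typ), float(time)))
    return packets

def parse_xml(text):
    """Return the same tuples from <trace><packet .../></trace>; packets must be direct children."""
    packets = []
    for child in ET.fromstring(text):
        if child.tag != "packet" or len(child) != 0:  # no nested elements, i.e. self-closing
            raise ValueError("every child of the root must be a self-closing <packet/> element")
        values = [child.get(k) for k in XML_VALUE]
        if any(v is None or not re.fullmatch(XML_VALUE[k], v) for k, v in zip(XML_VALUE, values)):
            raise ValueError(f"<packet/> needs numeric Src, Dst, Type, Time attributes, got {dict(child.attrib)}")
        src, dst, typ, time = values
        packets.append((int(src), int(dst), int(typ), float(time)))
    return packets

def validate(packets):
    """Return the list of requirement violations; an empty list means the trace is valid."""
    errors, seen, last_time = [], set(), float("-inf")
    for n, (src, dst, typ, time) in enumerate(packets, start=1):
        if src <= 0 or dst <= 0:
            errors.append(f"packet {n}: IDs have to be positive")
        if typ not in VALID_TYPES:
            errors.append(f"packet {n}: Type {typ} is not one of {sorted(VALID_TYPES)}")
        if time < last_time:
            errors.append(f"packet {n}: timestamps have to be ascending")
        last_time = max(last_time, time)
        # a reply (102/104) must answer an earlier request (101/103) sent from dst to src
        if typ in REPLY_OF and (dst, src, REPLY_OF[typ]) not in seen:
            errors.append(f"packet {n}: type {typ} without prior type {REPLY_OF[typ]} from {dst} to {src}")
        seen.add((src, dst, typ))
    return errors
```

Running validate(parse_csv(...)) on the five-line CSV example above returns an empty list; a file with an unanswered reply or a non-monotonic timestamp yields one message per violated requirement.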

Description of Keys/Attributes

  • Src : The ID of the bot sending the abstract message.
  • Dst : The ID of the bot receiving the abstract message.
  • Type : The type of the abstract message (further details below).
  • Time : The timestamp of when the message was logged.
  • LineNumber : The line number this message appeared at in the CSV file. Line numbers start at 1.

Description of Message Types

There are 5 message types that are based on simple (Botnet) Membership Management Communication.

  • 3 : This message type symbolizes a TIMEOUT, which means the message could not be logged because no message was seen within a timeout interval.
  • 101 : This message symbolizes a SALITY_NL_REQUEST. This message serves as a request for the addressed bot's Neighborlist, which contains all other bots the addressed bot knows about.
  • 102 : This message symbolizes a SALITY_NL_REPLY, which serves as a reply to a previously sent SALITY_NL_REQUEST and contains the sender bot's Neighborlist.
  • 103 : This message symbolizes a SALITY_HELLO, which serves as a kind of heartbeat message. It is (almost) analogous to a ping request message (i.e. ICMP Echo Request).
  • 104 : This message symbolizes a SALITY_HELLO_REPLY, which serves as a reply to a previously sent SALITY_HELLO. It is (almost) analogous to a ping reply message (i.e. ICMP Echo Reply).