README four-hours
-----------

These directories and files provide an initial four hours of training data
for the 1998 DARPA Intrusion Detection Evaluation. The purpose of these four
hours is to provide some initial data to DARPA researchers to make sure the
data can be read correctly and that sufficient information is provided for
the evaluation. We are currently generating the first week of data and will
deliver that shortly. These four hours are not the first four hours of the
planned month of training data. The data is similar to data that will be
included in the first week of training data, but not identical.

Please read all the files in the /doc directory.

Contents of the gzipped tar file of documentation: fourhour.tar.gz
--------------------------

doc/
    network.ps.gz  - picture of the network including ip addresses and
                     names of major gateways, victim machines, router,
                     and sniffer
    host.memo      - list of inside and outside host names, ip addresses
                     and system types
    README.formats - description of file formats
    README.bsm     - description of how bsm was run on the host named pascal
    README.pascal  - description of where to find out about the rest of
                     pascal's configuration

bin/
    run_sniffer    - shell script used to start sniffing on solomon
    run_psmonitor  - shell script to run ps periodically on pascal and
                     store output in psmonitor log file
    run_dump       - shell script used to create system dump of Solaris
                     from pascal

config/
    contains the bsm configuration files and starting scripts from the
    simulation (see the files README.bsm and README.pascal for a
    description of these files)

data/bsm.list
    the list file for the bsm data. The format is described in
    "README.formats"

data/tcpdump.list
    the list file for the tcpdump data as described in "README.formats"

data/ps_monitor.log.gz
    the output of running the ps command on pascal periodically

Other files to download from the web page
-----------------------------------------

tcpdump.data.gz    The tcpdump data
pascal.bsm.gz      The BSM data from pascal
pascal.praudit.gz  ASCII version of pascal's BSM audit data obtained by
                   passing pascal.bsm through praudit

four pascal file system dumps:
    root.dump.gz
    usr.dump.gz
    opt.dump.gz
    home.dump.gz

(last updated June 10, 1998)