DARPA Intrusion Detection Evaluation
1999 Training Data - Week 5
The simulation network normally collected data twenty-two hours a day. The tcpslice program was used to examine the outside tcpdump data files and the actual times of the first and last packet were extracted. These times are shown below.
| First Packet Time | Last Packet Time | |||||||||
| Mon | Apr 5 | 08:00:02 | Tue | Apr 6 | 05:59:56 | |||||
| Tue | Apr 6 | 08:00:00 | Wed | Apr 7 | 05:59:58 | |||||
| Wed | Apr 7 | 08:00:00 | Thu | Apr 8 | 05:59:52 | |||||
| Thu | Apr 8 | 08:00:00 | Fri | Apr 9 | 05:59:53 | |||||
| Fri | Apr 9 | 08:00:04 | Sat | Apr 10 | 05:59:58 | |||||
Monday
| outside tcpdump data | 122,874 Kb | gzipped |
| inside tcpdump data | 146,149 Kb | gzipped |
| Solaris BSM audit data | 6,932 Kb | gzipped |
| NT audit data | 913 Kb | tarred & gzipped |
| NT audit data | 12,259 Kb | tarred & gzipped |
| Selected directory dumps | 3,610 Kb | tarred & gzipped |
| File system listing & inode record | 8,960 Kb | tarred & gzipped |
Tuesday
| outside tcpdump data | 180,384 Kb | gzipped |
| inside tcpdump data | 198,800 Kb | gzipped |
| Solaris BSM audit data | 11,272 Kb | gzipped |
| NT audit data | 504 Kb | tarred & gzipped |
| Selected directory dumps | 3,645 Kb | tarred & gzipped |
| File system listing & inode record | 7,507 Kb | tarred & gzipped |
Wednesday
| outside tcpdump data | 169,831 Kb | gzipped |
| inside tcpdump data | 195,966 Kb | gzipped |
| Solaris BSM audit data | 3,271 Kb | gzipped |
| NT audit data | 11,322 Kb | tarred & gzipped |
| Selected directory dumps | 3,677 Kb | tarred & gzipped |
| File system listing & inode record | 7,715 Kb | tarred & gzipped |
Thursday
| outside tcpdump data | 295,227 Kb | gzipped |
| inside tcpdump data | 323,373 Kb | gzipped |
| Solaris BSM audit data | 3,675 Kb | gzipped |
| NT audit data | 1,108 Kb | tarred & gzipped |
| Selected directory dumps | 3,685 Kb | tarred & gzipped |
| File system listing & inode record | 7,779 Kb | tarred & gzipped |
Friday
| outside tcpdump data | 459,857 Kb | gzipped |
| inside tcpdump data | 483,364 Kb | gzipped |
| Solaris BSM audit data | 7,886 | gzipped |
| NT audit data (misconfigured) | 1,541 Kb | tarred & gzipped |
| Selected directory dumps | 3,700 Kb | tarred & gzipped |
| File system listing & inode record | 7,779 Kb | tarred & gzipped |
Errata.
Some days have multiple pascal.bsm files, labeled "pascal_1.bsm", "pascal_2.bsm", etc..
The pascal.bsm.tar.gz file for Thursday, April 8th, includes two duplicate files. The smaller 2 (200-300k) are not necessary - for Thursday's bsm data use the 50Meg file, pascal_3.bsm. We will redo the tar soon, so as to exclude the excess information.
The Hume filesystem listing for this Friday April 9th, was collected after the fact, by restoring hume from a full backup (taken just after the Friday run completed), and collecting the listing. Changes/edits after the end of the Friday run should be ignored for the evaluation.
In addition, auditting for Hume was misconfigured so the audit logs do not contain useful information for Friday.
top of page