This tool is designed for robust and efficient feature extraction in network intrusion detection systems. Leveraging Rust language and eBPF, it excels in processing high volumes of network traffic with remarkable speed and throughput. (When your traffic is already captured, don't worry! It also has a build in pcap reader.) With various pre-defined feature sets and the ability to create custom feature sets, RustiFlow offers a versatile solution for network security applications.
- High Throughput: Utilizes Rust and the Aya library for eBPF program compilation and execution, ensuring exceptional performance and resource efficiency.
- Versatile Feature Sets: Offers a variety of pre-defined feature sets (flows) and the flexibility to create custom feature sets tailored to specific requirements.
- Pcap File Support: Facilitates packet analysis from pcap files, compatible with both Linux and Windows generated files.
- Diverse Output Options: Features can be outputted to the console, a CSV file, or other formats with minimal effort.
See the wiki for the different feature sets available.
Copy the rustiflow binary that you can find in this repo in releases to a location of your choice or to the /usr/local/bin
folder.
If it does not have the right permissions, you can run the following command:
chmod +x /path/to/rustiflow
You can then run the binary with the following commands:
See the help menu for the different options available.
RUST_LOG=info rustiflow pcap basic-flow 60 /path/to/pcap.pcap print
sudo RUST_LOG=info rustiflow realtime enp5s0 cic-flow 60 csv /path/to/output.csv
Make sure that you don't use docker desktop and that you don't have it installed on your machine. If you have this setup, it will not work as intended as the --network host
will not link the container to the host network, but to the network of a VM that docker desktop uses.
- Build the Container:
docker build -t rustiflow .
- Run the Container:
Run it with the --privileged flag if you want to capture traffic in real-time.
docker run --network host -v /path/on/host:/app rustiflow [ARGS like you are used to]
- Example:
docker run --network host -v /home/user/pcap:/app rustiflow pcap basic-flow 60 /app/pcap.pcap print docker run --privileged --network host -v /home/matisse/Documents:/app rustiflow realtime enp5s0 cic-flow 60 csv /app/output.csv
- libpcap-dev:
sudo apt install libpcap-dev
- Rust Installation:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
- Nightly Rust Toolchain:
rustup install stable rustup toolchain install nightly --component rust-src
- For Linux x86_64:
cargo install bpf-linker
- For MacOS/Linux (Other Architectures):
brew install llvm cargo install --no-default-features bpf-linker
- Ubuntu 20.04 LTS Specific:
sudo apt install linux-tools-5.8.0-63-generic export PATH=/usr/lib/linux-tools/5.8.0-63-generic:$PATH
- eBPF Programs:
cargo xtask ebpf-ipv4 cargo xtask ebpf-ipv6
- User Space Programs:
cargo build
- Command Help:
RUST_LOG=info cargo xtask run -- realtime --help
Real-time feature extraction Usage: rustiflow realtime [OPTIONS] <INTERFACE> <FLOW_TYPE> <LIFESPAN> <METHOD> [EXPORT_PATH] Arguments: <INTERFACE> The network interface to capture packets from <FLOW_TYPE> Possible values: - basic-flow: A basic flow that stores the basic features of a flow - cic-flow: Represents the CIC Flow, giving 83 features - cidds-flow: Represents the CIDDS Flow, giving 10 features - nf-flow: Represents a nfstream inspired flow, giving 69 features - ntl-flow: Represents the NTL Flow, giving 120 features - custom-flow: Represents a flow that you can implement yourself <LIFESPAN> The maximum lifespan of a flow in seconds <METHOD> Output method Possible values: - print: The output will be printed to the console - csv: The output will be written to a CSV file [EXPORT_PATH] File path for output (used if method is Csv) Options: -n, --no-contaminant-features Whether not to include contaminant features -o, --only-ingress Only ingress traffic will be captured --interval <INTERVAL> The print interval for open flows in seconds, needs to be smaller than the flow maximum lifespan -h, --help Print help (see a summary with '-h')
- Command Help:
RUST_LOG=info cargo xtask run -- pcap --help
Feature extraction from a pcap file Usage: rustiflow pcap [OPTIONS] <FLOW_TYPE> <LIFESPAN> <PATH> <METHOD> [EXPORT_PATH] Arguments: <FLOW_TYPE> Possible values: - basic-flow: A basic flow that stores the basic features of a flow - cic-flow: Represents the CIC Flow, giving 83 features - cidds-flow: Represents the CIDDS Flow, giving 10 features - nf-flow: Represents a nfstream inspired flow, giving 69 features - ntl-flow: Represents the NTL Flow, giving 120 features - custom-flow: Represents a flow that you can implement yourself <LIFESPAN> The maximum lifespan of a flow in seconds <PATH> The relative path to the pcap file <METHOD> Output method Possible values: - print: The output will be printed to the console - csv: The output will be written to a CSV file [EXPORT_PATH] File path for output (used if method is Csv) Options: -n, --no-contaminant-features Whether not to include contaminant features -h, --help Print help (see a summary with '-h')
Note: For specific logging levels, adjust RUST_LOG
to error
for error messages, and debug
for debug messages. If you don't want any additional logs, just remove RUST_LOG=info
.