tudelft-cda-lab/SAGE

Why is there an error in the input script according to the sample-input.json you gave.

jiangdie666 opened this issue · 14 comments

First, the example file only has 4 alerts, so it will not create any attack graph. This file is meant to give an idea of the required alert format.

Second, the error you get is because SAGE cannot find one of the files created by Flexfringe. Can you post what files have been created by Flexfringe? They should have the extension .dot and .json.

Figure 1 shows my overall folder structure, with the 1 folder holding sample-input.json.

Figure 2 shows the internal structure of the FlexFringe folder created as per the requirements of the trick; all folders are copied and pasted from within FlexFringe, and flexfringe is the compiled program.

Figure 3 is the output of sage.py inside the output, all without any changes.

That looks okay, and it seems that SAGE is able to find the Flexfringe executable.

However, even before flexfringe runs, SAGE creates several output files, e.g., the histogram file (png), and a trace file (.txt) for flexfringe to learn from. I don't see them in your screenshots...

This is what I get after executing the first screenshot that reports an error.

Okay, that means SAGE works until the creation of the trace file, first.txt in your case. Can you show me what is contained in first.txt?

My suspicion is that because there were only 4 alerts, there is insufficient data to learn anything by flexfringe, and hence it crashes.

first is the name of the {experiment_name} that I edited from your code.

Yep, exactly. There are no traces to learn from. I suggest to download the alerts from one of the CPTC-2018 teams from: https://mirror.rit.edu/cptc/2018/t5/events/. Download file suricata_alert.json.gz, unzip it. It should contain a .json file with alerts triggered by Team 5 of the CPTC-2018 competition. Then, you either need to convert the .json file into a list of json objects, or you can replace lines 1346-1348 of sage.py to:

import json  # sage.py already imports json; shown here so the snippet runs on its own

unparsed_file = []
with open(fname, 'r') as f:
    for line in f:  # one JSON object per line (newline-delimited JSON)
        unparsed_file.append(json.loads(line))

Then, everything should work.
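The two input layouts mentioned above (a single JSON array, or one JSON object per line as in the Suricata dump) can be handled by one loader. This is an added example, not code from SAGE or from the thread; the alert records and IP addresses are constructed, and the field names only mirror the usual Suricata eve keys.

```python
import json

# Constructed sample: three Suricata-style alerts in newline-delimited JSON
# form, the layout of the suricata_alert.json dump discussed above.
SAMPLE_JSONL = "\n".join([
    '{"timestamp": "2018-11-03T10:01:02.000000+0000", "src_ip": "10.0.0.5", '
    '"dest_ip": "10.0.0.9", "alert": {"signature": "ET SCAN Nmap Scripting Engine"}}',
    '{"timestamp": "2018-11-03T10:01:05.000000+0000", "src_ip": "10.0.0.5", '
    '"dest_ip": "10.0.0.9", "alert": {"signature": "ET POLICY SSH session in progress"}}',
    '{"timestamp": "2018-11-03T10:02:00.000000+0000", "src_ip": "10.0.0.7", '
    '"dest_ip": "10.0.0.9", "alert": {"signature": "ET WEB_SERVER Possible SQLi"}}',
])


def load_alerts(text):
    """Return a list of alert dicts from either a JSON array or JSON lines.

    A file starting with '[' is parsed as one array (the list-of-objects
    layout SAGE expects by default); anything else is parsed line by line.
    A non-object entry or an unparsable line raises ValueError with its
    position, which is easier to act on than a bare JSONDecodeError.
    """
    stripped = text.strip()
    if not stripped:
        return []
    if stripped.startswith("["):
        data = json.loads(stripped)
        for i, item in enumerate(data):
            if not isinstance(item, dict):
                raise ValueError(f"array element {i} is not a JSON object")
        return data
    alerts = []
    for lineno, line in enumerate(stripped.splitlines(), 1):
        line = line.strip()
        if not line:  # tolerate blank lines between records
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: {exc.msg}") from exc
        if not isinstance(obj, dict):
            raise ValueError(f"line {lineno}: not a JSON object")
        alerts.append(obj)
    return alerts


def load_alert_file(path):
    """Read a .json alert file from disk in either layout."""
    with open(path, "r", encoding="utf-8") as f:
        return load_alerts(f.read())
```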

Is this how the data format is handled?

Yes, this new code snippet parses each line of the .json file, which is a json object. Then all the parsed json objects are appended in the unparsed_file list.

Does it work? If not, then I'll push some changes to the code.

This is the result of his output.
I think it's possible that I didn't handle the data format properly here.

Okay, nevermind. I just tried it out. You don't need any changes to the code after all.

Just pull a fresh copy of SAGE, update paths to flexfringe.exe (that you can now directly download from https://github.com/tudelft-cda-lab/FlexFringe/releases) and the .ini file (from https://github.com/tudelft-cda-lab/SAGE/blob/docker/spdfa-config.ini).

Then run on the T5 alerts you downloaded using this command: python sage.py alerts/ first 1.0 150 (where alerts/ contains your .json file)

Let me know if it works for you.

After downloading the release version of flexfringe, I chose to operate on Windows. Is the output below correct?
In sage.py, the rm delete operation is executed at the end, but rm cannot be executed on Windows, so this kind of error report is not important, right?

Yes, correct! The first.txt.png file shows you the learnt s-pdfa model. The folder firstAGs/ has all the extracted attack graphs, each in a .dot, .png, and .svg format.

The 'rm' error is not important.

Thank you very much for your patience and guidance, and for bearing with me for so long on this little problem. 😊