introduction
play

Introduction About Flow Unix Beginning Analysis Basic SiLK Tools - PowerPoint PPT Presentation

Jan 27, 2023 •379 likes •1.8k views

Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and Sorting Tools Counting Tools Other Tools Advanced Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced

  1. What Is This #4 Introduction About Flow Unix Beginning Analysis Basic SiLK Tools sIP| dIP|sPort|dPort|pkts|flags| sTime| rwfilter 72.24.129.20|82.80.30.150| 80| 1220| 152| S PA|00:00:23.602| Printing and Sorting Tools 82.80.30.150|72.24.129.20| 1220| 80| 90| SRPA|00:00:23.602| Counting Tools 72.24.129.20|82.80.30.150| 80| 1221|1126| S PA|00:00:23.710| Other Tools 82.80.30.150|72.24.129.20| 1221| 80| 413| SRPA|00:00:23.710| Advanced 72.24.129.20|82.80.30.150| 80| 1223| 63| S PA|00:00:26.341| Sets Bags 82.80.30.150|72.24.129.20| 1223| 80| 39| S PA|00:00:26.341| Prefix Maps 72.24.129.20|82.80.30.150| 80| 1224| 8| S PA|00:00:26.883| Unix Scripting 82.80.30.150|72.24.129.20| 1224| 80| 7| SRPA|00:00:26.883| 82.80.30.150|72.24.129.20| 1223| 80| 1| R A|00:01:33.068| Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 15

  2. It’s all a matter of timing Introduction About Flow The flow buffer has to be kept manageable Unix Beginning Analysis Inactivity timeout: Basic SiLK Tools ◮ If there’s no activity within [30] seconds, flush the rwfilter Printing and Sorting flow Tools Counting Tools Other Tools Active timeout: Advanced ◮ Flush all flows open for [30] minutes Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 16

  3. What Is This #5 Introduction About sIP| dIP|sPort|dPort|pro|Pkt|byte| sTime| dur| Flow Unix 8.97.138.194|72.24.145.68| 500| 500| 17| 1| 112|00:02:31| 0.000| Beginning Analysis 72.24.145.68|8.97.138.194| 500| 500| 17| 1| 112|00:02:31| 0.000| Basic SiLK Tools 8.97.138.194|72.24.145.68| 500| 500| 17| 2| 224|00:13:53|40.498| rwfilter 72.24.145.68|8.97.138.194| 500| 500| 17| 2| 224|00:13:53|40.498| Printing and Sorting Tools 8.97.138.194|72.24.145.68| 500| 500| 17| 2| 224|00:25:10|45.582| Counting Tools 72.24.145.68|8.97.138.194| 500| 500| 17| 2| 224|00:25:10|45.582| Other Tools 8.97.138.194|72.24.145.68| 500| 500| 17| 1| 112|00:36:03| 0.000| Advanced 72.24.145.68|8.97.138.194| 500| 500| 17| 1| 112|00:36:03| 0.000| Sets Bags 8.97.138.194|72.24.145.68| 500| 500| 17| 1| 112|00:43:19| 0.000| Prefix Maps 72.24.145.68|8.97.138.194| 500| 500| 17| 1| 112|00:43:19| 0.000| Unix Scripting 8.97.138.194|72.24.145.68| 500| 500| 17| 3| 336|00:47:30|46.088| Visualization 72.24.145.68|8.97.138.194| 500| 500| 17| 3| 336|00:47:30|46.088| Basic Graphs 72.24.145.68|8.97.138.194| 500| 500| 17| 1| 112|00:53:32| 0.000| Excel 8.97.138.194|72.24.145.68| 500| 500| 17| 1| 112|00:53:32| 0.000| Gnuplot Advanced Graphs 72.24.145.68|8.97.138.194| 500| 500| 17| 2| 208|00:58:42| 0.000| 8.97.138.194|72.24.145.68| 500| 500| 17| 20|2232|00:58:49|90.095| Conclusion The Community Page 17

  4. What Is This #6 Introduction About sIP| dIP|sPort|dPort| pkts|flg| sTime| dur| Flow 72.24.147.6|58.210.70.72|35282| 22|29640|PA |00:00:11.361|1800.63| Unix Beginning Analysis 58.210.70.72| 72.24.147.6| 22|35282|29633|PA |00:00:11.911|1800.08| Basic SiLK Tools 72.24.147.6|58.210.70.72|35282| 22|30824|PA |00:26:23.092|1800.82| rwfilter 58.210.70.72| 72.24.147.6| 22|35282|30825|PA |00:26:23.092|1800.82| Printing and Sorting 72.24.147.6|58.210.70.72|35282| 22|29346|PA |00:56:24.020|1800.90| Tools Counting Tools 58.210.70.72| 72.24.147.6| 22|35282|29347|PA |00:56:24.020|1800.90| Other Tools 72.24.147.6|58.210.70.72|35282| 22|31107|PA |01:00:10.783|1800.20| Advanced 58.210.70.72| 72.24.147.6| 22|35282|31113|PA |01:00:11.301|1800.68| Sets 72.24.147.6|58.210.70.72|35282| 22|29227|PA |01:26:25.036|1800.95| Bags Prefix Maps 58.210.70.72| 72.24.147.6| 22|35282|29228|PA |01:26:25.036|1800.95| Unix Scripting 72.24.147.6|58.210.70.72|35282| 22|30880|PA |01:56:26.096|1800.82| 58.210.70.72| 72.24.147.6| 22|35282|30878|PA |01:56:26.096|1800.82| Visualization 72.24.147.6|58.210.70.72|35282| 22|30302|PA |02:00:11.301|1800.65| Basic Graphs Excel 58.210.70.72| 72.24.147.6| 22|35282|30287|PA |02:00:11.843|1800.10| Gnuplot 72.24.147.6|58.210.70.72|35282| 22|31998|PA |02:26:27.028|1800.90| Advanced Graphs 58.210.70.72| 72.24.147.6| 22|35282|31999|PA |02:26:27.028|1800.90| Conclusion 72.24.147.6|58.210.70.72|35282| 22|32764|PA |02:56:28.040|1800.88| The Community Page 18

  5. What Is This #7 sIP| dIP|sPort|dPort|pkt|flags| sTime| dur| Introduction 72.24.144.17|10.25.235.38|40395| 80| 45| S PA|1:59:34.81|1759.18| About 10.25.235.38|72.24.144.17| 80|40395| 44| S PA|1:59:34.81|1759.07| Flow Unix 10.25.235.38|72.24.144.17| 80|40395| 40| PA|2:29:39.82|1797.62| Beginning Analysis 72.24.144.17|10.25.235.38|40395| 80| 40| A|2:29:39.93|1797.51| Basic SiLK Tools 10.25.235.38|72.24.144.17| 80|40395| 40| PA|3:00:23.46|1800.17| rwfilter 72.24.144.17|10.25.235.38|40395| 80| 40| A|3:00:23.57|1800.17| Printing and Sorting Tools 10.25.235.38|72.24.144.17| 80|40395| 40| PA|3:31:09.83|1797.52| Counting Tools 72.24.144.17|10.25.235.38|40395| 80| 40| A|3:31:09.93|1797.52| Other Tools 10.25.235.38|72.24.144.17| 80|40395| 40| PA|4:01:53.42|1797.72| Advanced 72.24.144.17|10.25.235.38|40395| 80| 40| A|4:01:53.51|1797.64| Sets Bags 10.25.235.38|72.24.144.17| 80|40395| 35| RPA|4:32:37.18|1560.50| Prefix Maps 72.24.144.17|10.25.235.38|40395| 80| 34| A|4:32:37.29|1520.89| Unix Scripting 72.24.144.17|37.52.53.241|40395| 80| 13|FS PA|5:18:41.57| 0.48| 37.52.53.241|72.24.144.17| 80|40395| 18|FS PA|5:18:41.63| 0.43| Visualization Basic Graphs 72.24.144.17|42.15.190.19|40395| 80| 9|FS PA|8:21:01.15| 4.14| Excel 42.15.190.19|72.24.144.17| 80|40395| 6|FS PA|8:21:01.15| 4.14| Gnuplot 42.15.190.19|72.24.144.17| 80|40395| 1| A|8:21:05.29| 0.00| Advanced Graphs 72.24.144.17|10.46.227.72|40395| 80| 7|FS PA|9:21:24.36| 0.22| Conclusion 10.46.227.72|72.24.144.17| 80|40395| 6|FS PA|9:21:24.47| 0.22| The Community 72.24.144.17|18.113.57.14|40395| 80| 6|FS PA|9:39:43.67| 0.11| 18.113.57.14|72.24.144.17| 80|40395| 4|FS PA|9:39:43.67| 0.21| Page 19

  6. Where do I collect flows? Flow is often collected at the Introduction About border Flow Unix ◮ Watch internal and Beginning Analysis Basic SiLK Tools external rwfilter communications Printing and Sorting Tools Counting Tools ◮ Identify services on your Other Tools Advanced network Sets Bags ◮ Identify resources your Prefix Maps machines use regularly Unix Scripting Visualization Most routers can generate Basic Graphs Excel flows Gnuplot Advanced Graphs Conclusion The Community Page 20

  7. Flow vs. IDS Introduction About Flow Unix IDS Beginning Analysis Basic SiLK Tools + Content inspection rwfilter Printing and Sorting - Presents an interpretation of raw data Tools Counting Tools Other Tools - Tuning means discarding false positive data Advanced Flow Sets Bags Prefix Maps - No content available Unix Scripting + Gives direct observations Visualization Basic Graphs + No tuning, keep everything Excel Gnuplot Advanced Graphs Conclusion The Community Page 21

  8. Flow vs. Firewall Introduction About Flow Unix Firewalls Beginning Analysis Basic SiLK Tools + Block unwanted traffic rwfilter Printing and Sorting Tools - Not intended as a historial record; logging is Counting Tools Other Tools secondary Advanced Flow Sets Bags Prefix Maps - Completely passive Unix Scripting + Logging is primary Visualization Basic Graphs + Audits the firewall Excel Gnuplot Advanced Graphs Conclusion The Community Page 22

  9. Got a question? Flow can help. Introduction About Flow ◮ What’s on my network? Unix Beginning Analysis ◮ What happened before the event? Basic SiLK Tools rwfilter ◮ Where are policy violations occurring? Printing and Sorting Tools Counting Tools ◮ What are the most popular web sites? Other Tools Advanced ◮ How much volume would be reduced with a blacklist? Sets Bags ◮ Do my users browse to known infected web servers? Prefix Maps Unix Scripting ◮ Do I have a spammer on my network? Visualization ◮ When did my web server stop responding to queries? Basic Graphs Excel Gnuplot ◮ Who uses my public DNS server? Advanced Graphs Conclusion The Community Page 23

  10. About ssh Introduction About ◮ ssh creates a secured connection between your Flow Unix computer and the ssh server Beginning Analysis Basic SiLK Tools ◮ ssh is your primary tool for moving things between rwfilter Printing and Sorting you and your analysis server Tools Counting Tools Other Tools Advanced Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 24

  11. Try It #1! Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Login Printing and Sorting Tools Check for access to data ( ls /data ) Counting Tools Other Tools Type “ which rwfilter ” Advanced Sets Type “ rwfilter --help | more ” Bags Logout (optional) Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 25

  12. Try It #2! Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Move a file from the server to your workstation: Printing and Sorting Tools scp server:/remote/path/to/file.ext Counting Tools Other Tools /local/directory/ Advanced Sets Move a file from your workstation to the server: Bags Prefix Maps scp /local/file.ext server:/remote/directory/ Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 26

  13. Text Editors Introduction About Flow Unix Beginning Analysis Write only: echo "blah" > file Basic SiLK Tools Simple: vi rwfilter Printing and Sorting Flexible but not always available: emacs Tools Counting Tools Other simple text file tools Other Tools Advanced ◮ cat : print it out Sets Bags ◮ more , less : print it out one page at a time Prefix Maps Unix Scripting ◮ head , tail : print out just the beginning (or end) Visualization ◮ wc -l : count the number of lines Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 27

  14. Getting around Introduction About Flow Unix Beginning Analysis Some other commands you may need: Basic SiLK Tools rwfilter ◮ cd : change directory Printing and Sorting Tools ◮ ls : list the current directory contents Counting Tools Other Tools ◮ mkdir : make a directory Advanced Sets ◮ rm : remove a file Bags Prefix Maps ◮ cp : copy a file Unix Scripting Visualization ◮ logout or exit : log out Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 28

  15. Try It #3! Introduction About Flow Unix Beginning Analysis Basic SiLK Tools 1. Create a sample file on the server. rwfilter Printing and Sorting Tools 2. Move the file from the server to your local machine, Counting Tools Other Tools and open it in the local text editor. Change the file Advanced and move it back to the server. Sets Bags Prefix Maps 3. Use head and tail to display the second line of a file Unix Scripting which contains 5 lines. Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 29

  16. Where’s the GUI command prompt? Introduction About Flow Unix Beginning Analysis Basic SiLK Tools ◮ It’s not quite the same as Windows: rwfilter Printing and Sorting Tools ◮ You’ll always be working from a command prompt Counting Tools Other Tools ◮ We’ll be doing lots of text manipulation Advanced Sets ◮ There’s occasional CR-LF messiness Bags Prefix Maps ◮ Data can get big, but that’s usually OK Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 30

  17. Get used to using pipes Introduction About Flow Unix Beginning Analysis Basic SiLK Tools ◮ Pass output from one command as input to another rwfilter Printing and Sorting ◮ Stop things with ctrl+c Tools Counting Tools Other Tools ◮ Also watch out for ctrl+s (suspend), restart with Advanced ctrl+q Sets Bags ◮ Also watch out for ctrl+z (put in background), Prefix Maps Unix Scripting continue with fg Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 31

  18. About SiLK Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter ◮ The System for internet Level Knowledge Printing and Sorting Tools Counting Tools ◮ http://tools.netsa.cert.org Other Tools ◮ Packing System Advanced Sets ◮ Accepts Netflow Bags Prefix Maps ◮ Stores data in a very space-efficient binary flat file Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 32

  19. Analysis Suite Introduction About Flow Unix Beginning Analysis ◮ Used to query binary flat files from the packing Basic SiLK Tools rwfilter system Printing and Sorting Tools Counting Tools ◮ Some mirror Unix text tools for operate on binary Other Tools flow files e.g., cut, uniq, sort, split Advanced Sets ◮ Some work with large IP data collections sets, bags Bags Prefix Maps and prefix maps Unix Scripting ◮ All support ad-hoc analysis needs Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 33

  20. What SiLK Does Introduction About ◮ Optimized for extremely large data collections Flow Unix ◮ Very compact record format Beginning Analysis Basic SiLK Tools ◮ Large amount of history can stay on line rwfilter Printing and Sorting ◮ Command line interface Tools Counting Tools Other Tools ◮ Keep data in the native binary format as long as Advanced possible Sets Bags ◮ Retrospective analysis Prefix Maps Unix Scripting ◮ Most useful for analyzing past network events Visualization Basic Graphs ◮ May feed an automated report generator Excel Gnuplot ◮ Good for forensics (what happened before the Advanced Graphs Conclusion incident?) The Community Page 34

  21. Flavoring your Flows Introduction About Flow Unix Beginning Analysis Without content data, flows often seem very bland Basic SiLK Tools rwfilter SiLK flavors flow data with add-ons: Printing and Sorting Tools ◮ Address sets e.g., blacklists Counting Tools Other Tools ◮ Address Bags give a value to an address Advanced Sets ◮ Prefix Maps give an arbitrary label to a group of Bags Prefix Maps addresses e.g., Country Code Mapping Unix Scripting ◮ Hooks for custom libraries Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 35

  22. About Classes and Types Introduction SiLK assigns each flow record a CLASS and a TYPE About Flow Class Unix Beginning Analysis ◮ Duplicates the purpose of the router Basic SiLK Tools rwfilter ◮ Sample classes might be Border, Internal, Customer Printing and Sorting Tools Counting Tools ◮ We will simply use “All” Other Tools Advanced Type Sets Bags ◮ Separate inbound from outbound Prefix Maps Unix Scripting ◮ Queries often run against a single type to improve Visualization performance Basic Graphs Excel ◮ Other types are common also Gnuplot Advanced Graphs ◮ in, inweb, out, outweb, null Conclusion The Community Page 36

  23. The Flow Repository The Repository: a directory structure holding binary flow Introduction About files Flow Unix Directory structure based on: Beginning Analysis Basic SiLK Tools ◮ Sensor rwfilter Printing and Sorting ◮ Type Tools Counting Tools ◮ Year Other Tools Advanced ◮ Month Sets Bags ◮ Day Prefix Maps Unix Scripting File name based on: Visualization Basic Graphs ◮ Type Excel Gnuplot ◮ Sensor Advanced Graphs Conclusion ◮ YYYYMMDD.HH The Community All times are GMT Page 37

  24. Try It #4! Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter We’re using anonymized flow in the repository at /data. Printing and Sorting Tools Counting Tools SSH in to the server and determine: Other Tools 1. Which dates is data available for? Advanced Sets Bags 2. What classes and types of data are available? Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 38

  25. The Training Repository Based on LBNL Anonymized data set Introduction About http://www.icir.org/enterprise-tracing/Overview.html Flow Unix Sensor name and date/time locates data within the Beginning Analysis repository Basic SiLK Tools rwfilter ◮ S0 – anonymized general flows Printing and Sorting Tools Counting Tools ◮ S1 – anonymized scanning flows, different Other Tools anonymization Advanced Sets ◮ Selected dates and times in 2004 and 2005 Bags Prefix Maps ◮ Avaliable data types: Unix Scripting ◮ out, outweb: source internal, destination not internal Visualization Basic Graphs ◮ in, inweb: source not internal, destination internal Excel Gnuplot Timeouts Advanced Graphs Conclusion ◮ 1800s (30 min) active timeout The Community ◮ 60s inactive timeout Page 39

  26. Dates in Sample Data Introduction About Flow Unix Beginning Analysis ◮ 2004/10/04:20-22 Basic SiLK Tools rwfilter ◮ 2004/12/15:08-23 Printing and Sorting Tools Counting Tools ◮ 2004/12/16:01-06,16-23 Other Tools ◮ 2004/12/17:00-03 Advanced Sets Bags ◮ 2005/01/06:19-23 Prefix Maps Unix Scripting ◮ 2005/01/06:00-06,10-23 Visualization ◮ 2005/01/08:00-05 Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 40

  27. Try It #5! Introduction About We’ve glossed over the nuance of how SiLK handles Flow Unix ICMP flows. Type in the following command and look at Beginning Analysis the output: Basic SiLK Tools rwfilter Printing and Sorting Tools rwfilter --type=in --start-date=2004/10/04 \ Counting Tools Other Tools --protocol=1 --max-pass-records=10 \ Advanced --pass-destination=stdout \ Sets Bags | rwcut --fields=sip,sport,dip,dport,icmptypecode Prefix Maps Unix Scripting Visualization 1. How does SiLK store ICMP type and code Basic Graphs Excel information? Gnuplot Advanced Graphs 2. What did this command actually do? Conclusion The Community Page 41

  28. Introduction About Flow Unix Beginning Analysis What have we done so far? Basic SiLK Tools rwfilter ◮ An Introduction to Flow Printing and Sorting Tools Counting Tools ◮ A Brief Discussion of Unix Other Tools Advanced ◮ A Flow Analysis Teaser Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 42

  29. Section Outline Introduction About Flow Unix Beginning Analysis Basic SiLK Tools Basic SiLK Tools rwfilter Printing and Sorting Tools ◮ rwfilter Counting Tools Other Tools ◮ Printing and Sorting Tools Advanced Sets ◮ Counting Tools Bags Prefix Maps ◮ Other Tools Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 43

  30. So much to do, so little time... Introduction About Flow Unix Beginning Analysis We can’t discuss all parameters for every tool Resources Basic SiLK Tools rwfilter ◮ Analyst’s handbook Printing and Sorting Tools Counting Tools ◮ SiLK Reference Guide (hardcopy man pages) Other Tools Advanced ◮ rw[something] --help Sets Bags ◮ man rw[something] Prefix Maps Unix Scripting ◮ http://tools.netsa.cert.org Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 44

  31. rwfilter Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and Sorting Tools Counting Tools Other Tools Advanced Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 45

  32. rwfilter Command Structure Introduction About Flow Unix Beginning Analysis ◮ Most of the time: any order of parameters Basic SiLK Tools rwfilter ◮ Parameters may be abbreviated to unique prefix Printing and Sorting Tools Counting Tools ◮ Five different groups of parameters: Other Tools ◮ Input – file, repository, pipe Advanced Sets ◮ Selection – which part of repositiory Bags ◮ Partitioning – which flows among the selected Prefix Maps Unix Scripting ◮ Output – going where (pipe, file) Visualization ◮ Other – IP version, filter statistics, etc. Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 46

  33. rwfilter Command Flow Introduction About Flow Unix --class INPUT Beginning Analysis --type PARAMETERS --sensor PIPE --print-filenames --flowtypes Basic SiLK Tools rwfilter FILE Printing and Sorting PARTITIONING Tools PARAMETERS Counting Tools SELECTION Other Tools PARAMETERS Advanced OUTPUT Sets REPOSITORY PARAMETERS Bags PIPE Prefix Maps Unix Scripting FILE Visualization OTHER PARAMETERS Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 47

  34. rwfilter Requirements Each rwfilter call must have: Introduction ◮ Somewhere to get records from: About Flow ◮ File name Unix Beginning Analysis ◮ --input-pipe=stdin or other pipe Basic SiLK Tools ◮ Repository (default or rwfilter --data-rootdir=./myarchive ) with selection Printing and Sorting Tools Counting Tools parameters (type, sensor, start-date, end-date, class) Other Tools ◮ Some description of what records are wanted Advanced Sets (partitioning parameters) Bags Prefix Maps ◮ Some description of where records should go: Unix Scripting ◮ --pass=myfile.rw Visualization ◮ --fail=stdout Basic Graphs Excel ◮ --print-statistics Gnuplot Advanced Graphs rwfilter --start-date=2008/12/05:00 \ Conclusion --end-date=2008/12/05:03 --type=all \ The Community --protocol=6 --packets=1-3 --pass=dec05.rw Page 48

  35. Selection Parameters Introduction About These options control access to repository files Flow Unix Beginning Analysis ◮ --start-date=2007/10/03:00 Basic SiLK Tools ◮ --end-date=2007/10/03T03 rwfilter Printing and Sorting Tools ◮ --sensor=S0 Counting Tools Other Tools ◮ --class=all Advanced Sets ◮ --type=in Bags Prefix Maps Unix Scripting Alternatively, use a pipe or a file Visualization ◮ --input-pipe=stdin – Useful for chaining filters Basic Graphs Excel through stdin/stdout Gnuplot Advanced Graphs ◮ myfile.rw – Useful for filtering previous results Conclusion The Community Page 49

  36. Partitioning Parameters Partioning is the most complex Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Flow Record Fields Printing and Sorting IP Sets Tools Counting Tools User pmaps and Country Codes Other Tools Tuples Advanced Dynamic Libs Sets PySiLK Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel ◮ Partitioning parameters form an “and” expression Gnuplot Advanced Graphs ◮ Too few parameters means too much output Conclusion ◮ Can refine partitioning with another rwfilter call The Community ◮ Some of these are beyond the scope of this course Page 50

  37. Flow partitioning parameters: Record Fields Introduction Pass records based on flow record fields; one is required About Flow ◮ --[not-]saddress, --[not-]daddress : Wildcard Unix Beginning Analysis like 12.5,7,9.2-250.x Basic SiLK Tools rwfilter ◮ --protocol : IP protocol Printing and Sorting Tools ◮ --sport, --dport, --aport TCP, UDP ports Counting Tools Other Tools (caveat: ICMP) Advanced Sets Bags ◮ Prefix Maps --tcp-flags=SF; --flags-all=S/SA; --fin-flag ;... Unix Scripting ◮ --icmp-type; --icmp-code Visualization Basic Graphs ◮ --bytes, --packets, --bytes-per-packet Excel Gnuplot Advanced Graphs At least one partitioning parameter is required Conclusion ◮ Use --proto=0- to pass all The Community Page 51

  38. Flow partitioning parameters: Flow Record Time Introduction About Flow Unix start-date, end-date choose repository files, but do not Beginning Analysis look at the actual flow records Basic SiLK Tools rwfilter Printing and Sorting ◮ --stime , --etime : choose flows that start (or end) Tools Counting Tools within a time range Other Tools Advanced ◮ --active-time : flows active in a time range Sets Bags ◮ Time format: YYYY/MM/DD:HH:MM:SS Prefix Maps Unix Scripting ◮ Time range format: [Time]-[Time] Visualization Basic Graphs Duration Excel Gnuplot Advanced Graphs ◮ --duration=1-10 : number of seconds the flow was Conclusion active The Community Page 52

  39. Flow partitioning Parameters: Flags Introduction About Flow Unix Beginning Analysis Basic SiLK Tools ◮ --tcp-flags=[FSRPAUEC] rwfilter Printing and Sorting Tools ◮ --fin-flag, --syn-flag , etc. Counting Tools Other Tools ◮ --flags-all=[FSRPAUEC]/[FSRPAUEC] Advanced Sets ◮ --flags-initial=[FSRPAUEC]/[FSRPAUEC] Bags Prefix Maps ◮ --flags-session=[FSRPAUEC]/[FSRPAUEC] Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 53

  40. Flow partitioning Parameters: Advanced Introduction About Flow Some of these will be discussed later: Unix Beginning Analysis ◮ --max-pass : limit the number of records passed Basic SiLK Tools rwfilter ◮ --sipset , --dipset , etc: limit to specfici IP Printing and Sorting Tools Counting Tools addresses Other Tools ◮ --ipport : IP/port pairs Advanced Sets Bags ◮ --pmap ; prefix map Prefix Maps Unix Scripting ◮ --dynamic-library : dynamically loaded library Visualization ◮ --scc , --dcc : country codes Basic Graphs Excel ◮ compression Gnuplot Advanced Graphs Conclusion The Community Page 54

  41. Output Parameters Introduction About Flow rwfilter leaves the flows in binary(compact) form Unix Beginning Analysis ◮ --pass , --fail : direct the flows to a file or pipe Basic SiLK Tools rwfilter ◮ --all : destination for everything pulled from the Printing and Sorting Tools Counting Tools repository Other Tools Advanced ◮ One output is required but more than one can be Sets used Bags Prefix Maps Unix Scripting Other useful output: Visualization ◮ --print-statistics Basic Graphs Excel ◮ --print-volume-statistics Gnuplot Advanced Graphs Conclusion The Community Page 55

  42. Other Parameters Introduction About Flow Unix ◮ --dry-run : test the command (useful for scripting) Beginning Analysis Basic SiLK Tools ◮ --ipversion=6 : process IPv6 data rwfilter Printing and Sorting Tools ◮ --print-filenames : print files from which flow Counting Tools Other Tools records came Advanced ◮ --help : print condensed help text Sets Bags Prefix Maps ◮ --man : print manual page Unix Scripting ◮ --version : print configuration info Visualization Basic Graphs ◮ --threads : parallelize rwfilter run Excel Gnuplot Advanced Graphs Conclusion The Community Page 56

  43. Try It #6! Introduction About Flow Unix The time to run an initial query against the repository Beginning Analysis Basic SiLK Tools often depends on the number of files which will be rwfilter accessed. How many files in the repository will be opened Printing and Sorting Tools Counting Tools with this command? Other Tools Advanced Sets rwfilter --sensor=s0 \ Bags --start-date=2004/12/15:19 Prefix Maps Unix Scripting Visualization (note: you have to add extra parameters to this command Basic Graphs Excel to make it work) Gnuplot Advanced Graphs Conclusion The Community Page 57

  44. Try It #7! Introduction About Flow Unix Beginning Analysis Often you will want to track an individual address or Basic SiLK Tools address block. Develop a filter command to retrieve: rwfilter Printing and Sorting ◮ Flows to the 131.243.10.0/24 CIDR block, Tools Counting Tools Other Tools ◮ Leaving our network, Advanced ◮ On 12/16/2004 at 17:00 GMT, Sets Bags Prefix Maps ◮ And save the flows in the file netblock.rw . Unix Scripting How many packets, bytes and flows were retrieved? Visualization Basic Graphs How many packets, bytes, and flows were retrieved? Excel Gnuplot Advanced Graphs Conclusion The Community Page 58

  45. Try It #8! Introduction About Let’s look for short, bursty outbound ssh traffic. Develop Flow Unix a filter command that does the following: Beginning Analysis Basic SiLK Tools ◮ Pulls out all outbound ssh (TCP port 22) flows, rwfilter Printing and Sorting Tools ◮ On 12/17/2004, Counting Tools Other Tools ◮ Between 00:00 and 04:00 GMT, Advanced Sets ◮ That lasted less than 60 seconds, Bags Prefix Maps ◮ With an average of more than 60 bytes per packet, Unix Scripting ◮ And store the result in a file named short-ssh.raw Visualization Basic Graphs Excel How many records did you retrieve? How many files in Gnuplot Advanced Graphs the repository were opened? Conclusion The Community Page 59

  46. Try It #9! Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and Sorting Tools Examine traffic trends. What is the change in mail traffic Counting Tools Other Tools volume between 19:00 and 20:00 hours on 12/15/2004 for Advanced the mail server at 128.3.26.249? Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 60

  47. Chaining filters It is often very efficient to chain rwfilter Introduction commands together About Flow Unix ◮ Use --pass and --fail to Beginning Analysis segregate bins Basic SiLK Tools rwfilter ◮ Use --all so you only pull from the Printing and Sorting Tools Counting Tools repository once Other Tools Advanced Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 61

  48. What Is This #8 Introduction About Flow Unix rwfilter \ Beginning Analysis Basic SiLK Tools --start-date=2007/09/30 \ rwfilter --type=outweb \ Printing and Sorting Tools Counting Tools --bytes=100000- \ Other Tools --pass=stdout \ Advanced Sets | rwfilter \ Bags Prefix Maps --input-pipe=stdin \ Unix Scripting --duration=60- \ Visualization --pass=long-http.rw \ Basic Graphs Excel --fail=short-http.rw Gnuplot Advanced Graphs Conclusion The Community Page 62

  49. Try It #10! Introduction About Flow Unix Beginning Analysis Let’s revisit the last example for some more analysis. For Basic SiLK Tools rwfilter the mail server at 128.3.26.249, and looking only at Printing and Sorting Tools outbound traffic for the 19:00 hour on 12/15/2004, use a Counting Tools Other Tools single command to find out both: Advanced Sets ◮ The total number of SMTP flows (TCP port 25), and Bags Prefix Maps ◮ The number of flows which were for outbound Unix Scripting messages Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 63

  50. Common rwfilter Typos Introduction About Flow ◮ --port or --destport : not an option name Unix Beginning Analysis ◮ --saddress=file : pointing to a filename; should be Basic SiLK Tools rwfilter an IP Printing and Sorting Tools ◮ --sip=10.1.2.3 : sip specifies an IPSet; use saddr Counting Tools Other Tools for addresses Advanced Sets ◮ --start=2005/11/04:06:00:00 start-date and end Bags Prefix Maps date use only down to the hour Unix Scripting ◮ ---start-date : should be only two dashes Visualization Basic Graphs ◮ -- start=2007/05/22 : no space between -- and the Excel Gnuplot option Advanced Graphs Conclusion The Community Page 64

  51. But I can’t read binary... Introduction About rwcut provides a way to display binary records as Flow Unix human-readable ASCII Beginning Analysis Basic SiLK Tools ◮ Useful for printing flows to the screen rwfilter Printing and Sorting ◮ Useful for input to text processing tools Tools Counting Tools Other Tools ◮ You’ll usually only need the --fields argument Advanced Sets sip packets sval flags application Bags Prefix Maps dip bytes dval initialflags icmptypecode Unix Scripting sport Sensor in, out sessionflags attributes Visualization Basic Graphs dport scc dur dur+msec type Excel protocol dcc stime stime+msec stype Gnuplot Advanced Graphs class nhip etime etime+msec dtype Conclusion The Community Page 65

  52. Pretty Printing SiLK Output Introduction Default output is fixed-width pipe delimited data About Flow Unix Beginning Analysis sIP| dIP|pro|pkts|bytes| Basic SiLK Tools 207.240.215.71| 128.3.48.203| 1| 1| 60| rwfilter Printing and Sorting 207.240.215.71| 128.3.48.68| 1| 1| 60| Tools Counting Tools 207.240.215.71| 128.3.48.71| 1| 1| 60| Other Tools Advanced Sets Tools with text output have these formatting options Bags Prefix Maps ◮ --no-titles : suppress the first row Unix Scripting Visualization ◮ --no-columns : suppress the spaces Basic Graphs Excel ◮ --delimited ; --column-separator Gnuplot Advanced Graphs ◮ --legacy-timestamps : better for import to Excel Conclusion The Community Page 66

  53. Try It #11! Introduction About Flow Unix Create a file ssh.rw that contains all outbound SSH flows Beginning Analysis from 12/16/2004:17. Experiment with rwcut and Unix Basic SiLK Tools rwfilter text tools to try and sort out records: Printing and Sorting Tools Counting Tools 1. Can you tell which flows are from internal SSH Other Tools servers, and which are from external SSH servers? Advanced Sets Bags 2. Which flows look like SSH keep-alives? Prefix Maps Unix Scripting 3. Which flows had the most data transfer? Visualization Try to write rwfilter commands against ssh.rw to query Basic Graphs Excel these records, and display them with rwcut Gnuplot Advanced Graphs Conclusion The Community Page 67

  54. rwsort Introduction About Flow Why sort flow records? Unix Beginning Analysis ◮ Records are recorded as received, not in time order Basic SiLK Tools rwfilter (look at records from the last exercise) Printing and Sorting Tools ◮ Analysis often requires finding outliers Counting Tools Other Tools rwsort options Advanced Sets ◮ fields (same as rwcut) is required Bags Prefix Maps ◮ in, out (stdin / stdout are defaults) Unix Scripting Visualization ◮ For improved sorts, specify a buffer size Basic Graphs Excel ◮ For large sorts, specify a temporary directory Gnuplot Advanced Graphs Conclusion The Community Page 68

  55. I only believe what I see Introduction About Flow Unix Beginning Analysis Basic SiLK Tools You’ll be tempted to work with text-based records rwfilter Printing and Sorting ◮ It’s easy to see the results and postprocess with other Tools Counting Tools Other Tools tools (e.g., perl) Advanced ◮ It takes a lot of space, and it’s much, much slower Sets Bags Prefix Maps Guiding Principle: Keep flows in binary format as long as Unix Scripting possible Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 69

  56. Try It #12! Introduction About Flow Unix Beginning Analysis Often HTTP beaconing consists of very small HTTP Basic SiLK Tools requests. Let’s get a feel for what HTTP data looks like, rwfilter Printing and Sorting even before we start to find these beacons. Tools Counting Tools What do the smallest outbound HTTP web client flows Other Tools look like on 12/15/2004? Advanced Sets Bags ◮ First, find them using rwsort Prefix Maps Unix Scripting ◮ Second, find them using sort Visualization ◮ Which was faster? Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 70

  57. Counting Tools Introduction About Flow Unix Beginning Analysis Basic SiLK Tools The suite contains several counting tools: rwfilter Printing and Sorting Tools ◮ rwcount - count across time Counting Tools Other Tools ◮ rwaddrcount - count across addresses Advanced Sets ◮ rwuniq - count on arbitrary field combinations Bags Prefix Maps ◮ rwstats - descriptive statistics and counts Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 71

  58. rwcount Introduction About Flow Unix Beginning Analysis Basic counting: Basic SiLK Tools rwfilter Printing and Sorting ◮ rwcount myfile.rw > count_file Tools Counting Tools ◮ Produces byte, packet and flow totals by time Other Tools Advanced Sets Common Options: Bags Prefix Maps ◮ --bin-size : changes the size of each bin (in seconds) Unix Scripting ◮ --skip-zeroes : should empty bins be printed? Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 72

  59. rwaddrcount Introduction About Flow Basic counting: Unix Beginning Analysis ◮ rwaddrcount --[print-option] myfile.rw Basic SiLK Tools rwfilter Printing and Sorting ◮ --use-dest to work with dIP; default is sIP Tools Counting Tools Other Tools Print Options: Advanced ◮ --print-stat : Lists total number of addresses found Sets Bags Prefix Maps ◮ --print-ips : Just print out the IP address, nothing Unix Scripting else Visualization Basic Graphs ◮ --print-recs : Lists bytes, packets, records, times Excel Gnuplot for each address Advanced Graphs Conclusion The Community Page 73

  60. rwstats Introduction About Great for generating top-N, bottom-N lists Flow Unix Group by (choose one or two): Beginning Analysis Basic SiLK Tools ◮ Addresses rwfilter Printing and Sorting ◮ Ports Tools Counting Tools Other Tools ◮ Protocols Advanced Sets Output Limit Bags Prefix Maps ◮ Count Unix Scripting ◮ Top, Bottom Visualization Basic Graphs ◮ Threshold (specific value range) Excel Gnuplot Advanced Graphs ◮ Percentage Conclusion The Community Page 74

  61. rwuniq Introduction About Flow Unix The more general case for rwstats Beginning Analysis Basic SiLK Tools Mirrors the unix “uniq -c” command rwfilter Printing and Sorting ◮ Creates a giant hash table where you define the key Tools Counting Tools ◮ Memory is expensive, so we can’t uniq everything Other Tools Advanced Common Options: Sets Bags Prefix Maps ◮ --fields : same as cutting and sorting Unix Scripting ◮ --all-counts : collect bytes, packets and flows Visualization Basic Graphs ◮ --bin-time : size the bins when uniq’ing on time Excel Gnuplot Advanced Graphs Conclusion The Community Page 75

  62. Try It #13! Introduction About Flow Unix Find scans traffic in the sample data (while the Beginning Analysis Basic SiLK Tools anonymizer removed some of the simple scans, they didn’t rwfilter find them all). When you find one, answer the following Printing and Sorting Tools Counting Tools questions: Other Tools Advanced ◮ What type of scan was it? Sets Bags ◮ When did it start/end? Prefix Maps Unix Scripting ◮ How fast was it? Visualization ◮ What did the scanner discover? Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 76

  63. Try It #14! Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and Sorting This example showcases the very useful --dip-distinct Tools Counting Tools feature of rwuniq: Other Tools Advanced For 2004/12/15, how many clients connected to the Sets highest volume web servers? Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 77

  64. Oops...I forgot where this came from... Introduction About Flow Unix Beginning Analysis rwfileinfo Basic SiLK Tools ◮ Each SiLK file (flows, sets, bags, prefix maps, etc.) rwfilter Printing and Sorting has a header which logs data Tools Counting Tools Other Tools ◮ rwfileinfo prints out that data Advanced ◮ For flow files, it also (usually) keeps a history of the Sets Bags commands used to generate the file Prefix Maps Unix Scripting Try It! Visualization Basic Graphs ◮ rwfileinfo *.rw Excel Gnuplot Advanced Graphs Conclusion The Community Page 78

  65. When the files are LARGE Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwcat rwfilter ◮ Send a binary rw file to stdout Printing and Sorting Tools Counting Tools rwappend Other Tools Advanced ◮ Join multiple files together Sets Bags rwsplit Prefix Maps Unix Scripting ◮ Carve large files into pieces Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 79

  66. How long will this really take? Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter rwfglob Printing and Sorting Tools Counting Tools ◮ Find out which files will be pulled from the repository Other Tools Advanced ◮ Find out whats available and whats missing Sets Bags ◮ Use the output in other file-processing scripts Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 80

  67. Maintain anonymity Introduction About Flow Unix Beginning Analysis rwnetmask Basic SiLK Tools rwfilter ◮ Mask off low order bits of source and/or destination Printing and Sorting Tools addresses Counting Tools Other Tools rwrandomizeip Advanced Sets ◮ Randomly replace source and destination addresses Bags Prefix Maps rwtuc Unix Scripting ◮ Change text flow data into binary (opposite of rwcut) Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 81

  68. Who was that? Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter rwresolve Printing and Sorting Tools Counting Tools ◮ Perform a DNS lookup on text output Other Tools Advanced ◮ Caveat: it uses your analysis host’s DNS resolver Sets Bags ◮ Caveat: DNS is subject to change Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 82

  69. What have we done so far? Introduction About Flow Unix Beginning Analysis Basic SiLK Tools Basic SiLK Tools rwfilter Printing and Sorting Tools ◮ rwfilter Counting Tools Other Tools ◮ Printing and Sorting Tools Advanced Sets ◮ Counting Tools Bags Prefix Maps ◮ Other Tools Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 83

  70. Section Outline Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Advanced SiLK Tools Printing and Sorting Tools Counting Tools ◮ Sets Other Tools Advanced ◮ Bags Sets Bags ◮ Prefix Maps Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 84

  71. Blacklists, Whitelists, Books of Lists... Introduction About Too many addresses for the command line? Flow Unix ◮ Spam block list Beginning Analysis Basic SiLK Tools ◮ Malicious web sites rwfilter Printing and Sorting Tools ◮ Arbitrary list of any type of addresses Counting Tools Other Tools Create an IP set! Advanced Sets ◮ Individual IP address in dotted decimal or integer Bags Prefix Maps ◮ CIDR blocks, 192.168.0.0/16 Unix Scripting ◮ Wildcards, 10.4,6.x.2-254 Visualization Basic Graphs Excel Use it directly within your filter commands Gnuplot Advanced Graphs ◮ --sip , --dip , --anyset Conclusion The Community Page 85

  72. Set Tools Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwset : create sets from binary flows rwfilter Printing and Sorting rwsetbuild : create sets from text Tools Counting Tools Other Tools rwsetcat : print out an IP set into text ( very useful ) Advanced rwsetmember : test if IP is in given IP sets Sets Bags rwsettool : perform set algebra (set, union, intersection) Prefix Maps on multiple IP sets Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 86

  73. Try It #15! Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and Sorting Tools Flow is also very useful for creating network inventories. Counting Tools Other Tools What /24 net blocks are populated within my network? Advanced Which block has the densest population? Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 87

  74. Other uses of IP Sets Introduction About Flow Unix Beginning Analysis Basic SiLK Tools Perform set arithmetic on IP data rwfilter Printing and Sorting Tools ◮ What addresses on my spam blacklist are also bot Counting Tools Other Tools infected? Advanced Sets Randomly select items for sampling Bags Prefix Maps ◮ rwsettool --sample --size=100 Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 88

  75. Bags: sets with attitude Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Bags are generally IPSets with an associated integer Printing and Sorting Tools ◮ Usually a count or sum Counting Tools Other Tools ◮ Could also be ports or protocols Advanced Sets Bags can make sets Bags Prefix Maps Math operations can be performed on bags Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 89

  76. Try It #16! Let’s look for DNS clients that are using an external DNS Introduction About resolver. Flow Unix ◮ First, let’s take a moment to review DNS: Beginning Analysis Basic SiLK Tools ◮ When a client wants an address, it asks its local DNS rwfilter Printing and Sorting server Tools Counting Tools Other Tools ◮ The local DNS server does all the work Advanced Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 90

  77. Try It #16!(2) The Local DNS Server should be local Introduction ◮ Can be assigned manually or by DHCP About Flow Unix ◮ Up to three can be assigned, but often only one is Beginning Analysis used Basic SiLK Tools rwfilter Printing and Sorting Tools Counting Tools Other Tools Advanced Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 91

  78. Try It #16!(3) Once again, let’s look for DNS clients that are using an Introduction About external DNS resolver: Flow Unix ◮ Use bags to count the number of outbound DNS Beginning Analysis Basic SiLK Tools connections per address, rwfilter ◮ Create a candidate set from that bag of addresses Printing and Sorting Tools Counting Tools with more than 100 outbound flows, and Other Tools Advanced ◮ Find the number of unique destination addresses for Sets Bags the candidates. Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 92

  79. Prefix Maps(pmaps): sets with bling Assign an arbitrary label to address prefixes Introduction ◮ Start with a text file of IP ranges and labels About Flow ◮ Order from least to most specific Unix Beginning Analysis ◮ Compile the text file with rwpmapbuild Basic SiLK Tools rwfilter ◮ Print out the pmap with rwpmapcat Printing and Sorting Tools Counting Tools The input file: Other Tools Advanced Sets 10.0.0.0/8 Private Unassigned Bags Prefix Maps 192.168.0.0/16 Private Unassigned Unix Scripting 172.16.0.0/12 Private Unassigned Visualization 10.0.1.100 10.0.1.200 Workstation DHCP Basic Graphs Excel 10.0.1.1 10.0.1.50 Servers Gnuplot Advanced Graphs 10.0.2.1 10.0.2.50 Servers Conclusion 10.0.3.1 10.0.3.50 DMZ Servers The Community No other pmap tools (?!?) Page 93

  80. Using pmaps Introduction About Flow pmaps don’t have their own tools, they fit in with existing Unix Beginning Analysis tools Basic SiLK Tools rwfilter ◮ rwfilter Printing and Sorting Tools Counting Tools ◮ rwsort Other Tools ◮ rwcut Advanced Sets Bags ◮ rwuniq Prefix Maps Unix Scripting This allows you to add your own fields to flow Visualization ◮ Query all your servers: Basic Graphs Excel rwfilter --sval="Servers","DMZ Servers" Gnuplot Advanced Graphs Conclusion The Community Page 94

  81. Port-based pmaps Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and Sorting It’s also possible to create prefix maps based on ports. Tools Counting Tools Other Tools ◮ Useful for well-known service ports; e.g., IRC, HTTP Advanced ◮ Also useful for ICMP Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 95

  82. Try It #17! Introduction About Flow Unix Beginning Analysis Create an ICMP prefix map from the ICMP types (or Basic SiLK Tools types and codes). rwfilter Printing and Sorting Tools ◮ Look at unassigned ICMP type/code values that are Counting Tools Other Tools in use. Which ICMP types receive the most traffic? Advanced ◮ Note: ICMP type/code values are assigned by Sets Bags RFC792; a summary table is available from IANA at Prefix Maps Unix Scripting http: Visualization //www.iana.org/assignments/icmp-parameters Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 96

  83. Are we there yet? Introduction About Flow Unix Beginning Analysis Basic SiLK Tools Advanced SiLK Tools rwfilter Printing and Sorting ◮ Splitting and merging Tools Counting Tools ◮ Sets Other Tools Advanced ◮ Bags Sets Bags ◮ Prefix Maps Prefix Maps Unix Scripting More reliance on examples to demonstrate these concepts Visualization Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 97

  84. Scripting Introduction About Flow Unix Why script? Beginning Analysis ◮ Repeatable analyses Basic SiLK Tools rwfilter ◮ Encapsulating syntax Printing and Sorting Tools Counting Tools ◮ Composing complex commands Other Tools Advanced How to script? Sets Bags ◮ Shell scripting (we’ll use bash) Prefix Maps Unix Scripting ◮ Good reference: http://tldp.org/LDP/abs/html/ Visualization ◮ Python (beyond this class, but widely used) Basic Graphs Excel ◮ Good reference: http://docs.python.org/tut/ Gnuplot Advanced Graphs Conclusion The Community Page 98

  85. Getting started Introduction About Flow Unix Beginning Analysis Put your typed commands into a file Basic SiLK Tools rwfilter ◮ From our second example, ls -lR /data |grep Printing and Sorting Tools "/data" Counting Tools Other Tools Run the file Advanced Sets ◮ bash script.sh or Bags Prefix Maps ◮ sh script.sh or Unix Scripting Visualization ◮ chmod +x script.sh ; ./script.sh Basic Graphs Excel Gnuplot Advanced Graphs Conclusion The Community Page 99

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION

INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION

TRAINING COURSE ON SOCIAL PROTECTION & FORMALIZATION TRINIDAD AND TOBAGO MARCH 15, 2017 INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION Design of the NIS Assistance from the

547 views • 23 slides
INTRODUCTION Introduction 2/42 INTRODUCTION Alternations I am giving bread to the

INTRODUCTION Introduction 2/42 INTRODUCTION Alternations I am giving bread to the

Patterns of variation in the expression of case and agreement Andrs Brny Leiden University Centre for Linguistics 9 November 2019, BaSIS Workshop a.barany@hum.leidenuniv.nl INTRODUCTION Introduction 2/42 INTRODUCTION

1.37k views • 42 slides
Introduction Introduction Introduction Introduction Outline Motivation Failures

Introduction Introduction Introduction Introduction Outline Motivation Failures

Introduction Introduction Introduction Introduction Outline Motivation Failures Definition and concepts Process and product properties Principles SE Approaches Motivation Software and the economy The economies of

1.03k views • 49 slides
Introduction Introduction Introduction Nationwide Cause for Concern 1

Introduction Introduction Introduction Nationwide Cause for Concern 1

Introduction Introduction Introduction Nationwide Cause for Concern 1 https://www.cdc.gov/std/stats17/infographic.htm Introduction Epidemiology in Western Colorado CPHE Surveillance Data Report, May 2018 Chlamydia Epidemiology in Western

977 views • 39 slides
DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every

DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every

DAQ introduction Purpose of this talk : (1) Introduction for those who have not been in every meeting (2) Some ideas of diagrams for section 7.1 (Introduction) of TP. Giles Barr 25 Jan 2018, Pembroke College On DUNE, the reality is there is a

474 views • 10 slides
INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT

ADVANCED COMPUTER SECURITY INTRODUCTION cf. Schneider, Chapter 1 INTRODUCTION THEY ARE OUT TO GET YOU INTRODUCTION WHAT IS SECURITY? A systems security policies describe What the system is supposed to do Store and provide access

479 views • 16 slides
Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL

Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL

Overview Introduction to SMIL Introduction to W3C and XML Introduction to SMIL Writing a SMIL file Adding Media Objects Martin Halvey Clipping media files January 2008 Timing and Synchronising Layout World Wide

387 views • 14 slides
14 Introduction Introduction Bad guys can put malware into Example: hosts

14 Introduction Introduction Bad guys can put malware into Example: hosts

Introduction Introduction source Encapsulation ISO/OSI reference model message M application segment H t H t M transport network datagram H n H n H t M presentation: allow applications to frame link H l H n H t M interpret

583 views • 4 slides
Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL

Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL

Previous Lecture Introduction to SMIL 2 Introduction to W3C and XML Introduction to SMIL Writing a SMIL file Adding Media Objects Martin Halvey Clipping media files January 2008 Timing and Synchronising Layout

322 views • 8 slides
Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL

Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL

Introduction Zynq Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL Processing System Processor Peripherals Data Buses AXI Bus Conclusion BTE5380 - Embedded Systems Octobre 2014 Andreas Habegger

1.81k views • 30 slides
2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04

2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04

2018.06 01 SMILE5 Introduction S E 5 02 Alpha Cloud M I L 03 Company Introduction 04 Project References S E 5 PART.1 SMILE5 Introduction M I L Introduction STORION-SMILE5 Residential Energy Storage System Inverter 5kW Output Input

1.06k views • 25 slides
Introduction to CICS Course introduction Course introduction What is CICS? What is an

Introduction to CICS Course introduction Course introduction What is CICS? What is an

Introduction to CICS Course introduction Course introduction What is CICS? What is an application server? Why use an application server? Course introduction Services provided by CICS How CICS applications are defined Scaling CICS to meet

1.84k views • 146 slides
Network Visualization Introduction Presented by Shahed Introduction Introduction Basic

Network Visualization Introduction Presented by Shahed Introduction Introduction Basic

Network Visualization Introduction Presented by Shahed Introduction Introduction Basic building blocks Node Links (relationship between nodes) Spatial information Network data

584 views • 9 slides
Introduction Introduction (1) Main argument of the paper: universities are not only

Introduction Introduction (1) Main argument of the paper: universities are not only

Le jugement des pairs comme outil de management des universits Peer-review as a management tool Christine Musselin (CSO, Sciences Po et CNRS) Avril 2013, Lirrsistible ascension du capitalisme acadmique Introduction Introduction (1)

590 views • 28 slides
Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Introduction Introduction to storage and to storage and filesystems filesystems Introduction

Moreno Baricevic Gilberto Daz Axel Kohlmeyer Stefano Cozzini ULA ICTP CNR-IOM DEMOCRITOS Merida, VENEZUELA Trieste, ITALY Trieste, ITALY Introduction Introduction to storage and to storage and filesystems filesystems Introduction

1.19k views • 51 slides
JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of

JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of

JABLOTRON JA-100 introduction November 2011 Introduction Todays goals First introduction of the brand new JA-100 alarm system Visions Basic architecture System components Setting Help us with final validations You are the FIRST ones

1.69k views • 111 slides
Reproducible Research Using Stata L. Philip Schumm Ronald A. Thisted Department of Health

Reproducible Research Using Stata L. Philip Schumm Ronald A. Thisted Department of Health

Managing Statistical Output Reproducible Research Using Stata reStructuredText Examples Reproducible Research Using Stata L. Philip Schumm Ronald A. Thisted Department of Health Studies University of Chicago July 11, 2005 Managing

500 views • 34 slides
T15 November 18, 2004 3 :00 PM T EST H ARNESSES FOR API T ESTING Michael Sonshine Intuit Inc

T15 November 18, 2004 3 :00 PM T EST H ARNESSES FOR API T ESTING Michael Sonshine Intuit Inc

BIO PRESENTATION SUPPLEMENTAL MATERIALS T15 November 18, 2004 3 :00 PM T EST H ARNESSES FOR API T ESTING Michael Sonshine Intuit Inc International Conference On Software Testing Analysis & Review November 15-19, 2004 Anaheim, CA USA

616 views • 38 slides
The need for tools A tool is a device that can be used to produce an item or achieve a task, but

The need for tools A tool is a device that can be used to produce an item or achieve a task, but

Tools for ILDG Dr Chris Maynard Application Consultant, EPCC c.maynard@ed.ac.uk +44 131 650 5077 The need for tools A tool is a device that can be used to produce an item or achieve a task, but that is not consumed in the process Wrong sort

622 views • 22 slides
A bit of background When the Urban Challenge got rolling, a software framework had to be

A bit of background When the Urban Challenge got rolling, a software framework had to be

A bit of background When the Urban Challenge got rolling, a software framework had to be chosen ModUtils from Grand Challenge/NavLab CMU IPC from everything A NIST package used over at NREC Third party packages ModUtils

629 views • 20 slides
Axib ibase Tim ime Series Database Axib ibase Tim ime Series Database Axibase Time-Series

Axib ibase Tim ime Series Database Axib ibase Tim ime Series Database Axibase Time-Series

Axib ibase Tim ime Series Database Axib ibase Tim ime Series Database Axibase Time-Series Database (ATSD) is a clustered non-relational database for the storage of various information coming out of the IT infrastructure. ATSD is specifically

739 views • 54 slides
The Swift Gamma-Ray Burst Mission -- Science and Data Analysis Hans A. Krimm CRESST / USRA /

The Swift Gamma-Ray Burst Mission -- Science and Data Analysis Hans A. Krimm CRESST / USRA /

The Swift Gamma-Ray Burst Mission -- Science and Data Analysis Hans A. Krimm CRESST / USRA / NASA Goddard Space Flight Center July 29, 2008 Urbino 2008: High Energy Astrophysics Summer School Outline The Swift mission

651 views • 54 slides
Tulsa Community College Library Services and Programs Assessment Plan May 15, 2018 Final

Tulsa Community College Library Services and Programs Assessment Plan May 15, 2018 Final

Tulsa Community College Library Services and Programs Assessment Plan May 15, 2018 Final Revision, August 9, 2018 Adam Brennan Amanda Ross Bob Holzmann (chair) (Jao-Ming Huang) Josh Barnes (Megan Donald) Stephanie Ingold (management

242 views • 21 slides
San Francisco Chapter San Francisco Chapter Presented by: AAA Northern California, Nevada &

San Francisco Chapter San Francisco Chapter Presented by: AAA Northern California, Nevada &

San Francisco Chapter San Francisco Chapter Presented by: AAA Northern California, Nevada & Utah Derek Koopowitz IT Audit Manager Norm Gutierrez IT Audit Specialist Infrastructure Vulnerability Assessment Infrastructure

969 views • 92 slides

More recommend