Day 17
Traffic analysis: I Tawt I Taw A C2 Tat!
Learning Objectives
Gain knowledge of the network traffic data format
Understand the differences between full packet captures and network flows
Learn how to process network flow data
Discover the SiLK tool suite
Gain hands-on experience in network flow analysis with SiLK
This room is again a very straightforward one with all commands and instructions already given. We just need to follow along and run them.
Which version of SiLK is installed on the VM?
[REDACTED]
ubuntu@ip-10-10-191-161:~/Desktop$ silk_config -v
[REDACTED]
* Root of packed data tree: /var/silk/data
* Packing logic: Run-time plug-in
* Timezone support: UTC
* Available compression methods: lzo1x [default], none, zlib
* IPv6 network connections: yes
* IPv6 flow record support: yes
* IPset record compatibility: 3.14.0
* IPFIX/NetFlow9/sFlow collection: ipfix,netflow9,sflow
* Transport encryption: GnuTLS
* PySiLK support: /usr/local/lib/python2.7/site-packages
* Enable assert(): no
Copyright (C) 2001-2020 by Carnegie Mellon University
GNU General Public License (GPL) Rights pursuant to Version 2, June 1991.
Some included library code covered by LGPL 2.1; see source for details.
Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013.
Send bug reports, feature requests, and comments to netsa-help@cert.org.
What is the size of the flows in the count records?
[REDACTED]
rwfileinfo suspicious-flows.silk
suspicious-flows.silk:
format(id) FT_RWIPV6ROUTING(0x0c)
version 16
byte-order littleEndian
compression(id) lzo1x(2)
header-length 88
.
.
.
file-size 152366
command-lines
1 rwipfix2silk --silk-output=test.silk
What is the start time (sTime) of the sixth record in the file?
[REDACTED]
ubuntu@ip-10-10-191-161:~/Desktop$ rwcut suspicious-flows.silk --num-recs=6
sIP|dIP|sPort|dPort|pro|packets|bytes|flags|sTime|duration|eTime|sen|
[REDACTED]
What is the destination port of the sixth UDP record?
[REDACTED]
ubuntu@ip-10-10-191-161:~/Desktop$ rwcut suspicious-flows.silk --fields=protocol,sIP,sPort,dIP,dPort --num-recs=6
pro| sIP|sPort| dIP|dPort|
6|175.215.235.223| 80|175.215.236.223| 3222|
6|175.215.235.223| 80|175.215.236.223| 3220|
6|175.215.235.223| 80|175.215.236.223| 3219|
6|175.215.235.223| 80|175.215.236.223| 3218|
6|175.215.235.223| 80|175.215.236.223| 3221|
[REDACTED]
What is the record value (%) of the dport 53?
[REDACTED]
rwstats suspicious-flows.silk --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=10
INPUT: 11774 Records for 5713 Bins and 11774 Total Records
OUTPUT: Top 10 Bins by Records
[REDACTED]
What is the number of bytes transmitted by the top talker on the network?
[REDACTED]
ubuntu@ip-10-10-191-161:~/Desktop$ rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top
INPUT: 11774 Records for 8 Bins and 1412597 Total Bytes
OUTPUT: Top 10 Bins by Bytes
[REDACTED]
What is the sTime value of the first DNS record going to port 53?
[REDACTED]
ubuntu@ip-10-10-191-161:~/Desktop$ rwfilter suspicious-flows.silk --saddress=175.175.173.221 --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,stime | head -10
INPUT: 11774 Records for 9 Bins and 11774 Total Records
OUTPUT: Top 10 Bins by Records
[REDACTED]
What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )
[REDACTED]
Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )
[REDACTED]
What is the sent SYN packet's number of records?
[REDACTED]
ubuntu@ip-10-10-191-161:~/Desktop$ rwfilter suspicious-flows.silk --saddress=175.215.236.223 --pass=stdout | rwstats --fields=sIP,flag,dIP --count=10
[REDACTED]
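As an added example (not part of the room and not SiLK's own code), the script below parses rwcut's pipe-delimited text output and reproduces three of the rwstats summaries used in this room: the percentage of records per dPort, the top talker by bytes, and the per-source count of SYN-only TCP records that the flood question relies on. The flows are constructed sample data laid out in the same header format rwcut prints above.

```python
from collections import Counter

# Constructed sample in rwcut's pipe-delimited layout; values are made up.
SAMPLE_RWCUT = """\
            sIP|            dIP|sPort|dPort|pro|packets|  bytes|   flags|
175.215.235.223|175.215.236.223|   80| 3222|  6|      3|    180|   R A  |
175.215.236.223|175.215.235.223| 3222|   80|  6|      1|     44|    S   |
175.215.236.223|175.215.235.223| 3223|   80|  6|      1|     44|    S   |
175.215.236.223|175.215.235.223| 3224|   80|  6|      1|     44|    S   |
175.175.173.221|175.219.238.243|51124|   53| 17|      1|     67|        |
175.219.238.243|175.175.173.221|   53|51124| 17|      1|    120|        |
175.175.173.221|175.219.238.243|51125|   53| 17|      1|     67|        |
175.175.173.221|175.219.238.243| 3211| 8080|  6|      5|   2400| FS PA  |
"""
INT_FIELDS = ("sPort", "dPort", "pro", "packets", "bytes")

def parse_rwcut(text):
    """Turn rwcut output into dicts keyed by the header names; flags become a set."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, (c.strip() for c in line.rstrip("|").split("|"))))
        for k in INT_FIELDS:
            row[k] = int(row[k])
        # rwcut prints flags as spaced letters, e.g. "FS PA"; keep the letter set
        row["flags"] = frozenset(row["flags"].replace(" ", ""))
        rows.append(row)
    return rows

def dport_record_pct(rows):
    """%Records per dPort, like rwstats --fields=dPort --values=records."""
    counts = Counter(r["dPort"] for r in rows)
    return {p: round(100 * n / len(rows), 2) for p, n in counts.items()}

def top_talker_by_bytes(rows):
    """(sIP, bytes) of the biggest sender, like rwstats --fields=sIP --values=bytes."""
    totals = Counter()
    for r in rows:
        totals[r["sIP"]] += r["bytes"]
    return totals.most_common(1)[0]

def syn_only_records(rows):
    """Per-sIP count of TCP records whose flags are exactly SYN (half-open flood pattern)."""
    return Counter(r["sIP"] for r in rows if r["pro"] == 6 and r["flags"] == {"S"})

if __name__ == "__main__":
    flows = parse_rwcut(SAMPLE_RWCUT)
    print(dport_record_pct(flows), top_talker_by_bytes(flows), syn_only_records(flows))
```

On real data, feed it `rwcut --fields=sIP,dIP,sPort,dPort,pro,packets,bytes,flags` output (or output from an rwfilter pipeline) instead of the embedded sample.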