Network Analysis with isilk

Transcription

1 Network Analysis with isilk Presented at FloCon 2011 Ron Bandes CERT Network Situational Awareness (NetSA) Group 2011 Carnegie Mellon University

2 2011 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at This work was created in the performance of Federal Government Contract Number FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at CERT is a registered mark owned by Carnegie Mellon University. 2

3 Overview Network Monitoring Packets and Flows Collection, Packing, Repository, and Analysis SiLK vs. isilk Live CD (OK, it s a DVD) Starting isilk and running a query Demo: Query, summarize, refine query, summarize, report Lab 3

4 What is isilk? It is a graphical front-end for SiLK, the System for Internet Level Knowledge flow analysis tool 4

5 Network Monitoring Internet Other internetwork Monitored Network 5

6 Network Monitoring Internet Other internetwork sensor sensor sensor sensor 6

7 Network Monitoring Internet Other internetwork sensor sensor SiLK repository sensor sensor 7

8 Network Monitoring Internet Other internetwork sensor sensor SiLK repository sensor sensor isilk 8

9 Packet Encapsulation Ethernet frame Dest MAC address Source MAC addr Type of packet IP datagram Src IP address Dst IP address Type of segment TCP/UDP/ICMP segment Src port Dest port Application layer message (HTTP, SMTP, DNS) 9

10 Flows

11 Some Terms SiLK: A traffic analysis tool which processes flow data. Flow: the collection of packets travelling in the same direction in a TCP or UDP connection. Flow Record: a single record containing summary information for a flow. Flow Repository: a tree structure of flat files containing flow records. 11

12 Collection, Packing, and Analysis Collection of flow data Examines packets and summarizes into standard flow records Timeout and payload-size values are established during collection Packing stores flow records in a scheme optimized for space and ease of analysis Analysis of flow data Investigation of flow records using SiLK tools 12

13 Collection tcpdump YAF IPFIX PCAP 13

14 Packing IPFIX rwflowpack SiLK SiLK repository SiLK repository repository 14

15 SiLK RootDir Repository Sensor1 Sensor2 silk.conf in inweb innull out outweb outnull year month day type-sensor_yyyymmdd.hh in-sen1_ hour 15

16 Analysis SiLK SiLK repository SiLK repository repository Raw (binary) flow records in a file SiLK tool chain Raw (binary) flow records in a file Text output 16

17 Reporting Text output UNIX text tools (sort, cut, ) Text output Visualization tools (gnuplot, Rayon, Excel) 17

18 Why use isilk? It helps me to choose SiLK tools Toolbar buttons allow quick perusal of tools It lets me avoid SiLK tool syntax Menus & other GUI elements show my choices It lets me avoid Linux command syntax and file names isilk organizes my data sets and results It has an integrated graphing capability 18

19 What won t isilk do? isilk won t replace my need to understand what s in flow data I still need to understand what patterns in flow data represent the traffic situations that I m looking for 19

20 SiLK environment Flow Repository Terminal window SiLK on Linux system 20

21 isilk environment isilk on Windows system (or Mac or Linux) SSH SiLK on Linux system Flow Repository 21

22 Setting up isilk on the Live CD Open Applications System Tools Terminal echo "export SILK_DATA_ROOTDIR=/data/SiLK-LBNL-05" >>.bashrc On the desktop, open Applications Programming isilk isilk Configuration: Remote_Host: localhost (default) Remote_Port: 22 (default) Remote_User: liveuser RSH_Key: /home/liveuser/.ssh/id_rsa Rmt_Output: isilk-output Rmt_Library: isilk-libs 22

23 First Screen Problem Sets 23

24 Main Screen 24

25 Query Builder 25

26 Query Builder more filter options 26

27 Demonstration 27

28 28

29 29

30 30

31 31

32 32

33 33

34 34

35 35

36 36

37 37

38 38

39 39

40 40

41 41

42 42

43 43

44 44

45 45

46 46

47 47

48 48

49 49

50 50

51 51

52 52

53 53

54 54

55 55

56 56

57 57

58 58

59 59

60 60

61 61

62 62

63 Labs 63

64 Questions? 64

65 Contact Information Ron Bandes, Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 65