Network Analysis with isilk


Network Analysis with isilk
Presented at FloCon 2011
Ron Bandes, CERT Network Situational Awareness (NetSA) Group
2011 Carnegie Mellon University

2011 Carnegie Mellon University. NO WARRANTY. THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. CERT is a registered mark owned by Carnegie Mellon University. (slide 2)

Overview (slide 3)
- Network Monitoring
- Packets and Flows
- Collection, Packing, Repository, and Analysis
- SiLK vs. isilk
- Live CD (OK, it's a DVD)
- Starting isilk and running a query
- Demo: query, summarize, refine query, summarize, report
- Lab

What is isilk? (slide 4)
It is a graphical front-end for SiLK, the System for Internet-Level Knowledge flow analysis tool.

Network Monitoring (slides 5-8, one diagram built up over four slides)
The monitored network sits between the Internet and another internetwork (slide 5). Sensors (four in the diagram) are added to the monitored network (slide 6). The sensors feed a SiLK repository (slide 7). Finally isilk is attached to the repository (slide 8).

Packet Encapsulation (slide 9, diagram)
- Ethernet frame: destination MAC address, source MAC address, type of packet
  - IP datagram: source IP address, destination IP address, type of segment
    - TCP/UDP/ICMP segment: source port, destination port
      - Application-layer message (HTTP, SMTP, DNS)

Flows (slide 10, diagram only; all that survives are the packet numbers 1, 3, 8, 9, 4, 2)

Some Terms (slide 11)
- SiLK: a traffic analysis tool that processes flow data.
- Flow: the collection of packets travelling in the same direction in a TCP or UDP connection.
- Flow Record: a single record containing summary information for a flow.
- Flow Repository: a tree structure of flat files containing flow records.

Collection, Packing, and Analysis (slide 12)
- Collection of flow data: examines packets and summarizes them into standard flow records. Timeout and payload-size values are established during collection.
- Packing: stores flow records in a scheme optimized for space and ease of analysis.
- Analysis of flow data: investigation of flow records using SiLK tools.
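To make the two preceding slides concrete (a flow is the packets going one way in a connection; collection summarizes packets into flow records under timeouts fixed at collection time), here is an added example, written for this page and not taken from the slides or from SiLK or YAF: a small summarizer that groups packets by 5-tuple and closes a record on an idle or active timeout. The timeout values, the field names and the sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass

# Timeouts are fixed at collection time (slide 12); these two values are assumed.
IDLE_TIMEOUT = 30.0      # seconds with no packet before the flow is closed
ACTIVE_TIMEOUT = 1800.0  # longest span one flow record may cover

@dataclass
class FlowRecord:
    """Summary of one unidirectional flow: the slide's 'Flow Record'."""
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    stime: float
    etime: float
    packets: int = 0
    nbytes: int = 0

def summarize(packets, idle_timeout=IDLE_TIMEOUT, active_timeout=ACTIVE_TIMEOUT):
    """Group (time, sip, dip, sport, dport, proto, length) packets by direction (5-tuple)
    into flow records; a gap > idle_timeout or an age > active_timeout closes a record."""
    active = {}   # 5-tuple -> record still open
    closed = []
    for ts, sip, dip, sport, dport, proto, length in sorted(packets):
        key = (sip, dip, sport, dport, proto)
        rec = active.get(key)
        if rec is not None and (ts - rec.etime > idle_timeout or ts - rec.stime > active_timeout):
            closed.append(active.pop(key))   # timed out: emit it and start a new record
            rec = None
        if rec is None:
            rec = active[key] = FlowRecord(*key, stime=ts, etime=ts)
        rec.etime = ts
        rec.packets += 1
        rec.nbytes += length
    closed.extend(active.values())   # flush records still open at end of capture
    return sorted(closed, key=lambda r: r.stime)

# Constructed sample: one HTTP connection, then a request after a 45 s silence.
PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 60),    # SYN
    (0.1, "192.0.2.10", "10.0.0.5", 80, 40000, 6, 60),    # SYN/ACK
    (0.2, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 52),    # ACK
    (0.3, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 500),   # request
    (0.5, "192.0.2.10", "10.0.0.5", 80, 40000, 6, 1500),  # response
    (0.6, "192.0.2.10", "10.0.0.5", 80, 40000, 6, 1500),
    (45.0, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 400),  # idle > 30 s: new record
]
```

`summarize(PACKETS)` yields three records: the client-to-server and server-to-client halves of the connection, plus a separate client-to-server record for the packet that arrived after the idle timeout; raising `idle_timeout` to 60 merges that packet back into the first record.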

Collection (slide 13, diagram): tcpdump, PCAP, YAF, IPFIX. Packet capture (tcpdump writing PCAP) is turned by YAF into IPFIX flow records.

Packing (slide 14, diagram): IPFIX records are read by rwflowpack and written into the SiLK repository.

SiLK Repository (slide 15, diagram of the RootDir layout)
  RootDir/
    silk.conf                                   (configuration; sensors such as Sensor1, Sensor2 are defined here)
    in/ inweb/ innull/ out/ outweb/ outnull/    (one directory per flow type)
      year/month/day/                           (one directory per day)
        type-sensor_yyyymmdd.hh                 (one file per hour, e.g. in-sen1_20091231.23)
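As an added example of the repository layout on this slide (written for this page; not code from the slides or the SiLK distribution): build and parse hourly file paths under the layout RootDir/type/year/month/day/type-sensor_yyyymmdd.hh, and list the files a query over a time window has to read. The type names and the `in-sen1_20091231.23` example come from the slide; the function names and the assumption that the layout is exactly as drawn are mine.

```python
import re
from datetime import datetime, timedelta
from pathlib import PurePosixPath

TYPES = ("in", "inweb", "innull", "out", "outweb", "outnull")   # flow types listed on the slide
FILE_RE = re.compile(r"^(?P<type>[a-z]+)-(?P<sensor>[^_/]+)_(?P<day>\d{8})\.(?P<hour>\d{2})$")

def hourly_file(rootdir, ftype, sensor, when):
    """Path of the hourly file for records of `ftype` from `sensor` that start in `when`'s hour.
    Assumed layout (as drawn on the slide): ROOTDIR/type/year/month/day/type-sensor_yyyymmdd.hh"""
    if ftype not in TYPES:
        raise ValueError(f"unknown flow type {ftype!r}")
    return PurePosixPath(rootdir, ftype, f"{when:%Y}", f"{when:%m}", f"{when:%d}",
                         f"{ftype}-{sensor}_{when:%Y%m%d}.{when:%H}")

def parse_file(path):
    """Recover (type, sensor, hour start) from a repository file name; None if it is not one."""
    m = FILE_RE.match(PurePosixPath(path).name)
    if m is None or m["type"] not in TYPES:
        return None
    try:
        hour = datetime.strptime(m["day"] + m["hour"], "%Y%m%d%H")
    except ValueError:          # e.g. month 13 or hour 25: looks like a file name but is not a valid one
        return None
    return m["type"], m["sensor"], hour

def files_for_query(rootdir, types, sensors, start, end):
    """Every hourly file a query over [start, end] must open: one per type, sensor and hour.
    A time-window query selects files by name this way before reading any record."""
    hour = start.replace(minute=0, second=0, microsecond=0)
    paths = []
    while hour <= end:
        for t in types:
            for s in sensors:
                paths.append(str(hourly_file(rootdir, t, s, hour)))
        hour += timedelta(hours=1)
    return paths
```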

Analysis (slide 16, diagram): the SiLK tool chain reads from the SiLK repository; raw (binary) flow records in a file pass into and out of the chain, and the final step produces text output.

Reporting (slide 17, diagram): text output is fed either to UNIX text tools (sort, cut, ...) or to visualization tools (gnuplot, Rayon, Excel).

Why use isilk? (slide 18)
- It helps me to choose SiLK tools: toolbar buttons allow quick perusal of tools.
- It lets me avoid SiLK tool syntax: menus and other GUI elements show my choices.
- It lets me avoid Linux command syntax and file names: isilk organizes my data sets and results.
- It has an integrated graphing capability.

What won't isilk do? (slide 19)
isilk won't replace my need to understand what's in flow data. I still need to understand what patterns in flow data represent the traffic situations that I'm looking for.

SiLK environment (slide 20, diagram): SiLK on a Linux system, driven from a terminal window, with the flow repository on that system.

isilk environment (slide 21, diagram): isilk on a Windows system (or Mac or Linux) connects over SSH to SiLK on a Linux system, where the flow repository lives.

Setting up isilk on the Live CD (slide 22)
1. Open Applications > System Tools > Terminal and run:
   echo "export SILK_DATA_ROOTDIR=/data/SiLK-LBNL-05" >> .bashrc
2. On the desktop, open Applications > Programming > isilk.
3. isilk Configuration:
   Remote_Host: localhost (default)
   Remote_Port: 22 (default)
   Remote_User: liveuser
   RSH_Key: /home/liveuser/.ssh/id_rsa
   Rmt_Output: isilk-output
   Rmt_Library: isilk-libs

First Screen: Problem Sets (slide 23, screenshot)

Main Screen (slide 24, screenshot)

Query Builder (slide 25, screenshot)

Query Builder: more filter options (slide 26, screenshot)

Demonstration (slide 27; slides 28-62 are demo screenshots with no text)


Labs (slide 63)

Questions? (slide 64)

Contact Information (slide 65)
Ron Bandes, rbandes@cert.org
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA