SiLK for Network Flow Monitoring
What is SiLK?
- SiLK (System for Internet-Level Knowledge) is an open-source software project from Carnegie Mellon.
- A single point to send all NetFlow data to.
- Can convert large volumes of packet data into flow records for analysis.
- Supports network behavioral analysis once the data is in numeric (flow) form.
- Well suited to networks that cannot collect full packets.
Commands to Work with a SiLK Repository
**Note:** commands are usually chained together with pipes.
- `rwfilter`: pulls data out of the repository and filters it.
- `rwcut`: selects fields from the filtered records and displays them or writes them to a file.
- `rwstats`: generates basic statistics (counts, top-N lists) on the data.
- `rwcount`: aggregates flows into time bins.
- `rwuniq`: bins flows by any combination of fields and counts the flows in each bin.
A Sample Command
`rwfilter --type=all --start-date='year-mm-dd:hh:mm:ss' --end-date='year-mm-dd:hh:mm:ss' --proto=0-255 --pass=stdout | rwcut --fields=<1-N or field names> --num-recs=10`
- `--type=all` (determines which repository files, by flow type, are used as the data source; `all` reads every type)
- `--start-date` (start date and time)
- `--end-date` (end date and time)
- `--proto=0-255` (the criterion to filter the data by, in this case protocol; designating 0-255 is one way to get data from all flows)
- `--pass=stdout` (options are pass or fail: pass sends the records that matched the filter to output for the next command; fail selects the records that did NOT match. Example: `--aport=53 --fail=stdout` would give you all flows that were NOT DNS flows.)
- `|` (pipe the output to the next tool)
- `rwcut` (a great tool to cut the data and show certain fields; examples below)
- `--fields` (select the fields to display, either a numeric range like `--fields=1-10` or separate names like `--fields=sip,sport,dip,dport`)
- `--num-recs` (the number of records to display; this is rwcut's switch for it, whereas rwstats uses `--count`)
- Looking for flows whose initial packet is a SYN without ACK and whose session flags include an ACK:
  `--flags-initial=S/SA --flags-session=A/A`
Real Examples you may use
Find flows related to TCP port 443:
`rwfilter --type=all --start-date='year-mm-dd:hh:mm:ss' --end-date='year-mm-dd:hh:mm:ss' --proto=6 --dport=443 --pass=stdout | rwcut --fields=sip,sport,dip,dport,bytes --no-columns`
Find flows that are not UDP 53 (`--fail` drops everything that matched UDP with 53 on either port and passes the rest):
`rwfilter --type=all --start-date=___ --end-date=___ --proto=17 --aport=53 --fail=stdout | rwcut --fields=sip,sport,dip,dport,bytes --no-columns`
Pass is our network, fail is things leaving the network: the first rwfilter passes flows sourced from 10.10.0.0/16, the second uses `--fail` to keep only those whose destination is outside it.
`rwfilter --type=all --start-date='year-mm-dd:hh:mm:ss' --end-date='year-mm-dd:hh:mm:ss' --scidr=10.10.0.0/16 --proto=6 --pass=stdout | rwfilter --input-pipe=stdin --dcidr=10.10.0.0/16 --fail=stdout | rwcut --fields=sip,sport,dip,dport,bytes --no-columns`
All flows for a given time
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --print-statistics`
TCP Flows
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=6 --print-statistics`
All Hosts connecting to port 60000
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=2018/10/31 --proto=6 --flags-initial=S/SA --dport=60000 --pass=stdout | rwstats --fields=sip --count=200`
Find all flows where SYN is present with or without ECN (the ECN bits are left out of the mask, so they may be set or clear)
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=6 --flags-all=S/SFRPAU --pass=stdout | rwcut --fields=sip,sport,dip,dport,packets,flags | head -21`
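The HIGH/MASK flag notation used by `--flags-initial=S/SA`, `--flags-session=A/A` and `--flags-all=S/SFRPAU` above is easy to misread, so here is an added Python model of it, run over constructed flow records. This is illustrative code written for this page, not SiLK's implementation; the `Flow` class, the `FLOWS` sample and the function names are this example's own.

```python
"""Added example: a model of rwfilter's HIGH/MASK TCP-flag notation, applied to
constructed flow records. Illustrative code for this page, not SiLK's own."""
from dataclasses import dataclass

# SiLK's one-letter flag names: F=FIN S=SYN R=RST P=PSH A=ACK U=URG E=ECE C=CWR
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}


def parse_flags(letters: str) -> int:
    """Convert a flag string such as 'SA' into a bitmask; unknown letters are an error."""
    bits = 0
    for ch in letters.strip().upper():
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def flags_match(record_flags: str, spec: str) -> bool:
    """Apply a HIGH/MASK spec to a record's flags.

    Only the bits named in MASK are examined: those also named in HIGH must be
    set, the remaining MASK bits must be clear, and bits outside MASK are
    ignored. So 'S/SA' means SYN set and ACK clear, whatever FIN/RST/PSH/... are.
    """
    if "/" not in spec:
        raise ValueError("expected HIGH/MASK form, e.g. S/SA")
    high, mask = spec.split("/", 1)
    high_bits, mask_bits = parse_flags(high), parse_flags(mask)
    if high_bits & ~mask_bits:
        raise ValueError(f"every HIGH flag must also appear in MASK: {spec!r}")
    return parse_flags(record_flags) & mask_bits == high_bits


@dataclass(frozen=True)
class Flow:
    sip: str
    dip: str
    dport: int
    initial_flags: str   # flags on the first packet (rwfilter --flags-initial)
    session_flags: str   # flags on the remaining packets (--flags-session)
    all_flags: str       # union over the whole flow (--flags-all)


# Constructed records (documentation-range addresses, not real traffic).
FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 443, "S", "PA", "SPA"),     # completed handshake
    Flow("192.0.2.11", "198.51.100.5", 22, "S", "", "S"),          # lone SYN, never answered
    Flow("192.0.2.12", "198.51.100.5", 80, "SEC", "", "SEC"),      # lone SYN carrying ECN bits
    Flow("198.51.100.5", "192.0.2.10", 51000, "SA", "PA", "SPA"),  # reply direction: SYN+ACK first
    Flow("192.0.2.13", "198.51.100.5", 443, "R", "", "R"),         # bare reset
]


def select(flows, initial=None, session=None, all_=None):
    """Keep flows satisfying every given HIGH/MASK spec, the way --flags-initial,
    --flags-session and --flags-all combine (all must hold) in one rwfilter."""
    kept = []
    for f in flows:
        if initial is not None and not flags_match(f.initial_flags, initial):
            continue
        if session is not None and not flags_match(f.session_flags, session):
            continue
        if all_ is not None and not flags_match(f.all_flags, all_):
            continue
        kept.append(f)
    return kept


if __name__ == "__main__":
    # --flags-initial=S/SA --flags-session=A/A : SYN-only first packet, ACK later
    for f in select(FLOWS, initial="S/SA", session="A/A"):
        print("handshake:", f.sip, "->", f.dip, f.dport)
    # --flags-all=S/SFRPAU : SYN present, with or without the ECN bits
    for f in select(FLOWS, all_="S/SFRPAU"):
        print("syn with or without ecn:", f.sip, f.all_flags)
```

Running it shows that `S/SA` plus `A/A` picks out only the completed handshake, while `S/SFRPAU` on the whole-flow flags picks out both lone SYNs, the plain one and the one with E and C set, because those two letters are absent from the mask and therefore ignored.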
Find all the records between two hosts (the second rwfilter reads the first one's output and additionally requires the other address).
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --any-address=172.28.30.5 --pass=stdout | rwfilter --input-pipe=stdin --any-address=192.225.158.2 --pass=stdout | rwcut --fields=sip,sport,dip,dport,packets,flags,protocol`
Top Talkers
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwstats --fields=sip --count=5`
Top Talkers from External Sources (`--fail` on `--scidr` keeps the flows whose source is outside 10.10.0.0/16)
`rwfilter --type=all --scidr=10.10.0.0/16 --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --fail=stdout | rwstats --fields=sip --count=5`
Top Talkers from Internal Sources
`rwfilter --type=all --scidr=10.10.0.0/16 --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwstats --fields=sip --count=5`
Top Talkers Source to Destination Port
Source IPs to what ports?
`rwfilter --type=all --scidr=10.10.0.0/16 --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwstats --fields=sip,dport --count=5`
Each distinct combination of the listed fields forms one bin; rwstats counts and ranks those bins.
Top Talkers Source Bytes
`rwfilter --type=all --scidr=10.10.0.0/16 --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwstats --fields=sip --bytes --count=5`
`--bytes` ranks the bins by bytes; the equivalent `--values=bytes` form accepts bytes, flows, or packets.
Sort Protocols by bytes
`rwfilter --type=all --scidr=10.10.0.0/16 --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwstats --fields=protocol --bytes --count=50`
Find All protocols in the data
`rwfilter --type=all --scidr=10.10.0.0/16 --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwuniq --fields=protocol`
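To make the pass/fail CIDR filtering and the rwstats/rwuniq binning in the examples above concrete, here is an added Python example that reproduces top-talker ranking, the internal/external split, the "leaving the network" two-stage filter and the per-protocol count over a handful of rows. It is not SiLK's code or output: the `SAMPLE_RWCUT` rows are constructed (documentation-range addresses) and merely laid out in the pipe-delimited shape of `rwcut --no-columns`, and the function names are this example's own.

```python
"""Added example: a model of rwfilter's --scidr/--dcidr pass/fail logic and of
rwstats/rwuniq binning, run over constructed rwcut-style rows. Illustrative code
for this page, not SiLK's own implementation."""
import ipaddress
from collections import defaultdict

# Constructed sample rows (documentation-range addresses, not real traffic), laid out
# the way `rwcut --fields=sip,sport,dip,dport,protocol,packets,bytes --no-columns`
# prints them: pipe-delimited, header line first, trailing delimiter on each row.
SAMPLE_RWCUT = """\
sIP|sPort|dIP|dPort|protocol|packets|bytes|
10.10.1.5|51234|192.0.2.10|443|6|20|4000|
10.10.1.5|51235|192.0.2.10|443|6|10|1500|
10.10.2.9|53412|192.0.2.53|53|17|1|80|
203.0.113.7|4444|10.10.1.5|22|6|5|600|
203.0.113.7|4445|10.10.1.6|22|6|5|600|
198.51.100.3|33001|10.10.9.1|80|6|30|9000|
"""

INTERNAL = "10.10.0.0/16"   # "our network" in the examples above


def parse_rwcut(text):
    """Turn pipe-delimited rwcut output into dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    records = []
    for ln in lines[1:]:
        rec = dict(zip(header, (c.strip() for c in ln.rstrip("|").split("|"))))
        rec["packets"] = int(rec["packets"])   # counters become numbers for summing
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


RECORDS = parse_rwcut(SAMPLE_RWCUT)


def cidr_filter(records, field, cidr, passing=True):
    """--scidr/--dcidr on `field` with --pass (passing=True) or --fail (passing=False)."""
    net = ipaddress.ip_network(cidr)
    return [r for r in records if (ipaddress.ip_address(r[field]) in net) == passing]


def bin_flows(records, fields):
    """One bin per distinct tuple of key fields, each holding flow/packet/byte totals."""
    bins = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for r in records:
        b = bins[tuple(r[f] for f in fields)]
        b["flows"] += 1
        b["packets"] += r["packets"]
        b["bytes"] += r["bytes"]
    return dict(bins)


def uniq(records, fields):
    """Like rwuniq --fields=...: every bin with its flow count, sorted by key."""
    return sorted((k, v["flows"]) for k, v in bin_flows(records, fields).items())


def top_n(records, fields, value="flows", count=5):
    """Like rwstats --fields=... --values=<value> --count=N: the N largest bins.
    Ties are broken by key here; rwstats's own tie order is not modelled."""
    ranked = sorted(bin_flows(records, fields).items(),
                    key=lambda kv: (-kv[1][value], kv[0]))
    return [(k, v[value]) for k, v in ranked[:count]]


def leaving_network(records, cidr=INTERNAL):
    """The two-stage filter above: source inside the network, destination outside it."""
    inside_src = cidr_filter(records, "sIP", cidr, passing=True)
    return cidr_filter(inside_src, "dIP", cidr, passing=False)


if __name__ == "__main__":
    print("top talkers by bytes:", top_n(RECORDS, ("sIP",), "bytes"))
    print("internal:", top_n(cidr_filter(RECORDS, "sIP", INTERNAL, True), ("sIP",), "bytes"))
    print("external:", top_n(cidr_filter(RECORDS, "sIP", INTERNAL, False), ("sIP",), "bytes"))
    print("sip -> dport:", top_n(RECORDS, ("sIP", "dPort"), "flows"))
    print("protocols:", uniq(RECORDS, ("protocol",)))
    print("flows leaving the network:", len(leaving_network(RECORDS)))
```

The `fields` tuple is the bin key, exactly as in `rwstats --fields=sip,dport`: adding a field splits the bins further, and switching `value` between flows, packets and bytes changes the ranking without changing the bins.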
How many flows are there between dates?
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --print-statistics`
How many TCP flows?
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=6 --print-statistics`
How many IP protocols?
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwuniq --fields=proto`
What is the port number that received the most connection attempts?
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=6 --flags-initial=S/SA --pass=stdout | rwstats --fields=dport --count=10`
Which host transferred the most bytes? (Top Talker)
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwstats --fields=sip --bytes --count=10`
How many different ports did a given source talk to, ranked by bytes?
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --saddress=172.16.60.32 --pass=stdout | rwstats --fields=dport --bytes --count=20`
What is the timestamp of the largest single flow?
`rwfilter --type=all --start-date=year-mm-dd:hh:mm:ss --end-date=year-mm-dd:hh:mm:ss --proto=0-255 --pass=stdout | rwstats --fields=stime,sip --bytes --count=5`