SiLK download
https://tools.netsa.cert.org/
LBNL-05 training data
https://tools.netsa.cert.org/silk/referencedata.html
Compile
#> make
#> make install      <- as root
rwcut
[chohi@www SiLK-LBNL-05]$ rwcut inweb/2005/01/06/iw-S0_20050106.20 | more
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|
 148.19.251.179|   128.3.148.48| 2497|   80|  6|        16|      2631|FS PA   |2005/01/06T20:01:54.119|    0.246|2005/01/06T20:01:54.365|  ?|
 148.19.251.179|   128.3.148.48| 2498|   80|  6|        14|      2159| S PA   |2005/01/06T20:01:54.160|    0.260|2005/01/06T20:01:54.420|  ?|
 148.19.251.179|   128.3.148.48| 2498|   80|  6|         2|        80|F   A   |2005/01/06T20:07:07.845|    0.003|2005/01/06T20:07:07.848|  ?|
  56.71.233.157|   128.3.148.48|48906|   80|  6|         5|       300| S      |2005/01/06T20:01:50.011|   45.003|2005/01/06T20:02:35.014|  ?|
   56.96.13.225|   128.3.148.48|50722|   80|  6|         6|       360| S      |2005/01/06T20:02:57.132|  272.990|2005/01/06T20:07:30.122|  ?|
   56.96.13.225|   128.3.148.48|50726|   80|  6|         6|       360| S      |2005/01/06T20:02:57.432|  272.990|2005/01/06T20:07:30.422|  ?|
  58.236.56.129|   128.3.148.48|32621|   80|  6|         3|       144| S      |2005/01/06T20:12:10.747|    9.747|2005/01/06T20:12:20.494|  ?|
   56.96.13.225|   128.3.148.48|54497|  443|  6|         6|       360| S      |2005/01/06T20:09:30.124|  272.989|2005/01/06T20:14:03.113|  ?|
   56.96.13.225|   128.3.148.48|54500|   80|  6|         6|       360| S      |2005/01/06T20:09:30.423|  272.990|2005/01/06T20:14:03.413|  ?|
https://tools.netsa.cert.org/silk/rwcut.html
Example of specifying the field order
[chohi@www SiLK-LBNL-05]$ rwcut --field=1-5 inweb/2005/01/06/iw-S0_20050106.20 | head -4
            sIP|            dIP|sPort|dPort|pro|
 148.19.251.179|   128.3.148.48| 2497|   80|  6|
 148.19.251.179|   128.3.148.48| 2498|   80|  6|
 148.19.251.179|   128.3.148.48| 2498|   80|  6|
The output order can be chosen freely, and column names can be used instead of numbers.
[chohi@www SiLK-LBNL-05]$ rwcut --field=5,1,2,3,4 inweb/2005/01/06/iw-S0_20050106.20 | head -4
pro|            sIP|            dIP|sPort|dPort|
  6| 148.19.251.179|   128.3.148.48| 2497|   80|
  6| 148.19.251.179|   128.3.148.48| 2498|   80|
  6| 148.19.251.179|   128.3.148.48| 2498|   80|
[chohi@www SiLK-LBNL-05]$ rwcut --field=sIP,dIP,proto inweb/2005/01/06/iw-S0_20050106.20 | head -4
            sIP|            dIP|pro|
 148.19.251.179|   128.3.148.48|  6|
 148.19.251.179|   128.3.148.48|  6|
 148.19.251.179|   128.3.148.48|  6|
Printing a specified range of records
[chohi@www SiLK-LBNL-05]$ rwcut --field=1-9 inweb/2005/01/06/iw-S0_20050106.20 --start-rec-num=3 --end-rec-num=5
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime|
 148.19.251.179|   128.3.148.48| 2498|   80|  6|         2|        80|F   A   |2005/01/06T20:07:07.845|
  56.71.233.157|   128.3.148.48|48906|   80|  6|         5|       300| S      |2005/01/06T20:01:50.011|
   56.96.13.225|   128.3.148.48|50722|   80|  6|         6|       360| S      |2005/01/06T20:02:57.132|
rwfilter
[chohi@www SiLK-LBNL-05]$ rwfilter --dport=80 inweb/2005/01/06/iw-S0_20050106.20 --pass=stdout | rwcut --field=1-9 --num-recs=5
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime|
 148.19.251.179|   128.3.148.48| 2497|   80|  6|        16|      2631|FS PA   |2005/01/06T20:01:54.119|
 148.19.251.179|   128.3.148.48| 2498|   80|  6|        14|      2159| S PA   |2005/01/06T20:01:54.160|
 148.19.251.179|   128.3.148.48| 2498|   80|  6|         2|        80|F   A   |2005/01/06T20:07:07.845|
  56.71.233.157|   128.3.148.48|48906|   80|  6|         5|       300| S      |2005/01/06T20:01:50.011|
   56.96.13.225|   128.3.148.48|50722|   80|  6|         6|       360| S      |2005/01/06T20:02:57.132|
[chohi@www SiLK-LBNL-05]$ rwfilter --dport=4350-4360 inweb/2005/01/06/iw-S0_20050106.20 --pass=stdout | rwcut --field=1-9
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime|
 218.131.115.42| 131.243.105.35|   80| 4360|  6|         2|        80|F   A   |2005/01/06T20:24:21.879|
  148.19.96.160|131.243.107.239|   80| 4350|  6|        27|     35445|FS PA   |2005/01/06T20:59:42.451|
  148.19.96.160|131.243.107.239|   80| 4352|  6|         4|       709|FS PA   |2005/01/06T20:59:42.507|
  148.19.96.160|131.243.107.239|   80| 4351|  6|        15|     16938|FS PA   |2005/01/06T20:59:42.501|
  148.19.96.160|131.243.107.239|   80| 4353|  6|         4|       704|FS PA   |2005/01/06T20:59:42.544|
  148.19.96.160|131.243.107.239|   80| 4354|  6|        21|     27071|FS PA   |2005/01/06T20:59:46.729|
  148.19.96.160|131.243.107.239|   80| 4355|  6|         7|      7588| S  A   |2005/01/06T20:59:46.801|
  148.19.96.160|131.243.107.239|   80| 4355|  6|         5|      7500|   PA   |2005/01/06T20:59:46.819|
  148.19.96.160|131.243.107.239|   80| 4356|  6|         4|       709|FS PA   |2005/01/06T20:59:46.814|
  148.19.96.160|131.243.107.239|   80| 4357|  6|         4|       704|FS PA   |2005/01/06T20:59:46.845|
  148.19.96.160|131.243.107.239|   80| 4358|  6|        21|     26044|FS PA   |2005/01/06T20:59:57.905|
  148.19.96.160|131.243.107.239|   80| 4359|  6|        10|      9188|FS PA   |2005/01/06T20:59:58.001|
  148.19.96.160|131.243.107.239|   80| 4360|  6|        15|     16938|FS PA   |2005/01/06T20:59:58.041|
  148.19.96.160|131.243.107.239|   80| 4352|  6|         1|        40|    A   |2005/01/06T20:59:42.516|
  148.19.96.160|131.243.107.239|   80| 4353|  6|         1|        40|    A   |2005/01/06T20:59:42.552|
  148.19.96.160|131.243.107.239|   80| 4356|  6|         1|        40|    A   |2005/01/06T20:59:46.823|
  148.19.96.160|131.243.107.239|   80| 4357|  6|         1|        40|    A   |2005/01/06T20:59:46.852|
TCP flags
Char | Flag | Note |
F    | FIN  |      |
S    | SYN  |      |
R    | RST  |      |
P    | PSH  |      |
A    | ACK  |      |
U    | URG  |      |
E    | ECE  |      |
C    | CWR  |      |
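As an added example (not from the original page), a Python parser for the pipe-delimited rwcut output listed above that decodes the flags column with the table just given and counts, per source IP, the TCP flows that carried nothing but a SYN. The sample rows are constructed from the page's own listing; the function names are mine.

```python
from collections import defaultdict

# Constructed sample, copied from the page's rwcut listing (default column layout:
# sIP|dIP|sPort|dPort|pro|packets|bytes|flags|sTime|duration|eTime|sen).
RWCUT_SAMPLE = """\
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|
 148.19.251.179|   128.3.148.48| 2497|   80|  6|        16|      2631|FS PA   |2005/01/06T20:01:54.119|    0.246|2005/01/06T20:01:54.365|  ?|
 148.19.251.179|   128.3.148.48| 2498|   80|  6|        14|      2159| S PA   |2005/01/06T20:01:54.160|    0.260|2005/01/06T20:01:54.420|  ?|
  56.71.233.157|   128.3.148.48|48906|   80|  6|         5|       300| S      |2005/01/06T20:01:50.011|   45.003|2005/01/06T20:02:35.014|  ?|
   56.96.13.225|   128.3.148.48|50722|   80|  6|         6|       360| S      |2005/01/06T20:02:57.132|  272.990|2005/01/06T20:07:30.122|  ?|
   56.96.13.225|   128.3.148.48|54497|  443|  6|         6|       360| S      |2005/01/06T20:09:30.124|  272.989|2005/01/06T20:14:03.113|  ?|
"""

# One-letter codes rwcut prints in the flags column (the page's TCP flag table).
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
              "A": "ACK", "U": "URG", "E": "ECE", "C": "CWR"}
INT_FIELDS = ("sPort", "dPort", "pro", "packets", "bytes")

def parse_flags(cell):
    """Turn a flags cell such as 'FS PA' into the set {'FIN', 'SYN', 'PSH', 'ACK'}."""
    return {FLAG_NAMES[c] for c in cell if c in FLAG_NAMES}

def parse_rwcut(text):
    """Parse pipe-delimited rwcut output into a list of dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].strip().strip("|").split("|")]
    records = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.strip().strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError("column count mismatch: %r" % ln)
        rec = dict(zip(header, cells))
        for name in INT_FIELDS:          # numeric columns become ints
            rec[name] = int(rec[name])
        rec["duration"] = float(rec["duration"])
        records.append(rec)
    return records

def syn_only_by_source(records):
    """Count TCP flows that never got past SYN (no ACK, FIN or RST seen), per source IP.
    Repeated SYN-only flows from one source are the rows an analyst reviews next."""
    counts = defaultdict(int)
    for rec in records:
        if rec["pro"] == 6 and parse_flags(rec["flags"]) == {"SYN"}:
            counts[rec["sIP"]] += 1
    return dict(counts)
```

On the sample, 56.96.13.225 shows two SYN-only flows of six packets each lasting about 273 seconds, which is the retransmit pattern of connection attempts that were never answered.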
Printing summarized traffic statistics
[chohi@www SiLK-LBNL-05]$ rwfilter --print-volume-stat in/2005/01/07/in-S0_20050107.01 --proto=0-255
     |      Recs|   Packets|     Bytes| Files|
Total|      2019|   2730488| 402105501|     1|
Pass |      2019|   2730488| 402105501|      |
Fail |         0|         0|         0|      |
[chohi@www SiLK-LBNL-05]$ rwfilter --print-stat in/2005/01/07/in-S0_20050107.01 --proto=0-255
Files 1. Read 2019. Pass 2019. Fail 0.
rwfileinfo
[chohi@www SiLK-LBNL-05]$ rwfileinfo in/2005/01/07/in-S0_20050107.01
in/2005/01/07/in-S0_20050107.01:
  format(id)          FT_RWAUGMENTED(0x14)
  version             2
  byte-order          littleEndian
  compression(id)     none(0)
  header-length       28
  record-length       28
  record-version      2
  silk-version        0
  count-records       2019
  file-size           56560
  packed-file-info    2005/01/07T01:00:00Z ? ?
rwcount (load scheme)
[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --all=stdout | rwcount --bin-size=1800
               Date|     Records|          Bytes|     Packets|
2005/01/07T01:00:00|      257.58|    42827381.72|   248724.14|
2005/01/07T01:30:00|     1589.61|   211453506.60|  1438751.93|
2005/01/07T02:00:00|      171.81|   147824612.67|  1043011.93|
rwset and IP sets
[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --all=stdout | rwset --sip-file=sip.set --dip-file=dip.set
[chohi@www SiLK-LBNL-05]$ ls -al *.set
-rw-rw-r-- 1 chohi chohi   642  7월  6 09:18 dip.set
-rw-rw-r-- 1 chohi chohi 15150  7월  6 09:18 sip.set
[chohi@www SiLK-LBNL-05]$ rwsetcat sip.set | head -5
0.0.0.0
32.16.40.178
32.24.41.181
32.24.215.49
32.30.13.177
[chohi@www SiLK-LBNL-05]$ rwfileinfo sip.set
sip.set:
  format(id)          FT_IPSET(0x1d)
  version             16
  byte-order          littleEndian
  compression(id)     none(0)
  header-length       138
  record-length       1
  record-version      2
  silk-version        3.17.2
  count-records       15012
  file-size           15150
  command-lines
                   1  rwfilter --all=stdout in/2005/01/07/in-S0_20050107.01
                   2  rwset --sip-file=sip.set --dip-file=dip.set
[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --pass=stdout --aport=123 | rwcut | head -5
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|
    56.7.90.229|   128.3.23.152|  123|  123| 17|         1|        76|        |2005/01/07T01:10:00.603|    0.000|2005/01/07T01:10:00.603|  ?|
  192.41.221.11|   128.3.23.152|  123|  123| 17|         1|        76|        |2005/01/07T01:10:15.519|    0.000|2005/01/07T01:10:15.519|  ?|
 87.221.134.185|   128.3.23.231|  123|  123| 17|         1|        76|        |2005/01/07T01:24:46.256|    0.000|2005/01/07T01:24:46.256|  ?|
  137.230.203.1|    128.3.63.40|  123|  123| 17|         1|        76|        |2005/01/07T01:24:51.587|    0.000|2005/01/07T01:24:51.587|  ?|
[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --aport=123 --print-stat
Files 1. Read 2019. Pass 52. Fail 1967.
[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --all=stdout | rwuniq --field=sip,proto | head -4
            sIP|pro|   Records|
 35.223.112.236|  1|         1|
211.210.215.142|  6|         1|
151.151.237.231| 17|         4|
rwbag
[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --all=stdout | rwbag --sip-bytes=sip_bytes.bag
[chohi@www SiLK-LBNL-05]$ rwbagcat sip_bytes.bag | head -5
        0.0.0.0|                 328|
   32.16.40.178|                 480|
   32.24.41.181|                  39|
   32.24.215.49|                  39|
   32.30.13.177|                  39|
Advanced SiLK features
pmaps
[chohi@www SiLK-LBNL-05]$ cat reserver.txt
##
#
label 0 1918-reserved
label 1 multicast
label 2 future
label 3 normal
#
#
#
mode ip
#
#
default normal
#map
192.168.0.0/16   1918-reserved
10.0.0.0/8       1918-reserved
172.16.0.0/12    1918-reserved
224.0.0.0/4      multicast
224.0.0.0/4      future
[chohi@www SiLK-LBNL-05]$ rwpmapbuild --input-file reserver.txt --output-file reserve.pmap
[chohi@www SiLK-LBNL-05]$ ls -al re*.*
-rw-rw-r-- 1 chohi chohi 415  7월  8 17:15 reserve.pmap
-rw-rw-r-- 1 chohi chohi 241  7월  8 17:15 reserver.txt
[chohi@www SiLK-LBNL-05]$ rwcut --pmap-file=reserve:reserve.pmap --fields=1-4,src-reserve,dst-reserve traceroute.rwf | head -5
rwcut: Error opening file 'traceroute.rwf': No such file or directory
There is no traceroute.rwf file, so I'm skipping this for now. It's an error.
Moving on without being able to use the advanced features.
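Since the rwcut --pmap-file step could not run above, this added example (mine, not code from the page or the SiLK project) reimplements the lookup in Python: it parses the label/mode/default/prefix lines of reserver.txt and resolves an address to a label by longest-prefix match, which is my assumption about how overlapping ranges should resolve. The constructed copy of the file drops the page's repeated 224.0.0.0/4 line, and the function names are mine.

```python
import ipaddress

# Constructed copy of the page's reserver.txt. The original repeats 224.0.0.0/4 with the
# label "future"; that duplicate is omitted here, since one exact range cannot carry two labels.
PMAP_SOURCE = """\
# labels
label 0 1918-reserved
label 1 multicast
label 2 future
label 3 normal
mode ip
default normal
192.168.0.0/16   1918-reserved
10.0.0.0/8       1918-reserved
172.16.0.0/12    1918-reserved
224.0.0.0/4      multicast
"""

def parse_pmap_source(text):
    """Parse rwpmapbuild-style input: 'label N name', 'mode ip', 'default name' and
    'prefix name' lines; '#' starts a comment. Returns (labels, default, entries)."""
    labels, default, entries = {}, None, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "label":
            labels[int(parts[1])] = parts[2]
        elif parts[0] == "mode":
            if parts[1] != "ip":
                raise ValueError("only 'mode ip' is handled by this example")
        elif parts[0] == "default":
            default = parts[1]
        else:
            entries.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return labels, default, entries

def pmap_lookup(pmap, ip):
    """Resolve one address to a label by longest-prefix match (assumption: this is how
    overlapping ranges should resolve); unmatched addresses get the default label."""
    _labels, default, entries = pmap
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, label) for net, label in entries if addr in net]
    return max(matches)[1] if matches else default

def label_flow(pmap, sip, dip):
    """What the src-reserve/dst-reserve columns would show for one flow record."""
    return pmap_lookup(pmap, sip), pmap_lookup(pmap, dip)
```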
Collecting SiLK data
Installing YAF
https://tools.netsa.cert.org/yaf/download.html
configure error
[chohi@www yaf-2.10.0]$ ./configure
...
checking for GLIB - version >= 2.4.7... no
*** Could not run GLIB test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GLIB is incorrectly installed.
configure: error: Cannot find a suitable glib2 (>= 2.4.7)
Check the installed glib2 version, then install the development dependency.
[root@www yaf-2.10.0]# rpm -qa | grep glib2
glib2-2.54.2-2.el7.x86_64
[root@www yaf-2.10.0]# yum install glib2-devel
configure: error: Cannot find a suitable libfixbuf (>= 2.0.0) (Try setting PKG_CONFIG_PATH):
No package 'libfixbuf' found
No package 'libfixbuf' found
libfixbuf download
https://tools.netsa.cert.org/fixbuf/download.html
Installing libfixbuf
[root@www libfixbuf-1.8.0]# ./configure
[root@www libfixbuf-1.8.0]# make
[root@www libfixbuf-1.8.0]# make install
Installing the PCAP library
yum install libpcap-devel
Continuing the YAF installation
[root@www yaf-2.10.0]# ./configure
[root@www yaf-2.10.0]# make
[root@www yaf-2.10.0]# make install
[root@www yaf-2.10.0]# which yaf
/usr/local/bin/yaf
Usage reference
https://tools.netsa.cert.org/yaf/yaf.html
Configuring YAF with SiLK
https://tools.netsa.cert.org/yaf/libyaf/yaf_silk.html
In progress.