SiLK (the System for Internet-Level Knowledge): a follow-along walkthrough

Download SiLK

https://tools.netsa.cert.org/

LBNL-05 training data

https://tools.netsa.cert.org/silk/referencedata.html

Compile

#> make
#> make install    (run as root)

rwcut

[chohi@www SiLK-LBNL-05]$ rwcut inweb/2005/01/06/iw-S0_20050106.20 | more
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime|sen|
148.19.251.179| 128.3.148.48| 2497| 80| 6| 16| 2631|FS PA |2005/01/06T20:01:54.119| 0.246|2005/01/06T20:01:54.365| ?|
148.19.251.179| 128.3.148.48| 2498| 80| 6| 14| 2159| S PA |2005/01/06T20:01:54.160| 0.260|2005/01/06T20:01:54.420| ?|
148.19.251.179| 128.3.148.48| 2498| 80| 6| 2| 80|F A |2005/01/06T20:07:07.845| 0.003|2005/01/06T20:07:07.848| ?|
56.71.233.157| 128.3.148.48|48906| 80| 6| 5| 300| S |2005/01/06T20:01:50.011| 45.003|2005/01/06T20:02:35.014| ?|
56.96.13.225| 128.3.148.48|50722| 80| 6| 6| 360| S |2005/01/06T20:02:57.132| 272.990|2005/01/06T20:07:30.122| ?|
56.96.13.225| 128.3.148.48|50726| 80| 6| 6| 360| S |2005/01/06T20:02:57.432| 272.990|2005/01/06T20:07:30.422| ?|
58.236.56.129| 128.3.148.48|32621| 80| 6| 3| 144| S |2005/01/06T20:12:10.747| 9.747|2005/01/06T20:12:20.494| ?|
56.96.13.225| 128.3.148.48|54497| 443| 6| 6| 360| S |2005/01/06T20:09:30.124| 272.989|2005/01/06T20:14:03.113| ?|
56.96.13.225| 128.3.148.48|54500| 80| 6| 6| 360| S |2005/01/06T20:09:30.423| 272.990|2005/01/06T20:14:03.413| ?|

https://tools.netsa.cert.org/silk/rwcut.html

Example: selecting fields

[chohi@www SiLK-LBNL-05]$ rwcut --field=1-5 inweb/2005/01/06/iw-S0_20050106.20 | head -4
sIP| dIP|sPort|dPort|pro|
148.19.251.179| 128.3.148.48| 2497| 80| 6|
148.19.251.179| 128.3.148.48| 2498| 80| 6|
148.19.251.179| 128.3.148.48| 2498| 80| 6|

Both the output order and the field names can be chosen. The real switch is --fields; SiLK accepts --field as an unambiguous abbreviation, which is why the shorter form works throughout this page.

[chohi@www SiLK-LBNL-05]$ rwcut --field=5,1,2,3,4 inweb/2005/01/06/iw-S0_20050106.20 | head -4 
pro| sIP| dIP|sPort|dPort|
6| 148.19.251.179| 128.3.148.48| 2497| 80|
6| 148.19.251.179| 128.3.148.48| 2498| 80|
6| 148.19.251.179| 128.3.148.48| 2498| 80|
[chohi@www SiLK-LBNL-05]$ rwcut --field=sIP,dIP,proto inweb/2005/01/06/iw-S0_20050106.20 | head -4 
sIP| dIP|pro|
148.19.251.179| 128.3.148.48| 6|
148.19.251.179| 128.3.148.48| 6|
148.19.251.179| 128.3.148.48| 6|

Printing a specified range of records

[chohi@www SiLK-LBNL-05]$ rwcut --field=1-9 inweb/2005/01/06/iw-S0_20050106.20 --start-rec-num=3 --end-rec-num=5
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime|
148.19.251.179| 128.3.148.48| 2498| 80| 6| 2| 80|F A |2005/01/06T20:07:07.845|
56.71.233.157| 128.3.148.48|48906| 80| 6| 5| 300| S |2005/01/06T20:01:50.011|
56.96.13.225| 128.3.148.48|50722| 80| 6| 6| 360| S |2005/01/06T20:02:57.132|

rwfilter

[chohi@www SiLK-LBNL-05]$ rwfilter --dport=80 inweb/2005/01/06/iw-S0_20050106.20 --pass=stdout | rwcut --field=1-9 --num-recs=5
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime|
148.19.251.179| 128.3.148.48| 2497| 80| 6| 16| 2631|FS PA |2005/01/06T20:01:54.119|
148.19.251.179| 128.3.148.48| 2498| 80| 6| 14| 2159| S PA |2005/01/06T20:01:54.160|
148.19.251.179| 128.3.148.48| 2498| 80| 6| 2| 80|F A |2005/01/06T20:07:07.845|
56.71.233.157| 128.3.148.48|48906| 80| 6| 5| 300| S |2005/01/06T20:01:50.011|
56.96.13.225| 128.3.148.48|50722| 80| 6| 6| 360| S |2005/01/06T20:02:57.132|

[chohi@www SiLK-LBNL-05]$ rwfilter --dport=4350-4360 inweb/2005/01/06/iw-S0_20050106.20 --pass=stdout | rwcut --field=1-9 
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime|
218.131.115.42| 131.243.105.35| 80| 4360| 6| 2| 80|F A |2005/01/06T20:24:21.879|
148.19.96.160|131.243.107.239| 80| 4350| 6| 27| 35445|FS PA |2005/01/06T20:59:42.451|
148.19.96.160|131.243.107.239| 80| 4352| 6| 4| 709|FS PA |2005/01/06T20:59:42.507|
148.19.96.160|131.243.107.239| 80| 4351| 6| 15| 16938|FS PA |2005/01/06T20:59:42.501|
148.19.96.160|131.243.107.239| 80| 4353| 6| 4| 704|FS PA |2005/01/06T20:59:42.544|
148.19.96.160|131.243.107.239| 80| 4354| 6| 21| 27071|FS PA |2005/01/06T20:59:46.729|
148.19.96.160|131.243.107.239| 80| 4355| 6| 7| 7588| S A |2005/01/06T20:59:46.801|
148.19.96.160|131.243.107.239| 80| 4355| 6| 5| 7500| PA |2005/01/06T20:59:46.819|
148.19.96.160|131.243.107.239| 80| 4356| 6| 4| 709|FS PA |2005/01/06T20:59:46.814|
148.19.96.160|131.243.107.239| 80| 4357| 6| 4| 704|FS PA |2005/01/06T20:59:46.845|
148.19.96.160|131.243.107.239| 80| 4358| 6| 21| 26044|FS PA |2005/01/06T20:59:57.905|
148.19.96.160|131.243.107.239| 80| 4359| 6| 10| 9188|FS PA |2005/01/06T20:59:58.001|
148.19.96.160|131.243.107.239| 80| 4360| 6| 15| 16938|FS PA |2005/01/06T20:59:58.041|
148.19.96.160|131.243.107.239| 80| 4352| 6| 1| 40| A |2005/01/06T20:59:42.516|
148.19.96.160|131.243.107.239| 80| 4353| 6| 1| 40| A |2005/01/06T20:59:42.552|
148.19.96.160|131.243.107.239| 80| 4356| 6| 1| 40| A |2005/01/06T20:59:46.823|
148.19.96.160|131.243.107.239| 80| 4357| 6| 1| 40| A |2005/01/06T20:59:46.852|

TCP flags

Letter  Flag
F       FIN
S       SYN
R       RST
P       PSH
A       ACK
U       URG
E       ECE
C       CWR

rwcut prints the flags field at a fixed width with each letter in its own position, in the order F S R P A U E C, so a flow with only SYN and ACK set shows as " S  A   " and one with FIN and ACK as "F   A   ". That is why the listings above contain gaps like "F A" and " S PA".
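The SYN-only rows in the first rwcut listing (six packets, 360 bytes, about 273 seconds, flags "S" and nothing else) are the classic signature of SYN retransmissions that never got a SYN/ACK or RST back. The Python below is an added example, not code from this post or from the SiLK project: it parses rwcut's pipe-delimited text, decodes the flags column, applies the HIGH/MASK test that rwfilter's --flags-all switch uses, and aggregates per source IP the way rwbag --sip-bytes and rwuniq --fields do. SAMPLE is constructed from the rwcut rows shown earlier with the column padding removed; the packet-count threshold for calling a flow an unanswered SYN is this example's own choice, not a SiLK built-in.

```python
"""Post-process rwcut output: decode flags, apply rwfilter-style HIGH/MASK
tests, and aggregate like rwuniq/rwbag.  Added example, not SiLK code.
SAMPLE is constructed from the rwcut rows shown on the page."""
from collections import defaultdict
from dataclasses import dataclass

# Letters rwcut uses in the flags column, in their fixed print order.
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
              "A": "ACK", "U": "URG", "E": "ECE", "C": "CWR"}

SAMPLE = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|flags|sTime|duration|eTime|sen|
148.19.251.179|128.3.148.48|2497|80|6|16|2631|FS PA  |2005/01/06T20:01:54.119|0.246|2005/01/06T20:01:54.365|?|
148.19.251.179|128.3.148.48|2498|80|6|14|2159| S PA  |2005/01/06T20:01:54.160|0.260|2005/01/06T20:01:54.420|?|
148.19.251.179|128.3.148.48|2498|80|6|2|80|F   A   |2005/01/06T20:07:07.845|0.003|2005/01/06T20:07:07.848|?|
56.71.233.157|128.3.148.48|48906|80|6|5|300| S      |2005/01/06T20:01:50.011|45.003|2005/01/06T20:02:35.014|?|
56.96.13.225|128.3.148.48|50722|80|6|6|360| S      |2005/01/06T20:02:57.132|272.990|2005/01/06T20:07:30.122|?|
56.96.13.225|128.3.148.48|50726|80|6|6|360| S      |2005/01/06T20:02:57.432|272.990|2005/01/06T20:07:30.422|?|
58.236.56.129|128.3.148.48|32621|80|6|3|144| S      |2005/01/06T20:12:10.747|9.747|2005/01/06T20:12:20.494|?|
"""


@dataclass
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    bytes: int
    flags: frozenset
    stime: str
    duration: float


def parse_rwcut(text):
    """Parse rwcut's '|'-delimited text (header line first) into Flow records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]

    def split(line):
        cols = [c.strip() for c in line.split("|")]
        return cols[:-1] if cols and cols[-1] == "" else cols  # drop trailing '|'

    header = split(lines[0])
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, split(line)))
        flows.append(Flow(
            sip=rec["sIP"], dip=rec["dIP"],
            sport=int(rec["sPort"]), dport=int(rec["dPort"]),
            proto=int(rec["pro"]), packets=int(rec["packets"]),
            bytes=int(rec["bytes"]),
            flags=frozenset(rec["flags"].replace(" ", "")),  # letters only
            stime=rec["sTime"], duration=float(rec["duration"])))
    return flows


def describe_flags(flags):
    """Expand the letter set into flag names, in rwcut's column order."""
    return [FLAG_NAMES[c] for c in "FSRPAUEC" if c in flags]


def flags_match(flags, spec):
    """rwfilter's HIGH/MASK test, e.g. 'S/SAFR': of the bits named in MASK,
    exactly those in HIGH must be set; bits outside MASK are ignored."""
    high, mask = spec.split("/")
    return flags & frozenset(mask) == frozenset(high)


def syn_only(flows, min_packets=3):
    """TCP flows matching rwfilter --flags-all=S/SAFR with several packets:
    SYN retransmissions that never saw SYN/ACK or RST (dead host, filtered
    port, or a scanner).  min_packets is this example's own threshold."""
    return [f for f in flows
            if f.proto == 6 and flags_match(f.flags, "S/SAFR")
            and f.packets >= min_packets]


def bytes_per_sip(flows):
    """Same aggregation as rwbag --sip-bytes."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.sip] += f.bytes
    return dict(totals)


def uniq(flows, *keys):
    """Same aggregation as rwuniq --fields=<keys>: record count per key tuple."""
    counts = defaultdict(int)
    for f in flows:
        counts[tuple(getattr(f, k) for k in keys)] += 1
    return dict(counts)


if __name__ == "__main__":
    flows = parse_rwcut(SAMPLE)
    for f in syn_only(flows):
        print(f"{f.sip}:{f.sport} -> {f.dip}:{f.dport} {f.packets} pkts "
              f"{f.duration:.3f}s {describe_flags(f.flags)}")
    print(bytes_per_sip(flows))
```

On the real dataset the same selection is a one-liner, rwfilter --proto=6 --flags-all=S/SAFR --packets=3- ... --pass=stdout | rwcut; the script is for when the text output is all you have.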

Printing summary traffic statistics

rwfilter needs at least one partitioning switch, which is why --proto=0-255 (match everything) is given here. With --all=stdout, as in the later examples on this page, no partitioning switch is required.

[chohi@www SiLK-LBNL-05]$ rwfilter --print-volume-stat in/2005/01/07/in-S0_20050107.01 --proto=0-255 
| Recs| Packets| Bytes| Files|
Total| 2019| 2730488| 402105501| 1|
Pass| 2019| 2730488| 402105501| |
Fail| 0| 0| 0| |
[chohi@www SiLK-LBNL-05]$ rwfilter --print-stat in/2005/01/07/in-S0_20050107.01 --proto=0-255 
Files 1. Read 2019. Pass 2019. Fail 0.

rwfileinfo

[chohi@www SiLK-LBNL-05]$ rwfileinfo in/2005/01/07/in-S0_20050107.01
in/2005/01/07/in-S0_20050107.01:
format(id) FT_RWAUGMENTED(0x14)
version 2
byte-order littleEndian
compression(id) none(0)
header-length 28
record-length 28
record-version 2
silk-version 0
count-records 2019
file-size 56560
packed-file-info 2005/01/07T01:00:00Z ? ?

rwcount and --load-scheme

rwcount sums records, bytes and packets into time bins (here --bin-size=1800, i.e. 30 minutes). The counts are fractional because the default --load-scheme splits a flow that spans several bins across them in proportion to the time it spends in each.

[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --all=stdout | rwcount --bin-size=1800
Date| Records| Bytes| Packets|
2005/01/07T01:00:00| 257.58| 42827381.72| 248724.14|
2005/01/07T01:30:00| 1589.61| 211453506.60| 1438751.93|
2005/01/07T02:00:00| 171.81| 147824612.67| 1043011.93|
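To make the fractional Records column concrete, the Python below re-implements the binning on constructed flows. It is an added example, not code from this post or from SiLK: it models the default time-proportional --load-scheme (4) and the start-spike scheme (1), and SAMPLE_FLOWS are made-up (sTime, duration, bytes, packets) tuples, not rows from the dataset.

```python
"""Reproduce rwcount's fractional bins for --bin-size=1800.
Added example, not SiLK code; SAMPLE_FLOWS are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def parse_stime(s):
    """rwcut sTime 'YYYY/MM/DDTHH:MM:SS.mmm' -> seconds since epoch (UTC)."""
    return (datetime.strptime(s, "%Y/%m/%dT%H:%M:%S.%f") - EPOCH).total_seconds()


def bin_flow(start, duration, bin_size=1800, scheme="proportional"):
    """Return {bin_start_seconds: weight} for one flow.

    'proportional': each bin gets the fraction of the flow's duration that
    falls inside it (rwcount's default, --load-scheme=4), so a flow that
    straddles a bin boundary contributes fractional records to both bins.
    'start': the whole flow goes to the bin containing sTime
    (--load-scheme=1, start-spike).
    A zero-duration flow always lands entirely in its start bin.
    """
    first = int(start // bin_size) * bin_size
    if scheme == "start" or duration <= 0:
        return {first: 1.0}
    end = start + duration
    weights = {}
    b = first
    while b < end:
        overlap = min(end, b + bin_size) - max(start, b)
        weights[b] = overlap / duration
        b += bin_size
    return weights


def rwcount(flows, bin_size=1800, scheme="proportional"):
    """flows: iterable of (sTime, duration, bytes, packets).
    Returns {bin_label: [records, bytes, packets]} like the rwcount table."""
    table = defaultdict(lambda: [0.0, 0.0, 0.0])
    for stime, duration, nbytes, packets in flows:
        for b, w in bin_flow(parse_stime(stime), duration, bin_size, scheme).items():
            label = (EPOCH + timedelta(seconds=b)).strftime("%Y/%m/%dT%H:%M:%S")
            row = table[label]
            row[0] += w
            row[1] += w * nbytes
            row[2] += w * packets
    return dict(table)


# Constructed flows: one straddling the 01:00/01:30 boundary, one
# single-packet flow, one straddling 01:30/02:00.
SAMPLE_FLOWS = [
    ("2005/01/07T01:20:00.000", 1200.0, 1000, 10),
    ("2005/01/07T01:05:00.000", 0.0, 76, 1),
    ("2005/01/07T01:59:00.000", 120.0, 400, 4),
]

if __name__ == "__main__":
    for label, (recs, nbytes, pkts) in sorted(rwcount(SAMPLE_FLOWS).items()):
        print(f"{label}|{recs:8.2f}|{nbytes:14.2f}|{pkts:10.2f}|")
```

The practical consequence: a long-lived flow (a 273-second string of SYN retries, a large transfer) shows up as 0.x records in several bins, so a per-bin record count from rwcount is not a count of distinct flows; use rwuniq or rwset when you need that.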

rwset and IP sets

[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --all=stdout | rwset --sip-file=sip.set --dip-file=dip.set
[chohi@www SiLK-LBNL-05]$ ls -al *.set
-rw-rw-r-- 1 chohi chohi 642 Jul 6 09:18 dip.set
-rw-rw-r-- 1 chohi chohi 15150 Jul 6 09:18 sip.set
[chohi@www SiLK-LBNL-05]$ rwsetcat sip.set | head -5
0.0.0.0
32.16.40.178
32.24.41.181
32.24.215.49
32.30.13.177
[chohi@www SiLK-LBNL-05]$ rwfileinfo sip.set
sip.set:
format(id) FT_IPSET(0x1d)
version 16
byte-order littleEndian
compression(id) none(0)
header-length 138
record-length 1
record-version 2
silk-version 3.17.2
count-records 15012
file-size 15150
command-lines 
1 rwfilter --all=stdout in/2005/01/07/in-S0_20050107.01
2 rwset --sip-file=sip.set --dip-file=dip.set

Filtering on either port

--aport=123 matches a flow when its source port or its destination port is 123. Protocol 17 is UDP, and the single 76-byte packets are NTP (20 bytes IP + 8 bytes UDP + 48 bytes NTP).

[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --pass=stdout --aport=123 | rwcut | head -5
sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime|sen|
56.7.90.229| 128.3.23.152| 123| 123| 17| 1| 76| |2005/01/07T01:10:00.603| 0.000|2005/01/07T01:10:00.603| ?|
192.41.221.11| 128.3.23.152| 123| 123| 17| 1| 76| |2005/01/07T01:10:15.519| 0.000|2005/01/07T01:10:15.519| ?|
87.221.134.185| 128.3.23.231| 123| 123| 17| 1| 76| |2005/01/07T01:24:46.256| 0.000|2005/01/07T01:24:46.256| ?|
137.230.203.1| 128.3.63.40| 123| 123| 17| 1| 76| |2005/01/07T01:24:51.587| 0.000|2005/01/07T01:24:51.587| ?|
[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --aport=123 --print-stat
Files 1. Read 2019. Pass 52. Fail 1967.

rwuniq

[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --all=stdout | rwuniq --field=sip,proto | head -4
sIP|pro| Records|
35.223.112.236| 1| 1|
211.210.215.142| 6| 1|
151.151.237.231| 17| 4|

rwbag

[chohi@www SiLK-LBNL-05]$ rwfilter in/2005/01/07/in-S0_20050107.01 --all=stdout | rwbag --sip-bytes=sip_bytes.bag
[chohi@www SiLK-LBNL-05]$ rwbagcat sip_bytes.bag | head -5
0.0.0.0| 328|
32.16.40.178| 480|
32.24.41.181| 39|
32.24.215.49| 39|
32.30.13.177| 39|

Advanced SiLK features

pmaps

[chohi@www SiLK-LBNL-05]$ cat reserver.txt
##
#
label 0 1918-reserved
label 1 multicast
label 2 future
label 3 normal
#
#
#
mode ip
#
#
default normal
#map
192.168.0.0/16 1918-reserved
10.0.0.0/8 1918-reserved
172.16.0.0/12 1918-reserved
224.0.0.0/4 multicast
# 240.0.0.0/4 (class E) is the 'future' range; a second 224.0.0.0/4 line would duplicate the multicast entry
240.0.0.0/4 future

[chohi@www SiLK-LBNL-05]$ rwpmapbuild --input-file reserver.txt --output-file reserve.pmap
[chohi@www SiLK-LBNL-05]$ ls -al re*.*
-rw-rw-r-- 1 chohi chohi 415 Jul 8 17:15 reserve.pmap
-rw-rw-r-- 1 chohi chohi 241 Jul 8 17:15 reserver.txt

[chohi@www SiLK-LBNL-05]$ rwcut --pmap-file=reserve:reserve.pmap --fields=1-4,src-reserve,dst-reserve traceroute.rwf | head -5
rwcut: Error opening file 'traceroute.rwf': No such file or directory

This fails because traceroute.rwf is not part of the LBNL-05 reference data, so the pmap step is skipped for now. To try it on this dataset, substitute one of its own files (for example the in/2005/01/07 file used above) for traceroute.rwf; the src-reserve and dst-reserve columns are derived from the pmap name given before the colon in --pmap-file=reserve:reserve.pmap.

Moving on without the advanced features.
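Since the rwcut step could not be run here, the prefix-map logic is worked through in Python below as an added example (not this post's code and not SiLK's implementation). It parses the "mode ip" text format shown above (label, mode, default and CIDR lines, with # comments), resolves each address to the most specific matching prefix with the default label as fallback, and labels (sIP, dIP) pairs the way the src-reserve/dst-reserve columns would. PMAP_TEXT uses 240.0.0.0/4 for the 'future' range; this parser rejects a duplicated prefix (two 224.0.0.0/4 lines), whereas what rwpmapbuild itself does with such input is not shown on this page.

```python
"""Prefix-map lookup in the style of rwpmapbuild / rwcut --pmap-file.
Added example, not SiLK's implementation.  PMAP_TEXT mirrors the
reserver.txt shown above, with 240.0.0.0/4 as the 'future' range."""
import ipaddress

PMAP_TEXT = """\
label 0 1918-reserved
label 1 multicast
label 2 future
label 3 normal
mode ip
default normal
192.168.0.0/16 1918-reserved
10.0.0.0/8 1918-reserved
172.16.0.0/12 1918-reserved
224.0.0.0/4 multicast
240.0.0.0/4 future
"""


def parse_pmap(text):
    """Return (entries, default); entries are (network, label), longest prefix first."""
    labels, entries, default, mode = set(), [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        tok = line.split()
        if tok[0] == "label":
            labels.add(tok[2])
        elif tok[0] == "mode":
            mode = tok[1]
        elif tok[0] == "default":
            default = tok[1]
        else:
            net = ipaddress.ip_network(tok[0], strict=False)
            if tok[1] not in labels:
                raise ValueError(f"{tok[0]}: label {tok[1]!r} not declared")
            if any(net == n for n, _ in entries):
                raise ValueError(f"{tok[0]}: duplicate prefix")
            entries.append((net, tok[1]))
    if mode != "ip":
        raise ValueError(f"only 'mode ip' is handled here, got {mode!r}")
    # Longest prefix first, so a /16 inside a /8 wins over the /8.
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries, default


def lookup(pmap, ip):
    """Label for one address: most specific matching prefix, else the default."""
    entries, default = pmap
    addr = ipaddress.ip_address(ip)
    for net, label in entries:
        if addr in net:
            return label
    return default


def label_pairs(pmap, pairs):
    """Mimic rwcut --fields=sIP,dIP,src-<name>,dst-<name> on (sIP, dIP) pairs."""
    return [(sip, dip, lookup(pmap, sip), lookup(pmap, dip)) for sip, dip in pairs]


if __name__ == "__main__":
    pmap = parse_pmap(PMAP_TEXT)
    # Constructed pairs; the second reuses addresses from the listings above.
    for row in label_pairs(pmap, [("10.1.2.3", "224.0.0.251"),
                                  ("56.71.233.157", "128.3.148.48")]):
        print("|".join(row))
```

The security use of such a map is the usual one: an RFC 1918 or class E source address arriving from the outside (src-reserve != normal on an inbound sensor) is spoofed or misrouted and worth a filter of its own.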

Collecting SiLK data

Installing YAF

https://tools.netsa.cert.org/yaf/download.html

configure fails

[chohi@www yaf-2.10.0]$ ./configure 

...

checking for GLIB - version >= 2.4.7... no
*** Could not run GLIB test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GLIB is incorrectly installed.
configure: error: Cannot find a suitable glib2 (>= 2.4.7)

Check the glib2 version, then install the dependency (the -devel package provides the headers configure needs). Re-running ./configure afterwards fails on the next dependency, libfixbuf:

[root@www yaf-2.10.0]# rpm -qa | grep glib2
glib2-2.54.2-2.el7.x86_64
[root@www yaf-2.10.0]# yum install glib2-devel
configure: error: Cannot find a suitable libfixbuf (>= 2.0.0) (Try setting PKG_CONFIG_PATH): No package 'libfixbuf' found
No package 'libfixbuf' found

Download libfixbuf

https://tools.netsa.cert.org/fixbuf/download.html

Install libfixbuf

Note that yaf's configure asked for libfixbuf >= 2.0.0, while the directory below is libfixbuf-1.8.0. Make sure the version you build satisfies that check, otherwise yaf's configure fails on the same test again.

[root@www libfixbuf-1.8.0]# ./configure

[root@www libfixbuf-1.8.0]# make

[root@www libfixbuf-1.8.0]# make install

Install the pcap library

yum install libpcap-devel

Continue the YAF install

[root@www yaf-2.10.0]# ./configure
[root@www yaf-2.10.0]# make 
[root@www yaf-2.10.0]# make install
[root@www yaf-2.10.0]# which yaf
/usr/local/bin/yaf

Usage reference

https://tools.netsa.cert.org/yaf/yaf.html

Configuring YAF with SiLK

https://tools.netsa.cert.org/yaf/libyaf/yaf_silk.html

In progress.

About the Author: chohi