Day 17 of Advent of Cyber 2023!

Backstory:

On Day 17 the storyline continues and the range of challenges widens. The events so far have involved technical tasks such as log analysis, machine learning exploration, and dealing with anomalies. The focus now shifts to Santa's Security Operations Centre (SSOC), which needs a comprehensive picture of what is happening on the network. McSkidy suggests a pragmatic approach: concentrate on network statistics, particularly inbound and outbound traffic along with load metrics. Your role is to scrutinize the network traffic efficiently so the SSOC can make sense of the unfolding chaos. Your expertise remains pivotal in defining the investigation's parameters. Prepare for the next task: analyzing the network's dynamics.

Learning Objectives

  • Gain knowledge of the network traffic data format

  • Understand the differences between full packet captures and network flows

  • Learn how to process network flow data

  • Discover the SiLK tool suite

  • Gain hands-on experience in network flow analysis with SiLK

Network Traffic Data: PCAP vs. Network Flow

Introduction: Network data is pervasive in our interconnected world, providing insights into various aspects of computing activities. Two primary formats for capturing this data are Packet Capture (PCAP) and Network Flow. While PCAP offers detailed packet information, Network Flow provides a summary of traffic flow metadata. Understanding the differences between these formats is crucial for efficient network analysis.


Network Management:

  • PCAP: Monitors performance, identifies bottlenecks, and ensures resource allocation.

  • Network Flow: Provides a high-level summary for resource allocation and quality of service.


Troubleshooting:

  • PCAP: Identifies network issues, validates configurations, and sets performance baselines.

  • Network Flow: Validates configurations and changes with faster analysis, excluding payload details.


Incident Response:

  • PCAP: Assesses incident scope, conducts root cause analysis, and evaluates compliance.

  • Network Flow: Offers incident scope and compliance assessment with faster processing.


Threat Hunting:

  • PCAP: Proactively analyzes for suspicious patterns, threats, anomalies, and IoCs.

  • Network Flow: Conducts behavioral analysis, detecting intrusions and insider threats without payload.


Data Formats:

  • PCAP: Granular, raw, and comprehensive view with packet details and payload.

  • Network Flow: Lightweight summary data with metadata, lacking packet details and payload.


Pros and Cons:

  • PCAP:

    • Pros: High visibility of packet details.

    • Cons: Resource-intensive, time-consuming, encryption obstacle.

  • Network Flow:

    • Pros: High-level summary for quick insights, easier storage and analysis.

    • Cons: No payload, encryption obstacle.


Available Fields:

  • PCAP: Layer headers, payload data, timestamp, MAC addresses, IP and port information, TCP/UDP details, application layer protocol.

  • Network Flow: IP and port information, volume metrics, TCP flags, time details, sensor info, application layer protocol.


Key Data Files:

PCAP:

  • Link layer info, timestamp, packet length, MAC addresses, source/destination IPs, source/destination ports, TCP/UDP info, application layer protocol, packet data, and payload.

Network Flow:

  • IP and port info, source/destination IPs, source/destination ports, IP protocol, volume details, TCP flags, time details, sensor info, application layer protocol.

Conclusion: Network Flow, especially in NetFlow format, emerges as a practical alternative to PCAP for quick insights, offering a balance between analysis speed and data richness. This choice aligns with the SSOC team's goal of obtaining network statistics promptly.
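To make the PCAP-versus-flow distinction concrete, here is an added Python example (not from the room or the SiLK suite) that folds a constructed list of packets into unidirectional flow records carrying the fields listed above: the 5-tuple, packet and byte counts, the union of TCP flags, and start/end times. The sample packets and the 30-second idle timeout are assumptions.

```python
from dataclasses import dataclass, field
FLAG_ORDER = "FSRPAUEC"  # letter order SiLK uses when printing the flags field

# Constructed sample packets (not a real capture):
# (timestamp, sIP, dIP, sPort, dPort, protocol, length_bytes, tcp_flags)
PACKETS = [
    (1701770000.000, "10.0.0.5", "10.0.0.53", 51000, 53, 17, 72, ""),
    (1701770000.012, "10.0.0.53", "10.0.0.5", 53, 51000, 17, 120, ""),
    (1701770001.000, "10.0.0.5", "203.0.113.10", 40001, 80, 6, 60, "S"),
    (1701770001.050, "203.0.113.10", "10.0.0.5", 80, 40001, 6, 60, "SA"),
    (1701770001.051, "10.0.0.5", "203.0.113.10", 40001, 80, 6, 52, "A"),
    (1701770001.200, "10.0.0.5", "203.0.113.10", 40001, 80, 6, 500, "PA"),
    (1701770002.000, "10.0.0.5", "203.0.113.10", 40001, 80, 6, 52, "FA"),
]

@dataclass
class Flow:
    sIP: str
    dIP: str
    sPort: int
    dPort: int
    protocol: int
    sTime: float
    eTime: float
    packets: int = 0
    bytes: int = 0
    flag_set: set = field(default_factory=set)

    @property
    def flags(self):
        return "".join(f for f in FLAG_ORDER if f in self.flag_set)

def packets_to_flows(packets, idle_timeout=30.0):
    """Fold packets into flow records keyed on the 5-tuple; a gap > idle_timeout starts a new flow."""
    active, done = {}, []
    for ts, sip, dip, sport, dport, proto, length, tcp_flags in sorted(packets):
        key = (sip, dip, sport, dport, proto)
        flow = active.get(key)
        if flow is None or ts - flow.eTime > idle_timeout:
            if flow is not None:
                done.append(flow)  # previous flow on this 5-tuple timed out
            flow = Flow(sip, dip, sport, dport, proto, sTime=ts, eTime=ts)
            active[key] = flow
        flow.packets += 1
        flow.bytes += length
        flow.eTime = ts
        flow.flag_set.update(tcp_flags)  # flow keeps the OR of all packet flags
    done.extend(active.values())
    return sorted(done, key=lambda f: f.sTime)
```

Note that the payload never survives the aggregation; only the counters and flags do, which is exactly why flow data is small and why encryption does not matter to it.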

Analyzing Network Flow Data with SiLK Suite: Part 2

Now that you have successfully obtained the high-level details of the binary flow file using rwfileinfo, let's proceed with further analysis and exploration using SiLK tools.

View Sample Flow Records: rwcut

To delve deeper into the content of the flow file, you can use the rwcut command to display a selection of flow records. Execute the following command:

rwcut FILENAME

This will provide a glimpse of the flow records within the file, offering insights into the structure and data present.

Generate Statistics: rwstats

The rwstats tool generates statistical summaries of flow records, but it always needs to be told what to summarize. For an overview of the whole file, use:

rwstats FILENAME --overall-stats

This prints summary statistics (minimum, maximum and quartiles) for bytes, packets and bytes per packet across all flows, giving you a quick sense of the volume profile before you drill into specific fields.

Filter and Query: rwfilter and rwuniq

The SiLK suite's strength lies in its ability to filter and query flow records effectively. Use rwfilter to select records and rwuniq to count distinct values of the fields you name. For example:

rwfilter FILENAME --proto=6 --pass=stdout | rwuniq --fields=sIP,dIP

This command passes only records with protocol 6 (TCP) to rwuniq, which prints each distinct source/destination IP pair with the number of records it appears in, giving a quick view of who is talking to whom over TCP.

Explore Time-Based Analysis: rwcount

Time-based analysis is crucial in understanding network patterns. SiLK's rwcount command buckets flow records into fixed time bins. For instance:

rwcount FILENAME --bin-size=600

This command counts records, bytes and packets per 10-minute (600-second) interval, so spikes in volume stand out. Note that rwgroup does not take a time interval: it groups pre-sorted records that share the --id-fields you name and whose --delta-field values lie within --delta-value of each other, which suits reconstructing sessions rather than binning by time.

Additional Commands: rwsort and rwcut

For sorting and extracting specific fields from flow records, you can use rwsort and rwcut. For example:

rwsort --fields=sIP,dIP FILENAME | rwcut --fields=1-5

This command sorts records by source and then destination IP address and prints the first five columns (sIP, dIP, sPort, dPort, protocol) for analysis.

Task Summary

You have explored several SiLK tools to analyze network flow data. Remember, SiLK offers a versatile set of tools, and your choice of commands will depend on the specific analysis goals of the SSOC team.

Continue experimenting with SiLK to uncover deeper insights into the network traffic data provided by Elf Forensic McBlue. Use the knowledge gained to answer questions and assist the SSOC team in their objectives.

Reading Flow Files: rwcut

Basic Usage

rwcut FILENAME

This command prints all records to the console.

Managing Output Size

rwcut FILENAME --num-recs=5

Limits output to the first five record lines.

Filtering Specific Columns

rwcut FILENAME --fields=protocol,sIP,sPort,dIP,dPort --num-recs=5

Displays selected columns (protocol, source/destination IP, source/destination ports) for the first five records.

Filtering with rwfilter

Essential Usage

rwfilter FILENAME

On its own this produces nothing readable: rwfilter emits binary flow records and must be given a destination (--pass=stdout or a file), and that output is then piped into rwcut for display.

Filtering UDP Records

rwfilter FILENAME --proto=17 --pass=stdout | rwcut --fields=protocol,sIP,sPort,dIP,dPort --num-recs=5

Filters UDP records and displays the first five records.

Quick Statistics: rwstats

Usage

rwstats FILENAME --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=10

Displays statistics on destination ports, including records, packets, bytes, and distinct source/destination IPs.

Assemble the Toolset and Start Hunting Anomalies!

Top Talkers on the Network

rwstats FILENAME --fields=sIP --values=bytes --count=10 --top

Lists the top talkers based on byte volume.

Detection Notes: C2 over DNS

Elaboration

  • Source IP ending with 221 sent massive DNS requests.

  • Destination IP ending with 243 is likely the DNS server.

  • Suggests a potential C2 channel using DNS.

Continued Analysis: Port 80 Traffic

Identifying Noisy Communication

rwfilter FILENAME --aport=80 --pass=stdout | rwstats --fields=sIP,dIP --count=10

Lists connection pairs creating noise on port 80.

Analyzing SYN Packets

rwfilter FILENAME --saddress=175.215.236.223 --pass=stdout | rwcut --fields=sIP,dIP,dPort,flags,stime | head

Lists the first flows from the source IP ending with 236.223 with their TCP flags, to check whether they are bare SYN packets.

Conclusion and Elaboration

  • Source IP ending with 236.223 sends SYN packets without ACK.

  • Suggests a potential SYN-Flood attack.

Detection Notes: DoS Attack

Elaboration

  • Source IP ending with 236.223 conducts a suspected DoS attack.

  • Did not complete the TCP three-way handshake.

  • Possible SYN-Flood attack.
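As an added example that is not part of the original room or the SiLK suite, the following Python reproduces the three hunting steps used above (record share per destination port, top talker by bytes, and sources sending SYN without ACK) over a constructed sample in the layout rwcut prints with --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime. The destination 203.0.113.243 and all counts are made up.

```python
from collections import Counter

# Constructed sample in rwcut's '|'-delimited layout (not real captured data);
# only the two source IPs named in the room are reused, everything else is invented.
RWCUT_OUTPUT = """\
            sIP|            dIP|sPort|dPort|pro|packets|bytes|   flags|                  sTime|
175.175.173.221|  203.0.113.243|51234|   53| 17|      1|   72|        |2023/12/05T09:33:07.755|
175.175.173.221|  203.0.113.243|51235|   53| 17|      3|  210|        |2023/12/05T09:33:08.102|
175.215.236.223|  203.0.113.243|40001|   80|  6|      1|   60|       S|2023/12/05T09:40:00.000|
175.215.236.223|  203.0.113.243|40002|   80|  6|      1|   60|       S|2023/12/05T09:40:00.001|
       10.0.0.7|  203.0.113.243|40500|   80|  6|      6| 1500|    FSPA|2023/12/05T09:41:12.500|
       10.0.0.7|  203.0.113.243|40501|  443|  6|     10| 5000|    FSPA|2023/12/05T09:42:30.250|
"""

def parse_rwcut(text):
    """Parse rwcut's '|'-delimited output into a list of dicts with numeric counters."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [c.strip() for c in lines[0].rstrip("|").split("|")]
    records = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.rstrip("|").split("|")]
        rec = dict(zip(header, cells))
        for k in ("sPort", "dPort", "pro", "packets", "bytes"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records

def dport_record_share(records):
    """Percent of records per destination port, like rwstats --fields=dPort --values=records."""
    counts = Counter(r["dPort"] for r in records)
    return {port: 100.0 * n / len(records) for port, n in counts.items()}

def top_talkers(records, count=10):
    """Bytes sent per source IP, largest first, like rwstats --fields=sIP --values=bytes --top."""
    totals = Counter()
    for r in records:
        totals[r["sIP"]] += r["bytes"]
    return totals.most_common(count)

def syn_only_sources(records):
    """Count TCP flows per source that carry SYN but never ACK (handshake never completed)."""
    hits = Counter()
    for r in records:
        if r["pro"] == 6 and "S" in r["flags"] and "A" not in r["flags"]:
            hits[r["sIP"]] += 1
    return dict(hits)
```

A high SYN-only count from one source against one destination is the flow-level signature of the SYN flood described above; many small flows to port 53 from one host is the DNS-channel signature.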

Conclusion

You've assisted the SSOC team in identifying network anomalies using SiLK tools. This guide covered the fundamentals of network flow analysis, emphasizing the SiLK suite for traffic data analysis.

Q1. Which version of SiLK is installed on the VM?

A1. 3.19.1

Q2. What is the size of the flows in the count records?

A2. 11774

Q3. What is the start time (sTime) of the sixth record in the file?

A3. 2023/12/05T09:33:07.755

Q4. What is the destination port of the sixth UDP record?

A4. 49950

Q5. What is the record value (%) of the dport 53?

A5. 35.332088

Q6. What is the number of bytes transmitted by the top talker on the network?

A6. 735229

Q7. What is the sTime value of the first DNS record going to port 53?

A7. 2023/12/08T04:28:44.825

Q8. What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )

A8. 175[.]175[.]173[.]221

Q9. Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )

A9. 175[.]215[.]236[.]223

Q10. What is the sent SYN packet's number of records?

A10. 1658