CERT Network Situational Awareness ("NetSA")

Among other work:
• Applied Research and Development
  • Maintains the SiLK tool suite
  • Analysis Pipeline
• Operational Analysis
  • Private Network Analysis
  • Network Profiling of Waledac-Infected IP Space
• Capacity Building
  • Open source software and publications
  • In person and online training

NetSA Online Training Modules
• Network Flow
• SiLK Beginning Flow Analysis
• rwfilter
• Counting Tools: rwcount, rwstats, rwuniq
• rwappend - rwsplit
• rwfileinfo - rwglob
• rwcut and rwcat
• rwsort
• Sets
• Prefix Maps (pmaps)
• Advanced SiLK Tools: Bags
• Using Tuples with SiLK
• LAB: SiLK Training

NetSA Online Virtual Lab
Software Engineering Institute, Carnegie Mellon

Table of Contents
1 Introduction
  1.1 Lab Topology
  1.2 Description of data in the lab repositories
  1.3 Tips on using the SiLK/VTE lab systems
2 SiLK/VTE Lab Exercises
  2.1 Lab Section 1 - Beginning Analysis Exercises
    2.1.1 Lab 1.1 - Connecting to and logging onto the SiLK lab
    2.1.2 Lab 1.2 - Determine data repository's dates, classes and sensors
    2.1.3 Lab 1.3 - Explore the repository
  2.2 Lab Section 2 - rwfilter Exercises
    2.2.1 Lab 2.1 - Explore rwfilter Options
    2.2.2 Lab 2.2 - Track an individual address or individual address block
    2.2.3 Lab 2.3 - Categorizing Traffic with rwfilter
    2.2.4 Lab 2.4 - Trending Traffic
    2.2.5 Lab 2.5 - Chaining rwfilter Commands Together
  2.3 Lab Section 3 - Printing and Sorting Tools
    2.3.1 Lab 3.1 - Formatting Output
    2.3.2 Lab 3.2 - Finding Specific Behavior
  2.4 Lab Section 4 - Other Tools
    2.4.1 Lab 4.1 - Using Other Tools to Find Behavior
    2.4.2 Lab 4.2 - rwuniq and the Destination IP Distinct Feature
    2.4.3 Lab 4.3 - Exploring …
  2.5 Lab Section 5 - Sets
    2.5.1 Lab 5.1 - Using Block Lists
    2.5.2 Lab 5.2 - Taking Network Inventories
  2.6 Lab Section 6 - Bags
    2.6.1 Lab 6.1 - Find DNS Clients
  2.7 Lab Section 7 - Prefix Maps
    2.7.1 Lab 7.1 - Experimenting with pmaps
    2.7.2 Lab 7.2 - pmaps and ICMP

New Training Modules in 2010
• Introduction to iSiLK
• Overview of PySiLK
• Basic PySiLK Objects