Learning Objectives
- Gain knowledge of the network traffic data format
- Understand the differences between full packet captures and network flows
- Learn how to process network flow data
- Discover the SiLK tool suite
- Gain hands-on experience in network flow analysis with SiLK
QUESTIONS:
- Which version of SiLK is installed on the VM?
Command:
rwfileinfo suspicious-flows.silk
ANSWER
3.19.1
- What is the number of flow records in the file (the count-records field)?
Command:
rwfileinfo suspicious-flows.silk
ANSWER
11774
- What is the start time (sTime) of the sixth record in the file?
Command:
rwcut suspicious-flows.silk --fields=sTime --num-recs=6
ANSWER
2023/12/05T09:33:07.755
- What is the destination port of the sixth UDP record?
Command (the sixth UDP record is only shown if at least six records are printed):
rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --fields=protocol,sIP,sPort,dIP,dPort --num-recs=6
ANSWER
49950
- What is the record value (%) of the dport 53?
Command:
rwstats suspicious-flows.silk --fields=dPort --values=records --count=5
ANSWER
35.332088
- What is the number of bytes transmitted by the top talker on the network?
Command:
rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top
ANSWER
735229
- What is the sTime value of the first DNS record going to port 53?
Command:
rwfilter suspicious-flows.silk --aport=53 --pass=stdout | rwcut --fields=sTime,sIP,dIP --num-recs=1
ANSWER
2023/12/08T04:28:44.825
- What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )
Command:
rwfilter suspicious-flows.silk --aport=53 --pass=stdout | rwstats --fields=sIP,dIP --values=records,bytes,packets --count=10
ANSWER (in defanged format):
175[.]175[.]173[.]221
- Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )
Command:
rwfilter suspicious-flows.silk --aport=80 --pass=stdout | rwstats --fields=sIP,dIP,dPort --count=10
ANSWER
175[.]215[.]236[.]223
- What is the number of records for the SYN packets sent by the flood attacker?
Command (restrict to the attacker's source address and to TCP flows with SYN set and ACK clear, i.e. --flags-all=S/SA):
rwfilter suspicious-flows.silk --saddress=175.215.236.223 --proto=6 --flags-all=S/SA --pass=stdout | rwstats --fields=sIP,dIP --values=records,packets --count=10
ANSWER
1658
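The queries above all depend on SiLK being installed. As an added example (not part of the original walkthrough and not SiLK's own code), the following Python script reproduces the same four checks on text that rwcut has already exported: record share per dPort, top talker by bytes, SYN-only records per source/destination pair, and the earliest flow to a port. The field order and delimiter are assumptions (it expects rwcut output produced with --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime --delimited=, --no-titles), and the embedded sample flows are constructed from RFC 5737 documentation addresses, not records from suspicious-flows.silk.

```python
"""Offline processing of SiLK flow records exported with rwcut.

Added example, not part of the original walkthrough. It mirrors the
rwstats/rwfilter queries from the room on delimited rwcut output so the
same checks can run where SiLK is not installed. Assumed input format:
  rwcut suspicious-flows.silk --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime --delimited=, --no-titles
"""
from collections import Counter
from typing import Dict, List, Tuple

FIELDS = ["sIP", "dIP", "sPort", "dPort", "protocol", "packets", "bytes", "flags", "sTime"]
INT_FIELDS = {"sPort", "dPort", "protocol", "packets", "bytes"}

# Constructed sample (RFC 5737 documentation addresses), not data from the room's file.
# rwcut ends every delimited line with a trailing delimiter unless --no-final-delimiter is given.
SAMPLE_FLOWS = """\
192.0.2.10,198.51.100.53,51000,53,17,1,64,,2023/12/05T09:33:00.100,
198.51.100.53,192.0.2.10,53,51000,17,1,120,,2023/12/05T09:33:00.104,
192.0.2.10,198.51.100.53,51001,53,17,1,64,,2023/12/05T09:33:01.100,
203.0.113.7,192.0.2.80,40000,80,6,1,40,S,2023/12/05T09:34:00.000,
203.0.113.7,192.0.2.80,40001,80,6,1,40,S,2023/12/05T09:34:00.001,
203.0.113.7,192.0.2.80,40002,80,6,1,40,S,2023/12/05T09:34:00.002,
192.0.2.10,192.0.2.80,52000,80,6,12,9500,FSPA,2023/12/05T09:35:00.000,
192.0.2.80,192.0.2.10,80,52000,6,10,150000,FSPA,2023/12/05T09:35:00.003,
"""


def parse_rwcut(text: str) -> List[Dict[str, object]]:
    """Turn delimited rwcut output into a list of flow dicts (ints where numeric)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.rstrip(",").split(",")  # drop the trailing delimiter
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count in line: {line!r}")
        rec = dict(zip(FIELDS, (p.strip() for p in parts)))
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        flows.append(rec)
    return flows


def dport_record_share(flows) -> Dict[int, float]:
    """Percentage of records per dPort, like rwstats --fields=dPort --values=records."""
    counts = Counter(f["dPort"] for f in flows)
    total = len(flows)
    return {port: round(100.0 * n / total, 6) for port, n in counts.items()}


def top_talkers_bytes(flows, n: int) -> List[Tuple[str, int]]:
    """Top n source addresses by bytes sent, like rwstats --fields=sIP --values=bytes --top."""
    totals = Counter()
    for f in flows:
        totals[f["sIP"]] += f["bytes"]
    return totals.most_common(n)


def syn_only_counts(flows) -> Counter:
    """Records per (sIP, dIP) whose TCP flags have SYN set and ACK clear.

    Equivalent to rwfilter --proto=6 --flags-all=S/SA. SiLK prints the flags
    column as letters from F S R P A U E C, so a bare 'S' is a connection
    attempt that never carried an ACK, which is what a SYN flood leaves behind.
    """
    hits = Counter()
    for f in flows:
        if f["protocol"] != 6:
            continue
        flags = set(f["flags"].replace(" ", ""))
        if "S" in flags and "A" not in flags:
            hits[(f["sIP"], f["dIP"])] += 1
    return hits


def first_flow_to_port(flows, port: int):
    """sTime of the earliest record with the given dPort (rwfilter --dport=N, then the first record by time).

    SiLK's zero-padded YYYY/MM/DDTHH:MM:SS.mmm timestamps sort chronologically as strings.
    """
    matching = [f for f in flows if f["dPort"] == port]
    if not matching:
        return None
    return min(matching, key=lambda f: f["sTime"])["sTime"]


if __name__ == "__main__":
    flows = parse_rwcut(SAMPLE_FLOWS)
    print("record share per dPort:", dport_record_share(flows))
    print("top talker by bytes:", top_talkers_bytes(flows, 1))
    print("SYN-only records per pair:", syn_only_counts(flows))
    print("first flow to port 53:", first_flow_to_port(flows, 53))
```

To run it against the real file, export the flows once with the rwcut invocation given in the docstring and feed the file contents to parse_rwcut; the percentages it returns are rounded to six decimals to match the precision rwstats prints.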