[netsa-tools-discuss] Using rwfilter to search a generated record file

Mark Thomas mthomas at cert.org
Wed Sep 2 10:58:45 EDT 2015


The assignment of the flowtype field (that is, class/type pair, such
as "all/inweb" and "all/ext2ext") of a SiLK record occurs when the
record passes through the packing logic that is loaded into
rwflowpack.

A SiLK Flow file created with rwp2yaf2silk has the flowtype of its
records set to 0, which is "all/in".

Unfortunately, there is not a way to assign a flowtype to the records
in a file without processing the file with rwflowpack, which will
split an incoming file into several output files.

The easiest way to find the flow records in your input file that
would be categorized as "ext2ext" would be to create an IPset that
contains the internal IP space of your organization, and then run

 rwfilter --not-sipset=internal.set --not-dipset=internal.set \
     --pass=ext2ext.rw input.rw

where internal.set is the IPset of internal IPs, input.rw is the
file created by rwp2yaf2silk, and ext2ext.rw is the output file that
contains flow records that would be categorized as external to
external.

I hope that helps.

-Mark
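
As an added illustration (not SiLK code and not part of the original thread), the following Python emulates the sip/dip set-membership test that the rwfilter command above performs, generalized to all four class combinations, and builds the matching rwfilter invocation for each; the internal ranges and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed internal address space standing in for internal.set
# (assumption: replace with your organization's own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]

# Constructed sample flows as (sip, dip) pairs, standing in for records in input.rw.
SAMPLE_FLOWS = [
    ("10.1.2.3", "198.51.100.7"),    # internal -> external
    ("198.51.100.7", "10.1.2.3"),    # external -> internal
    ("192.168.5.5", "10.9.9.9"),     # internal -> internal
    ("198.51.100.7", "192.0.2.44"),  # external -> external
    ("2001:db8::1", "192.0.2.44"),   # external -> external (IPv6 source)
]

# rwfilter selection switches equivalent to each class when internal.set holds
# the internal space; the ext2ext pair is the one used in the reply above.
RWFILTER_SWITCHES = {
    "int2int": "--sipset=internal.set --dipset=internal.set",
    "int2ext": "--sipset=internal.set --not-dipset=internal.set",
    "ext2int": "--not-sipset=internal.set --dipset=internal.set",
    "ext2ext": "--not-sipset=internal.set --not-dipset=internal.set",
}

def is_internal(addr: str) -> bool:
    """True if addr falls inside any internal block (the --sipset/--dipset test)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def flow_class(sip: str, dip: str) -> str:
    """Classify one flow by whether each endpoint is in the internal set."""
    src = "int" if is_internal(sip) else "ext"
    dst = "int" if is_internal(dip) else "ext"
    return f"{src}2{dst}"

def partition(flows):
    """Split flows into the four classes, as four rwfilter runs over input.rw would."""
    buckets = {cls: [] for cls in RWFILTER_SWITCHES}
    for sip, dip in flows:
        buckets[flow_class(sip, dip)].append((sip, dip))
    return buckets

def rwfilter_command(cls: str, infile: str = "input.rw") -> str:
    """Build the rwfilter invocation that writes the given class to <cls>.rw."""
    return f"rwfilter {RWFILTER_SWITCHES[cls]} --pass={cls}.rw {infile}"

if __name__ == "__main__":
    for cls, flows in partition(SAMPLE_FLOWS).items():
        print(f"{cls}: {len(flows)} record(s)    {rwfilter_command(cls)}")
```

Records in the ext2ext bucket are the ones the rwfilter command in the reply would write to ext2ext.rw; the other three buckets show how the same two switches, negated or not, select the remaining classes.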


-----Original Message-----
From: Hosam Hittini <hosam.hittini at ies.etisalat.ae>
Date: Wed, 2 Sep 2015 08:31:47 +0400
To: <netsa-tools-discuss at cert.org>
Cc: 'Majid Qureshi' <mmajid at ies.etisalat.ae>
Subject: [netsa-tools-discuss] Using rwfilter to search a generated record file

Hi,


If I generated a record file from a PCAP file using rwp2yaf2silk

Would rwfilter be able to determine if the traffic in that file is external
to external according to its configuration?

Thanks in advance


Regards,

Hosam Hittini

M: +971 50 3343 585

System Security Maintenance & Support

Etisalat
