[netsa-tools-discuss] results with rwfilter

Kirk Olson Kirk_Olson at secura.net
Tue Apr 14 14:15:20 EDT 2020


This is a listing of the files from that date and time range for the ‘other’ interface:

root at ho-nflo-p01:/var/silk/data/ACIDVS/other/2020/04/10
# ls -l
total 1374016
-rw-r--r--. 1 root root 44224150 Apr  9 20:01 other-ACIDVS_20200410.00
-rw-r--r--. 1 root root 43200665 Apr  9 21:01 other-ACIDVS_20200410.01
-rw-r--r--. 1 root root 41982301 Apr  9 22:01 other-ACIDVS_20200410.02
-rw-r--r--. 1 root root 42619125 Apr  9 23:01 other-ACIDVS_20200410.03
-rw-r--r--. 1 root root 41649718 Apr 10 00:01 other-ACIDVS_20200410.04
-rw-r--r--. 1 root root 41644788 Apr 10 01:01 other-ACIDVS_20200410.05
-rw-r--r--. 1 root root 42162897 Apr 10 02:01 other-ACIDVS_20200410.06
-rw-r--r--. 1 root root 41727902 Apr 10 03:01 other-ACIDVS_20200410.07
-rw-r--r--. 1 root root 42424289 Apr 10 04:01 other-ACIDVS_20200410.08
-rw-r--r--. 1 root root 42407836 Apr 10 05:01 other-ACIDVS_20200410.09
-rw-r--r--. 1 root root 43920145 Apr 10 06:01 other-ACIDVS_20200410.10
-rw-r--r--. 1 root root 49540809 Apr 10 07:01 other-ACIDVS_20200410.11
-rw-r--r--. 1 root root 71051606 Apr 10 08:01 other-ACIDVS_20200410.12
-rw-r--r--. 1 root root 90763427 Apr 10 09:01 other-ACIDVS_20200410.13
-rw-r--r--. 1 root root 88600482 Apr 10 10:01 other-ACIDVS_20200410.14
-rw-r--r--. 1 root root 87345780 Apr 10 11:01 other-ACIDVS_20200410.15
-rw-r--r--. 1 root root 83427188 Apr 10 12:01 other-ACIDVS_20200410.16
-rw-r--r--. 1 root root 80043063 Apr 10 13:01 other-ACIDVS_20200410.17
-rw-r--r--. 1 root root 80887265 Apr 10 14:01 other-ACIDVS_20200410.18
-rw-r--r--. 1 root root 80369211 Apr 10 15:01 other-ACIDVS_20200410.19
-rw-r--r--. 1 root root 73476544 Apr 10 16:01 other-ACIDVS_20200410.20
-rw-r--r--. 1 root root 62093703 Apr 10 17:01 other-ACIDVS_20200410.21
-rw-r--r--. 1 root root 47637669 Apr 10 18:01 other-ACIDVS_20200410.22
-rw-r--r--. 1 root root 43749258 Apr 10 19:01 other-ACIDVS_20200410.23

From: Timur David Snoke <tdsnoke at cert.org>
Sent: Tuesday, April 14, 2020 12:24 PM
To: Kirk Olson <Kirk_Olson at secura.net>; Angela Horneman <ahorneman at cert.org>; netsa-tools-discuss at cert.org
Subject: Re: [netsa-tools-discuss] results with rwfilter

Hi Kirk,

Your selection criteria might be too limiting; in the example that you presented, you are looking for any UDP traffic to or from 172.18.18.151 between April 10 at 09:00 and April 12 at 11:00.

Try something that you know will get a result for a shorter time period to get a quicker validation that you have content.

rwfilter --start=2020/04/10T09 --sensor=ACIDVS --type=all --protocol=0- --pass=/tmp/netstat/ACIDVS-2020041009.rw --site-config-file=/var/silk/data/silk.conf

This will query for all traffic seen by the sensor during the hour of April 10 at 09:00 and write it to a file.

You can also look at your data repository for the date/time in question and confirm that you have content.

-Timur Snoke

From: netsa-tools-discuss-bounces+tdsnoke=cert.org at cert.org on behalf of Kirk Olson <Kirk_Olson at secura.net>
Date: Tuesday, April 14, 2020 at 1:07 PM
To: Angela Horneman <ahorneman at cert.org>, netsa-tools-discuss at cert.org
Subject: Re: [netsa-tools-discuss] results with rwfilter

My apologies Angela, this is the command which returns no data:

rwfilter --start=2020/04/10T09 --end=2020/04/12T11 --sensor=ACIDVS --type=all --any-address=172.18.18.151 --protocol=17 --pass=/tmp/netstat/HOCA01udp.rw --site-config-file=/var/silk/data/silk.conf


From: Angela Horneman <ahorneman at cert.org>
Sent: Tuesday, April 14, 2020 11:52 AM
To: Kirk Olson <Kirk_Olson at secura.net>; netsa-tools-discuss at cert.org
Subject: Re: [netsa-tools-discuss] results with rwfilter

Hi Kirk,

In the command below you have a start year of 2020 and an end of 2015.


Angela Horneman
Situational Awareness Analysis Team Lead
CMU/SEI/CERT



From: netsa-tools-discuss-bounces+ahorneman=cert.org at cert.org on behalf of Kirk Olson <Kirk_Olson at secura.net>
Date: Tuesday, April 14, 2020 at 12:46 PM
To: netsa-tools-discuss at cert.org
Subject: [netsa-tools-discuss] results with rwfilter

I have been using the following rwfilter command to pull data from a sensor named ACIDVS:

rwfilter --start=2020/04/10T09 --end=2015/06/17T11 --sensor=ACIDVS --type=all --any-address=172.18.18.151 --protocol=17 --pass=HOCA01udp.rw

rwfilter does build a resultant file with headers in the top row but there is no data from the sensor in the file. Is there something simple I am missing here? I have read the docs and it is not obvious to me where I might be going wrong.

Thank you for your time.
-Kirk


Kirk Olson
Information Security Engineer
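The two checks this thread arrives at, that the start stamp must not be later than the end stamp (Angela's point about Kirk's original command) and that the repository should actually hold hour files for the window before a long query is run (Timur's point), as an added shell example. This is not code from the thread or from the SiLK tools. It assumes the repository layout visible in Kirk's listing ($REPO/SENSOR/TYPE/YYYY/MM/DD/TYPE-SENSOR_YYYYMMDD.HH); sites lay out their repositories differently, so the path template is the thing to adjust. The function names (silk_fields, window_ok, next_day, missing_hours, make_demo_repo) are mine, and the sample repository the script builds under a temporary directory is constructed, not real data.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SiLK project: pre-flight
# checks before a long rwfilter run. Two things are checked:
#   1. the start stamp is not later than the end stamp (Angela's point);
#   2. hour files exist in the repository for the window (Timur's point).
# Repository layout is assumed from Kirk's listing:
#   $REPO/$SENSOR/$TYPE/YYYY/MM/DD/$TYPE-${SENSOR}_YYYYMMDD.HH
# Adjust the path template in missing_hours to match your own site.

# silk_fields YYYY/MM/DD[THH] -> "YYYY MM DD HH" (hour defaults to 00)
silk_fields() {
    k_ts=$1
    k_y=${k_ts%%/*}; k_rest=${k_ts#*/}
    k_m=${k_rest%%/*}; k_rest=${k_rest#*/}
    k_d=${k_rest%%T*}
    case $k_rest in *T*) k_h=${k_rest#*T} ;; *) k_h=00 ;; esac
    case $k_h in ?) k_h=0$k_h ;; esac
    printf '%s %s %s %s\n' "$k_y" "$k_m" "$k_d" "$k_h"
}

# silk_key YYYY/MM/DD[THH] -> YYYYMMDDHH, an integer that orders like time
silk_key() { silk_fields "$1" | tr -d ' '; }

# window_ok START END -> exit 0 when START <= END, 1 otherwise
window_ok() { [ "$(silk_key "$1")" -le "$(silk_key "$2")" ]; }

# next_day YYYY MM DD -> "YYYY MM DD" of the following day (Gregorian rules)
next_day() {
    n_y=$1; n_m=${2#0}; n_d=${3#0}
    case $n_m in
        1|3|5|7|8|10|12) n_dim=31 ;;
        4|6|9|11)        n_dim=30 ;;
        2) if [ $((n_y % 4)) -eq 0 ] && { [ $((n_y % 100)) -ne 0 ] || [ $((n_y % 400)) -eq 0 ]; }
           then n_dim=29; else n_dim=28; fi ;;
    esac
    n_d=$((n_d + 1))
    if [ "$n_d" -gt "$n_dim" ]; then n_d=1; n_m=$((n_m + 1)); fi
    if [ "$n_m" -gt 12 ]; then n_m=1; n_y=$((n_y + 1)); fi
    printf '%04d %02d %02d\n' "$n_y" "$n_m" "$n_d"
}

# missing_hours REPO SENSOR TYPE START END
# Prints the path of every hour file the window needs that is not present.
# A reversed window is reported on stderr instead of silently matching nothing.
missing_hours() {
    repo=$1; sensor=$2; ftype=$3
    window_ok "$4" "$5" || { echo "start $4 is after end $5: nothing can match" >&2; return 1; }
    last=$(silk_key "$5")
    set -- $(silk_fields "$4")
    y=$1; m=$2; d=$3; h=$4
    while [ "$y$m$d$h" -le "$last" ]; do
        f="$repo/$sensor/$ftype/$y/$m/$d/$ftype-${sensor}_$y$m$d.$h"
        [ -f "$f" ] || echo "$f"
        h=$(printf '%02d' $(( ${h#0} + 1 )))
        if [ "$h" -gt 23 ]; then
            h=00
            set -- $(next_day "$y" "$m" "$d")
            y=$1; m=$2; d=$3
        fi
    done
}

# missing_count REPO SENSOR TYPE START END -> number of absent hour files
missing_count() { missing_hours "$@" | wc -l | tr -d ' '; }

# Constructed sample repository (not real data): all 24 hour files for
# 2020/04/10, as in Kirk's listing, and only hours 00-05 for 2020/04/11.
make_demo_repo() {
    r=$(mktemp -d)
    mkdir -p "$r/ACIDVS/other/2020/04/10" "$r/ACIDVS/other/2020/04/11"
    i=0
    while [ "$i" -le 23 ]; do
        hh=$(printf '%02d' "$i")
        : > "$r/ACIDVS/other/2020/04/10/other-ACIDVS_20200410.$hh"
        if [ "$i" -le 5 ]; then
            : > "$r/ACIDVS/other/2020/04/11/other-ACIDVS_20200411.$hh"
        fi
        i=$((i + 1))
    done
    echo "$r"
}

# Demo run against the constructed repository
REPO=$(make_demo_repo)
if window_ok 2020/04/10T09 2015/06/17T11; then echo "window ordered"
else echo "2020/04/10T09 .. 2015/06/17T11: start is after end"; fi
echo "hour files absent for 2020/04/10T09 .. 2020/04/11T11:"
missing_hours "$REPO" ACIDVS other 2020/04/10T09 2020/04/11T11
rm -rf "$REPO"
```

Run it with the real repository root, sensor and type before a multi-day rwfilter: every path missing_hours prints is an hour for which no flows can come back whatever the address or protocol filter says, so an output file with only headers for that span is expected rather than a sign of a bad filter. The window check catches the 2020-to-2015 mix-up from Kirk's first command before any time is spent on the query.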