[netsa-tools-discuss] SiLK — rwscan

Mark Thomas mthomas at cert.org
Mon Aug 24 18:45:08 EDT 2020


Chris-

The textual output contains the IP of the scanner (sip column), the protocol (proto), and the times when the scanner was active (stime and etime):

             sip| proto|                   stime|                   etime|     flows|   packets|     bytes|
     10.15.3.105|     6|     2009-02-14 07:50:23|     2009-02-14 07:56:52|       256|       256|     10240|
   10.36.235.163|     6|     2009-02-13 12:59:49|     2009-02-13 13:06:35|       256|       256|     10240|


To find the IPs in your network that were targets of scanning, you first need to write an rwfilter query that uses those columns as the values to partition on.  As an example, for the first row:

  rwfilter --type=in,inweb \
    --saddr=10.15.3.105 \
    --proto=6 \
    --start-date=2009/02/14T07 \
    --stime=2009/02/14T07:50:23 \
    --etime=2009/02/14T07:56:52 \
    --pass=scanning-activity.rw

Once you have the scanning-activity.rw file, you can get the destination IPs (the targets) by using rwset and rwsetcat:

  rwset --dip=target-ips.set scanning-activity.rw

  rwsetcat target-ips.set

Doing that for every row of output would be annoying, but it is doable with a script written in Python or Perl.

For something less precise (in that it may include IPs that were not part of the scan), you use the first column to make an IPset and then look for any activity from those IPs.  If you only use rows that use the same protocol and occur around the same time, you may include those limits in your rwfilter invocation.

I do not see how bag files integrate with rwscan.  If you could provide more information on what you are trying to do, I may be able to provide a better answer.

The threshold random walk (TRW) scan analysis needs to have a set of internal IPs that you are checking as being the target of a scan.  That set could contain only a few IPs or it could contain your entire internal network.

The rwscan analysis should be run on incoming data (--type=in,inweb).  After you have identified scan traffic, you could look at the outgoing data to determine if there were responses to the scan.

Finally, note that rwscan has tuning parameters whose default values have not been modified in many years, so I do not know how accurate it is when checking today's network traffic using the default settings.

-Mark
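
A script of the kind the reply mentions, added here as an example that is not part of the original message: it parses rwscan's pipe-delimited text output and builds the rwfilter, rwset and rwsetcat invocations for every row. The function names are mine, and adding --end-date (taken from the hour of etime) is my assumption so that a scan which crosses an hour boundary is still read from the repository.

```python
# Added example: turn each row of rwscan's text output into the rwfilter / rwset /
# rwsetcat commands from the reply above (function names and --end-date are assumptions).
import subprocess
import sys

# Constructed sample: the two rwscan rows shown in the message.
SAMPLE = """\
             sip| proto|                   stime|                   etime|     flows|   packets|     bytes|
     10.15.3.105|     6|     2009-02-14 07:50:23|     2009-02-14 07:56:52|       256|       256|     10240|
   10.36.235.163|     6|     2009-02-13 12:59:49|     2009-02-13 13:06:35|       256|       256|     10240|
"""

def parse_rwscan_output(text):
    """Parse pipe-delimited rwscan rows into dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].rstrip("|").split("|")]
    return [dict(zip(header, (f.strip() for f in ln.rstrip("|").split("|"))))
            for ln in lines[1:]]

def to_silk_time(ts):
    """'2009-02-14 07:50:23' -> '2009/02/14T07:50:23', the form used in the reply."""
    date, clock = ts.split(" ")
    return date.replace("-", "/") + "T" + clock

def build_commands(row, outfile):
    """argv lists for one scanner row: rwfilter, then rwset, then rwsetcat."""
    stime, etime = to_silk_time(row["stime"]), to_silk_time(row["etime"])
    rwfilter = ["rwfilter", "--type=in,inweb", "--saddr=" + row["sip"],
                "--proto=" + row["proto"],
                # repository hours to read; --end-date (assumption, not in the
                # reply) keeps scans that cross an hour boundary covered
                "--start-date=" + stime[:13], "--end-date=" + etime[:13],
                "--stime=" + stime, "--etime=" + etime, "--pass=" + outfile]
    setfile = outfile[:-3] + ".set" if outfile.endswith(".rw") else outfile + ".set"
    return [rwfilter, ["rwset", "--dip=" + setfile, outfile], ["rwsetcat", setfile]]

def main():
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()  # or pipe rwscan output in
    for i, row in enumerate(parse_rwscan_output(text)):
        for argv in build_commands(row, "scan-%d.rw" % i):
            print(" ".join(argv))
            if "--run" in sys.argv:  # needs the SiLK tools on PATH
                subprocess.run(argv, check=True)

if __name__ == "__main__":
    main()
```

Without --run the script only prints the commands it would execute, so you can review them first; pipe real rwscan output into it on stdin to process your own rows.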


-----Original Message-----
From: Chris Frazier <chris200712 at icloud.com>
Date: Wed, 19 Aug 2020 21:58:28 -0400
To: Daniel J Ruef <druef at cert.org>, "netsa-tools-discuss at cert.org"
	<netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] SiLK — rwscan

Any chance I could get clarification on rwscan and the usage of bags to detect scanning activity?

In identifying that an external host is a scanner, how can one find who
is being scanned? Is this where the internal set comes to play? Would
you utilize type=in to identify pivots? When incorporating rwscan with
bags, can I define custom alerting options where pipeline creates
ascii alerts in an entirely separate location than alerts defined in
separate .conf files?

Thank you!!



Sent from my iPhone

