



Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
A comprehensive overview of network security monitoring (nsm), focusing on session data, flow records, and the silk toolset for analysis. it details various flow record types, generation approaches (hardware and software), and the functionalities of tools like netflow, ipfix, and silk. The document also explains data filtering and analysis techniques using silk's rwfilter and rwcut tools, along with argus, another flow analysis suite. the educational value lies in its practical explanation of network monitoring concepts and tools.
Typology: Exams
1 / 6
This page cannot be seen from the preview
Don't miss anything!




Session data - correct answer Session data is the summary of the communication between two network devices This summary data is one of the most flexible and useful forms of NSM data It is also known as a conversation or a flow Session data doesn't give you the "What", but it does give you the "Who, Where and When" It has smaller size and is much quicker to parse and analyze Session Data - correct answer Transport Protocol Source IP address and port Destination IP address and port Timestamp of when the communication began and ended Amount of data transferred between two devices Flow Records - correct answer A flow record is an aggregated record of packets The aggregation can occur differently depending upon which tool is being used to generate and parse the data A flow record is identified based upon five attributes that make up the standard 5-tuple Data will be appended to same flow record as long as packets matching the 5-tuple attribute values are observed Flow Record Types - correct answer NetFlow IPFIX Other Flow Types Flow Record Termination Condition - correct answer 1. Natural Timeout: Communication naturally ends based upon a specification of the protocol e.g. RST packets or FIN sequences in TCP.
SiLK Packing Toolset - 1 - correct answer The SiLK packing system has eight different tools used to accept and legitimize incoming flows As previously mentioned, rwflowpack is a tool used to accept flow data from flow generators defined by SiLK's two primary configuration files, silk.conf and sensor. conf, and then convert and sort the data into specific binary files suitable for SiLK's analysis suite to parse. Forwarding flow data directly to an rwflowpack listener is the least complicated method of generating SiLK session data. Often the need arises for an intermediary to temporarily store and forward data between the generator and collector. For this, flowcap can be utilized SiLK Packing Toolset - 2 - correct answer In most cases, flowcap can be considered a preprocessor to rwflowpack in that it first takes the flow data and sorts it into appropriate bins based on flow source and a unit or time variable. The SiLK documentation describes this as storing the data in "one file per source per quantum," with a quantum being either a timeout or a maximum file size. The packing system also has a number of postprocessing abilities with tools such as rwflowappend, rwpackchecker, and rwpollexec. Rwflowappend and Rwpackchecker do exactly what they say; rwflowappend will append SiLK records to existing records and rwpackchecker checks for data integrity and SiLK file corruptions. SiLK Packing Toolset - 3 - correct answer Rwpollexec will monitor the incoming SiLK data files and run a user-specified command against each one. Rwflowappend, rwpackchecker and rwpollexec can be referred to as postprocessors because they further massage the SiLK data after rwflowpack has converted the raw flows into binary SiLK files. The moral of this story is that there are more than enoughways to get your data to rwflowpack for conversion into SiLK binary files SiLK Flow Types - correct answer In: Inbound to a device on an internal network Out: Outbound to a device on an external network Int2int: From an internal network to same or another internal network
Ext2ext: From an external network to same or another external network Inweb: Inbound to a device on an internal network using either port 80, 443 or 8080 Outweb: Outbound to a device on an external network using either port 80, 443 or 8080 Inicmp: Inbound to a device on an internal network using ICMP Outicmp: Outbound to a device on an external network using ICMP Innull: Inbound filtered traffic or inbound traffic to null-ipblocks Outnull: Outbound filtered traffic or outbound traffic to null-ipblocks Other: Source not internal or external, or destination not internal or external Filtering Flow Data with Rwfilter - correct answer Rwfilter is the most commonly used tool in SiLK Rwfilter takes the SiLK binary files and filters through them to provide only the specific data that the analyst requires With it any analyst can focus the scope of a network incident with a speed unmatched by any other data type SiLK can be used to either resolve network incidents, or to filter down a large data set to a manageable size Piping Data Between Rwtools - correct answer A number of rwtools are available for piping data from one rwtool to another Rwfilter strictly manipulates and narrows down data fed to it from binary files and reproduces other binary files based on filter options Binary data can be piped to rwcut in order to convert it to human readable ASCII data in the terminal window Rwcut is the most basic rwtool used to translate data to an analyst in a readable form Collecting and Analyzing Flow Data with Argus - correct answer It provides a comprehensive systematic view of all network traffic in real time Argus is a bi-directional flow analysis suite that tracks both sides of network conversations Argus has its own statistical analysis tools and detection/alerting mechanisms Argus Solution Architecture - correct answer Argus consists of two main packages as