CERT

Normally SiLK flow records are stamped with a class and type as they are recorded in the repository. However, if you are importing raw packet data, or need to correct records that were inadvertently given the wrong class/type, that is easy to fix with pySiLK.

The example below sets the class to "all" and assigns a type of in, inweb, out or outweb to each record in an input file. The direction (in or out) is determined by an IPset that represents the internal network: a record whose source address is in the set is outbound, one whose destination address is in the set is inbound, and traffic that neither comes from nor goes to the internal network is discarded in this example. Web and non-web flows are separated by port (80, 443 or 8080 on either end of the flow).

SetClassType.py
#!/usr/bin/env python

from silk import *
import silk.site
import sys                              # for command line args

webports    = (80, 443, 8080)
inwebtype   = ("all", "inweb")
intype      = ("all", "in")
outwebtype  = ("all", "outweb")
outtype     = ("all", "out")

def main():

    if len(sys.argv) != 4:
        print("Usage:  %s infile setfile outfile" % sys.argv[0])
        sys.exit(1)

    #  load the site configuration (silk.conf); the class/type names
    #  assigned below must be defined there for rec.classtype to accept them
    silk.site.init_site()

    #  open the SiLK file for reading
    infile = SilkFile(sys.argv[1], READ)

    #  open the set file which represents my internal network
    setfile = IPSet.load(sys.argv[2])

    #  open the modified output file
    outfile = SilkFile(sys.argv[3], WRITE)

    #  loop over the records in the file, set the class/type and write the update:
    for rec in infile:
        #
        #  If the src ip is in the set, it's going out.
        #  If the dst ip is in the set, it's coming in.
        #  If neither IP is in the set, discard the record.
        #  (If both IPs are in the set, the src test is made first, so the
        #  record is labelled out/outweb.)
        #
        if (rec.sport in webports) or (rec.dport in webports):
            if rec.sip in setfile:
                rec.classtype = outwebtype
                outfile.write(rec)
            elif rec.dip in setfile:
                rec.classtype = inwebtype
                outfile.write(rec)
        else:
            if rec.sip in setfile:
                rec.classtype = outtype
                outfile.write(rec)
            elif rec.dip in setfile:
                rec.classtype = intype
                outfile.write(rec)

    #  clean up
    outfile.close()
    infile.close()

if __name__ == '__main__':
    main()
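The same class/type decision, re-implemented on plain Python tuples so the rule can be unit-tested (or applied to flows exported with rwcut) on a machine without pySiLK. This is an added example, not code from the CERT page; the internal network is a constructed list of CIDR blocks standing in for the IPset, and build_internal/classify/relabel are hypothetical helper names. It generalises the script slightly by accepting IPv6 addresses and by documenting the both-endpoints-internal case.

```python
import ipaddress

WEB_PORTS = {80, 443, 8080}
# the (class, type) labels exactly as SetClassType.py assigns them
INWEB, IN = ("all", "inweb"), ("all", "in")
OUTWEB, OUT = ("all", "outweb"), ("all", "out")

def build_internal(cidrs):
    """Stand-in for the IPset file: a list of ip_network objects (constructed)."""
    return [ipaddress.ip_network(c) for c in cidrs]

def is_internal(ip, internal):
    """True if the address (IPv4 or IPv6 string) falls in any internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal)

def classify(sip, dip, sport, dport, internal):
    """Return the (class, type) tuple for one flow, or None to discard it.
    Same order of tests as the script: web ports, then source address, then
    destination address.  A flow whose endpoints are BOTH internal is labelled
    out/outweb because the source test is made first.
    """
    web = sport in WEB_PORTS or dport in WEB_PORTS
    if is_internal(sip, internal):
        return OUTWEB if web else OUT
    if is_internal(dip, internal):
        return INWEB if web else IN
    return None  # neither endpoint is internal: the record is dropped

def relabel(flows, internal):
    """Apply classify() to (sip, dip, sport, dport) tuples; keep labelled ones."""
    kept = []
    for sip, dip, sport, dport in flows:
        ct = classify(sip, dip, sport, dport, internal)
        if ct is not None:
            kept.append((sip, dip, sport, dport, ct))
    return kept

if __name__ == "__main__":
    net = build_internal(["10.0.0.0/8", "2001:db8::/32"])  # constructed
    sample = [  # constructed flows, not real data
        ("10.1.2.3", "198.51.100.7", 51234, 443),  # out to a web server
        ("198.51.100.7", "10.1.2.3", 443, 51234),  # the reply: inweb
        ("2001:db8::1", "10.9.9.9", 40000, 22),    # both internal: out
        ("192.0.2.1", "198.51.100.7", 1, 2),       # neither: dropped
    ]
    for row in relabel(sample, net):
        print(row)
```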
