CERT

Prefix maps (pmaps) are an extremely useful way to associate arbitrary values with address ranges. The values can be used in rwfilter queries and in many other SiLK tools, including rwsort, rwuniq and rwcut. However, when writing the text version of a prefix map, be sure to list the most general address blocks first: a later entry overrides earlier entries wherever their ranges overlap.

For example, suppose we administer the address block 12.0.0.0/8, and would like to report on address ranges delegated within the organization. A prefix map can be used as follows to show utilization for each address block, as well as unallocated (and presumably unauthorized) usage.

  $ cat network.pmap.txt
  12.0.0.0/8 Assigned, Unallocated
  12.1.0.0/16 RESERVED
  12.38.0.0/16 Client Network 1
  12.127.0.0/16 Data Center (Primary)
  12.130.0.0/16 Client Network 2
  12.154.0.0/16 Client Network 3
  12.186.0.0/16 Data Center (Secondary)
  12.210.0.0/16 RESERVED

  $ rwpmapbuild --in=network.pmap.txt --out=network.pmap

  $ rwfilter --start=2007/07/30:00 --saddr=12.x.x.x --pass=stdout \
     | rwuniq --pmap-file=network.pmap --fields=sval --bytes

                     sval|               Bytes|
                 RESERVED|               39749|
    Data Center (Primary)|               87621|
    Assigned, Unallocated|             4296212|
         Client Network 2|              545848|
  Data Center (Secondary)|               18228|
         Client Network 1|              112404|
         Client Network 3|               68820|

If we instead placed the most general entry at the bottom, it would overwrite the other entries:

  $ cat network.pmap.txt

  12.1.0.0/16 RESERVED
  12.38.0.0/16 Client Network 1
  12.127.0.0/16 Data Center (Primary)
  12.130.0.0/16 Client Network 2
  12.154.0.0/16 Client Network 3
  12.186.0.0/16 Data Center (Secondary)
  12.210.0.0/16 RESERVED
  12.0.0.0/8 Assigned, Unallocated

  $ rwpmapbuild --in=network.pmap.txt --out=network.pmap

  $ rwfilter --start=2007/07/30:00 --saddr=12.x.x.x --pass=stdout \
     | rwuniq --pmap-file=network.pmap --fields=sval --bytes

                      sval|               Bytes|
     Assigned, Unallocated|             5168882|

  $ rwpmapcat --map-file=network.pmap

           ipBlock|                  label|
         0.0.0.0/5|                UNKNOWN|
         8.0.0.0/6|                UNKNOWN|
        12.0.0.0/8|  Assigned, Unallocated|
        13.0.0.0/8|                UNKNOWN|
        14.0.0.0/7|                UNKNOWN|
        16.0.0.0/4|                UNKNOWN|
        32.0.0.0/3|                UNKNOWN|
        64.0.0.0/2|                UNKNOWN|
       128.0.0.0/1|                UNKNOWN|

Note

rwpmapcat lists all possible addresses from 0.0.0.0 to 255.255.255.255 and their labels.
The default label is "UNKNOWN" unless the default is set to something else.

The best way to make sure your entries are properly ordered is to explicitly order them before compiling the prefix map. When the data uses the CIDR-block format, a sort command will often produce the proper output:

  $ cat network.pmap.txt

  12.1.0.0/16 RESERVED
  12.38.0.0/16 Client Network 1
  12.127.0.0/16 Data Center (Primary)
  12.130.0.0/16 Client Network 2
  12.154.0.0/16 Client Network 3
  12.186.0.0/16 Data Center (Secondary)
  12.210.0.0/16 RESERVED
  12.0.0.0/8 Assigned, Unallocated

  $ sort -n -k 2 -t "/" network.pmap.txt   # Sort by prefix length (short prefix = large netblock)

  12.0.0.0/8 Assigned, Unallocated
  12.1.0.0/16 RESERVED
  12.127.0.0/16 Data Center (Primary)
  12.130.0.0/16 Client Network 2
  12.154.0.0/16 Client Network 3
  12.186.0.0/16 Data Center (Secondary)
  12.210.0.0/16 RESERVED
  12.38.0.0/16 Client Network 1
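To see why ordering matters before running rwpmapbuild, the following added example (not part of the original page or of SiLK) simulates the overwrite rule the page describes, flags entries that a later, broader block would hide, and reorders the file by prefix length; the pmap text is the mis-ordered sample from the page, embedded inline.

```python
import ipaddress

# Constructed sample: the mis-ordered pmap text from the page,
# with the most general /8 entry placed last.
PMAP_TEXT = """\
12.1.0.0/16 RESERVED
12.38.0.0/16 Client Network 1
12.127.0.0/16 Data Center (Primary)
12.130.0.0/16 Client Network 2
12.154.0.0/16 Client Network 3
12.186.0.0/16 Data Center (Secondary)
12.210.0.0/16 RESERVED
12.0.0.0/8 Assigned, Unallocated
"""

def parse_pmap(text):
    """Parse 'CIDR label' lines into (network, label) pairs; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cidr, label = line.split(None, 1)
        entries.append((ipaddress.ip_network(cidr, strict=False), label))
    return entries

def lookup(entries, ip, default="UNKNOWN"):
    """Resolve an address as the page describes rwpmapbuild's behaviour:
    entries apply in file order, and a later overlapping entry overwrites
    an earlier one (this is a simulation, not SiLK's own lookup code)."""
    addr = ipaddress.ip_address(ip)
    label = default
    for net, lab in entries:
        if addr in net:
            label = lab
    return label

def shadowed(entries):
    """Return the CIDRs that a later, broader entry completely hides."""
    hidden = []
    for i, (net, _) in enumerate(entries):
        for later_net, _ in entries[i + 1:]:
            if net != later_net and net.subnet_of(later_net):
                hidden.append(str(net))
                break
    return hidden

def order_general_first(entries):
    """Stable sort by prefix length: broadest blocks first, so the more
    specific blocks listed afterwards override them."""
    return sorted(entries, key=lambda e: e[0].prefixlen)
```

Running `shadowed(parse_pmap(PMAP_TEXT))` on the sample lists all seven /16 blocks, and after `order_general_first` the list is empty while `12.38.1.1` resolves to `Client Network 1` instead of `Assigned, Unallocated`.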