Analysis Pipeline 4.5.1

The Analysis Pipeline is designed to run as a daemon as part of the SiLK collection and packing process, where it inspects every SiLK Flow record as the records are created. The Analysis Pipeline supports several analyses, including watch list alerting, beacon detection, passive FTP detection, and IPv6 tunnel detection. The textual output from the Analysis Pipeline can be fed to a security information and event manager (SIEM).

Analysis Pipeline 5.11.3

The Analysis Pipeline 5.11 is a streaming analysis tool that can process more than just the SiLK flows handled by version 4.x: it can now process YAF records and raw IPFIX records as well. It can do all of the analyses available in version 4.x. A notable enhancement is expansive DNS record processing, including fast flux detection and domain name watchlisting.

CERT IPFIX Registry
The CERT IPFIX Registry is a list of Private Enterprise IPFIX elements that have been defined by CERT to extend the list of IPFIX elements defined by IANA. These elements are used and generated by other tools in the CERT NetSA Security Suite.

fixbuf 2.4.1

The fixbuf library provides a set of functions for processing the IPFIX protocol message format. Using fixbuf, developers can build IPFIX Collecting and Exporting Processes. pyfixbuf provides a Python API to the fixbuf library.

IPA 0.5.2

IP Association (IPA) is a suite of tools and libraries which aims to provide a flexible repository of IP address data and metadata.

iSiLK 0.6.2

iSiLK is a graphical front-end for the SiLK tools, designed to work with an existing installation of the SiLK analysis suite. The application uses the SSH protocol to connect to an analysis server, run SiLK command-line tools and copy data files. It provides an easy-to-use alternative interface to the core functionality of the SiLK tool suite.

netsa-python 1.5

The netsa-python library is a grab-bag of Python routines and frameworks that we have found helpful when developing analyses using the SiLK toolkit.

Orcus 1.0.3

Orcus is a system for analyzing passively-collected DNS information. It includes a capability for analyzing all DNS information that has been seen (the “resource record database”), as well as a faster name-to-address mapping with daily resolution (the “name database”).

Perl Extensions

CERT has written several Perl XS extensions to enable use of SiLK and other networking and packet-related libraries in Perl.

pyfixbuf 0.8.1

pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building collecting and exporting processes. pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX. Mediators are useful in modifying, filtering, or adding to the content of the message before forwarding to another IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).

Rayon 1.4.3

Rayon is a Python library and set of tools for generating basic two-dimensional statistical visualization. Rayon can be used to automate reporting; provide command-line, GUI or web applications; or do ad-hoc exploratory data analysis.

schemaTools 1.3

schemaTools is a library of middleware for the Analysis Pipeline that provides a standard way of describing data upon arrival.

SiLK 3.19.1

The System for Internet Level Knowledge (SiLK) is an efficient network flow collection and storage infrastructure that will accept flow data from a variety of sensors. SiLK also provides a suite of efficient command-line tools for analysis.

SiLK IPset 3.18.0

SiLK IPset is a subset of the SiLK distribution that packages the command line tools to manipulate IPsets and a smaller version of the SiLK library for manipulating IPsets. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.

snarf 0.3.0

snarf is a distributed alert reporting system. Applications can use snarf's libraries to send network alert messages, which can then be routed to multiple destinations in a configurable manner. snarf is designed to allow application and script developers to emit network alert messages without being concerned with the details of how the messages will be formatted downstream, or what destinations they will be routed to.

super_mediator 1.8.0

super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data and forwards it to various IPFIX collecting processes and/or CSV files. super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.

YAF 2.12.1

Yet Another Flow Sensor (YAF) processes packet data into bidirectional flow records that can be used as input to an IPFIX Collecting Process. YAF's output can be used with super_mediator, Pipeline 5, and the SiLK tools.