Software Engineering Institute

SEI Blog

Baseline Network Flow Examples

Angela Horneman

March 20, 2015

PUBLISHED IN

CERT/CC Vulnerabilities

TAGS

Network Situational Awareness Security Vulnerabilities CERT/CC

Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful.

We have been looking at implementing Network Profiling in Analysis Pipeline to automatically generate lists of active servers and to alert when new IPs start acting as servers. As part of this initiative, we started looking at alternatives to using flags in the identification process, since not all collection methods capture TCP flag data. In this process, I looked for example network flows for verified services.

I found pcaps and some network flows that probably had the examples of the services, but I didn't find any network flows explicitly for most of the services we are profiling. Because of that, I generated my own examples and am sharing them since I am sure others will find them helpful. Stay tuned since further developments related to profiling methods should be coming in the near future.

I generated flows for TELNET, FTP, PPTP, DNS, HTTP, SSH, and NTP as services we are working to profile. For each TELNET, FTP, PPTP, DNS, and SSH, the servers were configured on a Fedora LinuxVM, equipped with YAF and SiLK. I generated flows with a Fedora Linux box as the client, and I repeated this with a Windows 7 Enterprise box as the client for most services. Flow fields in the examples are as seen in SiLK.

The examples appear below. Do you have samples of other services or do you access these services with other operating systems? If so, please share! Reach us online at http://www.cert.org/netsa/contact.cfm.

SSH

Fedora Linux

OpenSSH server, accessed with ssh command. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.2	10.10.0.1	36257	22	6	42	5449	FSPA	48.01.120
10.10.0.1	10.10.0.2	22	36257	6	33	4829	FSPA	48.01.120

Windows 7 Enterprise

OpenSSH server, accessed with Putty. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.2	10.10.0.1	22	61808	6	48	5256	FSPA	02:46.642
10.10.0.1	10.10.0.2	61808	22	6	45	7377	FSPA	02:46.642

TELNET

Fedora Linux

Accessed with telnet command. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.2	10.10.0.1	37945	23	6	52	2947	FSPA	50:53.200
10.10.0.1	10.10.0.2	23	37945	6	37	2265	FSPA	50:53.200

Windows 7 Enterprise

Accessed with Putty. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.2	10.10.0.1	61359	23	6	55	2317	FSPA	06:38.441
10.10.0.1	10.10.0.2	23	61359	6	42	2083	FSPA	06:38.441

Active FTP

Fedora Linux

VSFTP server, accessed with ftp command. Server is 10.10.0.2.

Client logged in, listed the directory, and then exited.

Flow 1 is command channel. Flow 2 is data channel.

FLOW	SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
1	10.10.0.1	10.10.0.2	43503	21	6	15	853	FSPA	08:14.690
1	10.10.0.2	10.10.0.1	21	43503	6	14	960	FSPA	08:14.690
2	10.10.0.2	10.10.0.1	20	51583	6	4	216	FSA	08:25.699
2	10.10.0.1	10.10.0.1	51583	20	6	2	112	FSA	08:25.699

Passive FTP

Fedora Linux

VSFTP server, accessed with ftp command. Server is 10.10.0.2.

Client logged in, listed the directory, and then exited.

Flow 1 is command channel. Flow 2 is data channel.

FLOW	SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
1	10.10.0.1	10.10.0.2	43507	21	6	15	836	FSPA	21:46.314
1	10.10.0.2	10.10.0.1	21	43507	6	14	956	FSPA	21:46.314
2	10.10.0.1	10.10.0.2	50224	10099	6	3	164	FSA	21:54.314
2	10.10.0.2	10.10.0.1	10099	50224	6	3	164	FSA	21:54.314

Windows 7 Enterprise

VSFTP server, accessed with cURL. Server is 10.10.0.2.

Client logged in, checked the current path, listed the directory, and then exited.

Flow 1 is command channel. Flow 2 is data channel.

FLOW	SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
1	10.10.0.1	10.10.0.2	61597	21	6	13	774	FSPA	23:32.990
1	10.10.0.2	10.10.0.1	21	61597	6	12	561	FSPA	23:32.990
2	10.10.0.1	10.10.0.2	10091	61598	6	4	233	FSPA	23:33.005
2	10.10.0.2	10.10.0.1	61598	10091	6	4	172	FSA	23:33.005

PPTP

Fedora Linux

Created connection with pppd call pptpserver command. Server is 10.10.0.2.

Client created connection and then closed connection. Client closing connection did not immediately close the flow.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME	DUR
10.10.0.1	10.10.0.2	57722	1723	6	11	936	FSPA	23:39.877	94.742
10.10.0.2	10.10.0.1	1723	57722	6	6	528	FSPA	23:39.877	94.742
10.10.0.1	10.10.0.2	0	0	47	10	540		23:40.890	0.530
10.10.0.2	10.10.0.1	0	0	47	10	566		23:40.890	0.530

Windows 7 Enterprise

Used Network and Sharing Center to create a connection. Server is 10.10.0.2.

Client created connection and then closed connection. Client closing connection did not immediately close the flow.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME	DUR
10.10.0.1	10.10.0.2	61327	1723	6	10	824	FSPA	07:36.522	59.847
10.10.0.2	10.10.0.1	1723	61327	6	10	600	FSPA	07:36.522	59.847
10.10.0.1	10.10.0.2	0	0	47	53	5114		07:36.533	59.203
10.10.0.2	10.10.0.1	0	0	47	44	3277		07:36.533	59.203

DNS

Fedora Linux

Generated with ping command. Server is 10.10.0.2.

Client pinged google.com.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.1	10.10.0.2	60275	53	17	1	56		02:43.290
10.10.0.2	10.10.0.1	53	60275	17	1	232		02:43.290

Windows 7 Enterprise

Generated with ping command. Client is 10.10.0.1.

Client pinged google.com.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.1	173.194.121.3	63786	53	17	1	60		15:02.949
173.194.121.3	10.10.0.1	53	63786	17	1	276		15:02.949

HTTP

Fedora Linux

Accessed with cURL. Client is 10.10.0.1.

Client got www.cmu.edu.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.1	128.2.42.52	47994	80	6	6	335	FSPA	18:37.558
128.2.42.52	10.10.0.1	80	47994	6	5	861	FSPA	18:37.558

Windows 7 Enterprise

Accessed with cURL. Client is 10.10.0.1.

Client got www.cmu.edu.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.1	128.2.42.52	61953	80	6	5	287	FSPA	46:37.801
128.2.42.52	10.10.0.1	80	61953	6	5	869	FSPA	46:37.801

NTP

Fedora Linux

Client is 10.10.0.1.

Client automatically checked time. Note: Both client and server used port 123, instead of client using an ephemeral port.

SIP	DIP	SPORT	SPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.1	216.229.4.69	123	123	17	1	76		14:24.996
216.229.4.69	10.10.0.1	123	123	17	1	76		14:24.996

Windows 7 Enterprise

Client is 10.10.0.1.

Client automatically checked time. Received unreachable message.

SIP	DIP	SPORT	DPORT	PROTOCOL	PACKETS	BYTES	FLAGS	STIME
10.10.0.1	208.75.89.4	60696	123	17	1	76		23:11.397
10.10.0.1	10.10.0.1	0	771	17	2	112		23:11.398

Written By

Angela Horneman

Digital Library Publications

Send a Message

More By The Author

Benefits and Challenges of SOAR Platforms

March 1, 2021 • By Angela Horneman, Justin Ray

Is Your Organization Using Cybersecurity Analysis Effectively?

August 31, 2020 • By Angela Horneman

AI Engineering: 11 Foundational Practices for Decision Makers

December 9, 2019 • By Ipek Ozkaya, Angela Horneman, Andrew O. Mellinger

Situational Awareness for Cybersecurity: Three Key Principles of Effective Policies and Controls

November 18, 2019 • By Angela Horneman

Situational Awareness for Cybersecurity: Assets and Risk

October 16, 2019 • By Angela Horneman, Lauren Cooper

More In CERT/CC Vulnerabilities

The Threat of Deprecated BGP Attributes

June 3, 2024 • By Leigh B. Metcalf, Timur D. Snoke

UEFI: 5 Recommendations for Securing and Restoring Trust

June 26, 2023 • By Vijay S. Sarvepalli

Vultron: A Protocol for Coordinated Vulnerability Disclosure

September 26, 2022 • By Allen D. Householder

UEFI – Terra Firma for Attackers

August 1, 2022 • By Vijay S. Sarvepalli

Probably Don’t Rely on EPSS Yet

June 6, 2022 • By Jonathan Spring

PUBLISHED IN

CERT/CC Vulnerabilities

TAGS

Network Situational Awareness Security Vulnerabilities CERT/CC

Get updates on our latest work.

Sign up to have the latest post sent to your inbox weekly.

Subscribe Get our RSS feed

More In CERT/CC Vulnerabilities

The Threat of Deprecated BGP Attributes

June 3, 2024 • By Leigh B. Metcalf, Timur D. Snoke

UEFI: 5 Recommendations for Securing and Restoring Trust

June 26, 2023 • By Vijay S. Sarvepalli

Vultron: A Protocol for Coordinated Vulnerability Disclosure

September 26, 2022 • By Allen D. Householder

UEFI – Terra Firma for Attackers

August 1, 2022 • By Vijay S. Sarvepalli

Probably Don’t Rely on EPSS Yet

June 6, 2022 • By Jonathan Spring

Get updates on our latest work.

Each week, our researchers write about the latest in software engineering, cybersecurity and artificial intelligence. Sign up to get the latest post sent to your inbox the day it's published.

Subscribe Get our RSS feed