SEI Insights

CERT/CC Blog

Vulnerability Insights

Baseline Network Flow Examples


Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service-specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful.

We have been looking at implementing Network Profiling in Analysis Pipeline to automatically generate lists of active servers and to alert when new IPs start acting as servers. As part of this initiative, we started looking at alternatives to using TCP flags in the identification process, since not all collection methods capture flag data. In this process, I looked for example network flows for verified services.

I found pcaps and some network flows that probably contained examples of the services, but I didn't find network flows explicitly labeled for most of the services we are profiling. Because of that, I generated my own examples. Stay tuned, since further developments related to profiling methods should be coming in the near future.

I generated flows for TELNET, FTP, PPTP, DNS, HTTP, SSH, and NTP, the services we are working to profile. For TELNET, FTP, PPTP, DNS, and SSH, the servers were configured on a Fedora Linux VM equipped with YAF and SiLK; the HTTP and NTP examples (and the Windows DNS example) went to servers outside the lab. I generated flows with a Fedora Linux box as the client, and I repeated this with a Windows 7 Enterprise box as the client for most services. Flow fields in the examples are as seen in SiLK. STIME shows only the minutes, seconds, and milliseconds of the start time. FLAGS is SiLK's cumulative flags field, the bitwise OR of every TCP flag seen on that side of the flow, which is why both directions of a completed session show FSPA; the field that would separate the SYN-only side from the SYN/ACK side is initialFlags, which only some collectors supply.

The examples appear below. Do you have samples of other services or do you access these services with other operating systems? If so, please share! Reach us online at http://www.cert.org/netsa/contact.cfm.

SSH

Fedora Linux

OpenSSH server, accessed with ssh command. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
10.10.0.2|10.10.0.1|36257|   22|       6|     42| 5449| FSPA|48:01.120
10.10.0.1|10.10.0.2|   22|36257|       6|     33| 4829| FSPA|48:01.120

Windows 7 Enterprise

OpenSSH server, accessed with PuTTY. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
10.10.0.2|10.10.0.1|61808|   22|       6|     48| 5256| FSPA|02:46.642
10.10.0.1|10.10.0.2|   22|61808|       6|     45| 7377| FSPA|02:46.642

TELNET

Fedora Linux

Accessed with telnet command. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
10.10.0.2|10.10.0.1|37945|   23|       6|     52| 2947| FSPA|50:53.200
10.10.0.1|10.10.0.2|   23|37945|       6|     37| 2265| FSPA|50:53.200

Windows 7 Enterprise

Accessed with PuTTY. Server is 10.10.0.1.

Client logged in, listed the directory, and then exited.

      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
10.10.0.2|10.10.0.1|61359|   23|       6|     55| 2317| FSPA|06:38.441
10.10.0.1|10.10.0.2|   23|61359|       6|     42| 2083| FSPA|06:38.441

Active FTP

Fedora Linux

VSFTP server, accessed with the ftp command. Server is 10.10.0.2.

Client logged in, listed the directory, and then exited.

Flow 1 is the control channel (client to server port 21). Flow 2 is the data channel: in active mode the server opens it, from its port 20 to the port the client announced with the PORT command, so the server is the initiator of this connection even though it is the server.

FLOW|      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
   1|10.10.0.1|10.10.0.2|43503|   21|       6|     15|  853| FSPA|08:14.690
   1|10.10.0.2|10.10.0.1|   21|43503|       6|     14|  960| FSPA|08:14.690
   2|10.10.0.2|10.10.0.1|   20|51583|       6|      4|  216|  FSA|08:25.699
   2|10.10.0.1|10.10.0.2|51583|   20|       6|      2|  112|  FSA|08:25.699

Passive FTP

Fedora Linux

VSFTP server, accessed with ftp command. Server is 10.10.0.2.

Client logged in, listed the directory, and then exited.

Flow 1 is the control channel. Flow 2 is the data channel: in passive mode the client opens it, to the high port (here 10099) that the server announced in its PASV reply, so neither side of the data channel uses a well-known port.

FLOW|      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
   1|10.10.0.1|10.10.0.2|43507|   21|       6|     15|  836| FSPA|21:46.314
   1|10.10.0.2|10.10.0.1|   21|43507|       6|     14|  956| FSPA|21:46.314
   2|10.10.0.1|10.10.0.2|50224|10099|       6|      3|  164|  FSA|21:54.314
   2|10.10.0.2|10.10.0.1|10099|50224|       6|      3|  164|  FSA|21:54.314

Windows 7 Enterprise

VSFTP server, accessed with cURL (which uses passive mode by default). Server is 10.10.0.2.

Client logged in, checked the current path, listed the directory, and then exited.

Flow 1 is the control channel. Flow 2 is the data channel: the server listens on 10091, a port in its passive range, and the client connects to it from 61598, the port immediately after its control-channel port 61597. The server side of the data channel is the one carrying the directory listing (FSPA, 233 bytes).

FLOW|      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
   1|10.10.0.1|10.10.0.2|61597|   21|       6|     13|  774| FSPA|23:32.990
   1|10.10.0.2|10.10.0.1|   21|61597|       6|     12|  561| FSPA|23:32.990
   2|10.10.0.2|10.10.0.1|10091|61598|       6|      4|  233| FSPA|23:33.005
   2|10.10.0.1|10.10.0.2|61598|10091|       6|      4|  172|  FSA|23:33.005

PPTP

Fedora Linux

Connection created with the pppd call pptpserver command. Server is 10.10.0.2.

Client created the connection and then closed it; closing the connection did not immediately end the flow (see the DUR column). The first two records are the TCP control connection on port 1723. The last two are the GRE tunnel (protocol 47) that carries the PPP session; GRE has no ports and no TCP flags, so these records can only be tied to the PPTP server through the control connection between the same two hosts.

      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME|   DUR
10.10.0.1|10.10.0.2|57722| 1723|       6|     11|  936| FSPA|23:39.877|94.742
10.10.0.2|10.10.0.1| 1723|57722|       6|      6|  528| FSPA|23:39.877|94.742
10.10.0.1|10.10.0.2|    0|    0|      47|     10|  540|     |23:40.890| 0.530
10.10.0.2|10.10.0.1|    0|    0|      47|     10|  566|     |23:40.890| 0.530

Windows 7 Enterprise

Used Network and Sharing Center to create the connection. Server is 10.10.0.2.

Client created the connection and then closed it; closing the connection did not immediately end the flow. As above, the first two records are the port 1723 control connection and the last two are the GRE tunnel (protocol 47) with no ports or flags.

      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME|   DUR
10.10.0.1|10.10.0.2|61327| 1723|       6|     10|  824| FSPA|07:36.522|59.847
10.10.0.2|10.10.0.1| 1723|61327|       6|     10|  600| FSPA|07:36.522|59.847
10.10.0.1|10.10.0.2|    0|    0|      47|     53| 5114|     |07:36.533|59.203
10.10.0.2|10.10.0.1|    0|    0|      47|     44| 3277|     |07:36.533|59.203

DNS

Fedora Linux

Query generated with the ping command. DNS server is 10.10.0.2; client is 10.10.0.1.

Client pinged google.com. The records are the name lookup for google.com (one UDP query and one UDP reply), not the ICMP echo traffic that followed it.

      SIP|      DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
10.10.0.1|10.10.0.2|60275|   53|      17|      1|   56|     |02:43.290
10.10.0.2|10.10.0.1|   53|60275|      17|      1|  232|     |02:43.290

Windows 7 Enterprise

Query generated with the ping command. Client is 10.10.0.1; the query went to the resolver at 173.194.121.3 rather than to the lab DNS server.

Client pinged google.com.

          SIP|          DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
    10.10.0.1|173.194.121.3|63786|   53|      17|      1|   60|     |15:02.949
173.194.121.3|    10.10.0.1|   53|63786|      17|      1|  276|     |15:02.949

HTTP

Fedora Linux

Accessed with cURL. Client is 10.10.0.1; the server is www.cmu.edu (128.2.42.52).

Client got www.cmu.edu.

        SIP|        DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
  10.10.0.1|128.2.42.52|47994|   80|       6|      6|  335| FSPA|18:37.558
128.2.42.52|  10.10.0.1|   80|47994|       6|      5|  861| FSPA|18:37.558

Windows 7 Enterprise

Accessed with cURL. Client is 10.10.0.1; the server is www.cmu.edu (128.2.42.52).

Client got www.cmu.edu.

        SIP|        DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
  10.10.0.1|128.2.42.52|61953|   80|       6|      5|  287| FSPA|46:37.801
128.2.42.52|  10.10.0.1|   80|61953|       6|      5|  869| FSPA|46:37.801

NTP

Fedora Linux

Client is 10.10.0.1; the server is 216.229.4.69.

Client automatically checked the time. Note: both client and server used port 123, instead of the client using an ephemeral port. This is how a full NTP daemon such as ntpd behaves (an SNTP client typically sends from an ephemeral port), and it means that on port numbers alone this pair gives no indication of which side is the server.

         SIP|         DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
   10.10.0.1|216.229.4.69|  123|  123|      17|      1|   76|     |14:24.996
216.229.4.69|   10.10.0.1|  123|  123|      17|      1|   76|     |14:24.996

Windows 7 Enterprise

Client is 10.10.0.1.

Client automatically checked the time and received an unreachable message; no NTP reply came back. The second record is that ICMP message, sent by 10.20.0.1 (a router on the path) rather than by the NTP server: its protocol is 1 (ICMP), and SiLK stores the ICMP type and code in the DPORT field as type*256+code, so 771 is type 3, code 3 (destination unreachable, port unreachable). A port-based profiler should not count 208.75.89.4 as a confirmed server from this exchange, since nothing ever answered on port 123.

        SIP|        DIP|SPORT|DPORT|PROTOCOL|PACKETS|BYTES|FLAGS|    STIME
  10.10.0.1|208.75.89.4|60696|  123|      17|      1|   76|     |23:11.397
  10.20.0.1|  10.10.0.1|    0|  771|       1|      2|  112|     |23:11.398
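To show how the records above can serve the purpose described at the top of the post, identifying servers when the collector does not deliver TCP flag data, here is an added Python example. It is not code from the original post or from the SiLK project, and it does not use PySiLK. It assumes records in the rwcut-style pipe-delimited layout used in the tables above; the sample records inside it are constructed from those tables (with the corrections made above), so it runs offline. Two rules cover everything on this page: if exactly one endpoint sits on a system port (0 to 1023), that endpoint is the server, which also handles active FTP, where the server opens the data connection from port 20; and when both ports are high, as for passive FTP data channels, the endpoint in the registered range on a host already known to be a server is chosen. Pairs with identical ports, such as the NTP 123 to 123 exchange, are left undecided; GRE and ICMP records carry no ports and are skipped; and by default a request with no reverse-direction record (the NTP query that drew only an ICMP unreachable) is not counted as evidence of a server. The ephemeral-range floor of 32768 is an assumption about client port allocation, not something the page states.

```python
"""Server identification from SiLK flow records without TCP flag data.
Added example, not code from the original post or the SiLK project. Input is
assumed to be rwcut-style '|'-separated text in the field order of the tables
above; SAMPLE_RWCUT is constructed from those tables (flags compacted and
times truncated as on the page)."""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

ICMP, GRE = 1, 47
WELL_KNOWN_MAX = 1023   # 0-1023 system ports: strong server signal
EPHEMERAL_MIN = 32768   # assumed client floor (Linux default; Windows uses 49152+)

Flow = namedtuple("Flow", "sip dip sport dport proto packets bytes flags stime")
Server = Tuple[str, int, int]   # (ip, port, proto)

# Constructed sample in rwcut-like layout, taken from the tables in this post.
SAMPLE_RWCUT = """\
         sIP|         dIP|sPort|dPort|pro|packets|bytes|flags|    sTime|
   10.10.0.2|   10.10.0.1|36257|   22|  6|     42| 5449| FSPA|48:01.120|
   10.10.0.1|   10.10.0.2|   22|36257|  6|     33| 4829| FSPA|48:01.120|
   10.10.0.1|   10.10.0.2|43503|   21|  6|     15|  853| FSPA|08:14.690|
   10.10.0.2|   10.10.0.1|   21|43503|  6|     14|  960| FSPA|08:14.690|
   10.10.0.2|   10.10.0.1|   20|51583|  6|      4|  216|  FSA|08:25.699|
   10.10.0.1|   10.10.0.2|51583|   20|  6|      2|  112|  FSA|08:25.699|
   10.10.0.2|   10.10.0.1|10091|61598|  6|      4|  233| FSPA|23:33.005|
   10.10.0.1|   10.10.0.2|61598|10091|  6|      4|  172|  FSA|23:33.005|
   10.10.0.1|   10.10.0.2|60275|   53| 17|      1|   56|     |02:43.290|
   10.10.0.2|   10.10.0.1|   53|60275| 17|      1|  232|     |02:43.290|
   10.10.0.1|216.229.4.69|  123|  123| 17|      1|   76|     |14:24.996|
216.229.4.69|   10.10.0.1|  123|  123| 17|      1|   76|     |14:24.996|
   10.10.0.1| 208.75.89.4|60696|  123| 17|      1|   76|     |23:11.397|
   10.20.0.1|   10.10.0.1|    0|  771|  1|      2|  112|     |23:11.398|
   10.10.0.1|   10.10.0.2|    0|    0| 47|     10|  540|     |23:40.890|
   10.10.0.2|   10.10.0.1|    0|    0| 47|     10|  566|     |23:40.890|
"""

def parse_rwcut(text: str) -> List[Flow]:
    """One record per line; the header line and blank lines are skipped."""
    flows = []
    for raw in text.splitlines():
        cols = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cols) < 9 or cols[0] == "sIP":
            continue
        sip, dip, sport, dport, proto, pkts, byts, flags, stime = cols[:9]
        flows.append(Flow(sip, dip, int(sport), int(dport), int(proto),
                          int(pkts), int(byts), flags.replace(" ", ""), stime))
    return flows

def icmp_type_code(f: Flow) -> Tuple[int, int]:
    """SiLK stores ICMP type and code in dPort as type*256 + code."""
    return divmod(f.dport, 256)

def pair_flows(flows: List[Flow]) -> List[Tuple[Flow, Optional[Flow]]]:
    """Join each record with its reverse-direction record, if one exists."""
    key = lambda f: (f.sip, f.sport, f.dip, f.dport, f.proto)
    index = {key(f): f for f in flows}
    done, pairs = set(), []
    for f in flows:
        if key(f) in done:
            continue
        rev = index.get((f.dip, f.dport, f.sip, f.sport, f.proto))
        done.update([key(f)] + ([key(rev)] if rev is not None else []))
        pairs.append((f, rev))
    return pairs

def identify_servers(flows: List[Flow], require_reply: bool = True) -> Dict[Server, str]:
    """Map (ip, port, proto) -> reason for endpoints judged to be servers.
    Pass 1 uses port numbers only. Pass 2 settles flows with both ports above
    1023 (passive FTP data channels) by preferring a registered-range port on a
    host pass 1 already established as a server. With require_reply, one-sided
    records (a UDP request answered only by ICMP) are not counted."""
    servers: Dict[Server, str] = {}
    deferred = []
    for a, rev in pair_flows(flows):
        if a.proto in (ICMP, GRE) or (require_reply and rev is None):
            continue                        # no ports, or no evidence of a responder
        if a.sport == a.dport:              # NTP 123<->123: direction is ambiguous
            continue
        ends = ((a.sip, a.sport), (a.dip, a.dport))
        low = [e for e in ends if e[1] <= WELL_KNOWN_MAX]
        if len(low) == 1:                   # covers FTP port 20, which the server initiates
            servers[(low[0][0], low[0][1], a.proto)] = "well-known port"
        elif not low:
            deferred.append(ends + (a.proto,))
    known_hosts = {ip for ip, _, _ in servers}
    for src, dst, proto in deferred:
        cand = [e for e in (src, dst) if e[1] < EPHEMERAL_MIN]
        if len(cand) == 1:
            ip, port = cand[0]
            why = ("registered port on known server host" if ip in known_hosts
                   else "registered port (unconfirmed host)")
            servers[(ip, port, proto)] = why
    return servers
```

On the sample this yields 10.10.0.1:22, 10.10.0.2:21, 10.10.0.2:20, 10.10.0.2:53 and 10.10.0.2:10091 as servers, leaves both NTP endpoints undecided, and only lists 208.75.89.4:123 when require_reply is switched off. To run it against real data, feed it the output of rwcut with the same field order (for example rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime); rwcut pads the flags column with spaces for unset bits, which the parser strips. The second-pass rule is deliberately weak: it only promotes a high port on a host that already serves something on a system port, which is what the passive FTP examples above need, and it still cannot separate two registered-range ports from each other.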
