New SiLK Analysis Suite Release Available for Download
June 25, 2018 • Article
June 25, 2018—The SEI’s CERT Division has released a new major version (3.17.0) of the System for Internet-Level Knowledge (SiLK) traffic analysis suite. SiLK is a collection of tools designed to facilitate security analysis of large networks. The SiLK tool suite supports the efficient collection, storage, and analysis of network flow data, enabling network security analysts to rapidly query large historical traffic data sets. SiLK is capable of analyzing traffic on the backbone or border of a large, distributed enterprise or mid-sized Internet service provider.
“This release addresses a number of software fixes and compatibility issues,” noted Tony Cebzanov, software engineer on the CERT Security Automation Team. “It also provides analysts a number of new capabilities, several of which were requested by SiLK users.”
Highlights of the new release include the following:
- New analysis options. The rwaggbagtool command now supports filtering rows from an aggregate bag file when a field’s value is below or above a designated value or when an IP address field is absent or present in an IPset file. This capability allows analysts to examine flow data in new ways. For instance, analysts can examine which IP address their networks are getting the most traffic from using any flow field as the key. The feature also supports set operations.
- Compatible country codes. The rwgeoip2ccmap tool now supports MaxMind’s GeoIP2 and GeoLite2 formats. The CSV versions of these formats are included in SiLK. This change aligns SiLK with current country code standards.
- Improved timestamp fidelity. The rwuniq and rwstats tools now support millisecond timestamps when a fractional time is specified with the --bin-time switch. This feature enables analysts to aggregate results by fractions of a second.
- Default IPv4 format. When the rwsetcat tool prints an IPset containing both IPv4 and IPv6 addresses, IPv4 addresses are no longer prefixed with "::ffff:" by default. However, the analyst can still view a mix of IPv6 and IPv6-mapped addresses if preferred. The change offers more flexibility in visualizing the data.
To learn more about the SiLK analysis suite, to download the latest version, and to learn about other useful tools produced by CERT, visit the CERT Network Situational Awareness Tools website.
SiLK tools are also available on the CERT LiFTeR website, where the tools are available for Fedora 23 through 28, Redhat Enterprise Linux, and CentOS releases 6 and 7.