LANDER:NCCDC logs-20170413
From Predict
README version: 8423, last modified: 2018-02-13.

This file describes the trace dataset "NCCDC_logs-20170413" provided by the LANDER project.

Contents
  1 LANDER Metadata
  2 Dataset Contents
  3 Dataset Generation
    3.1 Background
    3.2 Setup
  4 Citation
  5 Results Using This Dataset
  6 User Annotations

LANDER Metadata

┌───────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐
│ dataSetName               │ NCCDC_logs-20170413                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ status                    │ usc-web-and-predict                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ shortDesc                 │ 2017 NC Cyber Defense Competition                                                  │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ longDesc                  │ These log files are packet captures from the 2017 National Collegiate Cyber        │
│                           │ Defense Competition (nccdc.org). CCDC is a multi-day competition that specifically │
│                           │ focuses on the operational aspects of managing and protecting an existing          │
│                           │ "commercial" network infrastructure. Teams of undergraduate/graduate students are  │
│                           │ provided with a fully functional (but insecure) small business network they must   │
│                           │ secure, maintain, and defend against a live Red Team. Teams must also respond to   │
│                           │ business tasks called "injects" throughout the competition.                        │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ datasetClass              │ Quasi-Restricted                                                                   │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ commercialAllowed         │ true                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ requestReviewRequired     │ true                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ productReviewRequired     │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ ongoingMeasurement        │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ submissionMethod          │ Upload                                                                             │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionStartDate       │ 2017-04-13                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionStartTime       │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionEndDate         │ 2017-04-15                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ collectionEndTime         │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityStartDate     │ 2018-03-01                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityStartTime     │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityEndDate       │ 2030-01-01                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ availabilityEndTime       │ 00:00:00                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ anonymization             │ none                                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ archivingAllowed          │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ keywords                  │ category:synthetically-generated-data, subcategory:experimental-data, synthetic    │
│                           │ data, nccdc                                                                        │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ format                    │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ access                    │ https                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ hostName                  │ USC-LANDER                                                                         │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ providerName              │ USC                                                                                │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ groupingId                │                                                                                    │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ groupingSummaryFlag       │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ retrievalInstructions     │ download                                                                           │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ byteSize                  │ 802627256320                                                                       │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ expirationDays            │ 14                                                                                 │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ uncompressedSize          │ 1084482809862                                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ impactDoi                 │ 10.23721/115/1364431                                                               │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ useAgreement              │ dua-ni-160816                                                                      │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ irbRequired               │ false                                                                              │
├───────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ privateAccessInstructions │ See http://www.isi.edu/ant/traces/index.html#getting_datasets for information on   │
│                           │ obtaining this dataset.                                                            │
│                           │ See                                                                                │
└───────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘

Dataset Contents

NCCDC_logs-20170413.README.txt   copy of this README
dayone/
    dayone.NNN.pcap.xz           sequentially numbered pcap traces from the first day of competition
    .sha1sum                     SHA-1 checksums of the compressed files in this directory
daytwo/
    daytwo.NNN.pcap.xz           sequentially numbered pcap traces from the second day of competition
    .sha1sum                     SHA-1 checksums of the compressed files in this directory

The file ".sha1sum" in each directory contains the SHA-1 checksums of the individual compressed files. The integrity of the distribution can therefore be checked by independently computing the SHA-1 sums of the files and comparing them with those listed in the file. If the sha1sum utility is installed on your system, you can do that by executing, inside each directory:

    sha1sum --check .sha1sum

The checksums are of the compressed .pcap.xz files, so this check has to be done before the files are uncompressed.

Dataset Generation

Background

These packet captures were obtained from the 2017 National Collegiate Cyber Defense Competition (NCCDC), held in April 2017 in San Antonio, TX (http://www.nccdc.org). The NCCDC is the National Championship event for the Collegiate Cyber Defense Competition (CCDC) program.
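The integrity check described under Dataset Contents, done from Python rather than with the coreutils sha1sum binary. This is an added example and not part of the LANDER README: it parses the GNU sha1sum manifest format ("<40 hex digits>  <file name>") that the .sha1sum files use, checks every listed file, and additionally flags compressed traces that are present in a directory but absent from its manifest, which "sha1sum --check" alone does not report. The file names and contents used to exercise it are constructed fixtures, not dataset material.

```python
"""Added example, not part of the LANDER README: verify a LANDER-style
".sha1sum" manifest (GNU sha1sum output, "<40 hex digits>  <file name>").

Besides what "sha1sum --check .sha1sum" reports (missing or altered files),
this also flags compressed traces that are present in the directory but
absent from the manifest. The digests are of the .pcap.xz files, so run it
before decompressing, or decompress with "xz -dk" so the .xz files remain.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List

MANIFEST_NAME = ".sha1sum"
# GNU coreutils line: 40 hex digits, a space, a ' ' (text) or '*' (binary)
# mode marker, then the file name exactly as it was hashed.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{40}) [ *](.+)$")


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1; the traces are ~1 GB each, so never read them whole."""
    h = hashlib.sha1()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected hex digest; a malformed line raises ValueError."""
    expected: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"{MANIFEST_NAME}:{lineno}: malformed line {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def write_manifest(directory: Path, names: Iterable[str]) -> Path:
    """Write a GNU-format manifest for the named files (used here to build fixtures)."""
    directory = Path(directory)
    lines = [f"{sha1_of_file(directory / n)}  {n}" for n in names]
    out = directory / MANIFEST_NAME
    out.write_text("\n".join(lines) + "\n")
    return out


def verify_manifest(directory: Path) -> List[str]:
    """Return a list of problems; an empty list means the directory matches its manifest exactly."""
    directory = Path(directory)
    manifest = directory / MANIFEST_NAME
    if not manifest.is_file():
        return [f"{directory}: no {MANIFEST_NAME} manifest"]
    try:
        expected = parse_manifest(manifest.read_text())
    except ValueError as err:
        return [str(err)]
    problems: List[str] = []
    # 1. Every listed file must exist and hash to the listed digest.
    for name, digest in expected.items():
        path = directory / name
        if not path.is_file():
            problems.append(f"{name}: listed in manifest but missing")
        elif sha1_of_file(path) != digest:
            problems.append(f"{name}: SHA-1 mismatch")
    # 2. Every compressed trace on disk must be listed; an unlisted .pcap.xz
    #    is as suspicious as a mismatched one.
    for path in sorted(directory.glob("*.pcap.xz")):
        if path.name not in expected:
            problems.append(f"{path.name}: present but not listed in manifest")
    return problems


if __name__ == "__main__":
    import sys
    # Default to the two day directories of this dataset when run in its top level.
    for day_dir in sys.argv[1:] or ("dayone", "daytwo"):
        issues = verify_manifest(Path(day_dir))
        print(f"{day_dir}: {'OK' if not issues else 'FAILED'}")
        for issue in issues:
            print("  " + issue)
```

Two caveats on what this proves. The manifest travels with the files, so a match shows the download was not corrupted or truncated, not that the files are the ones the provider published; anyone able to replace the traces on the distribution host could replace the manifest too. SHA-1 is also no longer collision resistant, which does not matter for detecting accidental corruption of fixed files but is why this should not be read as an authenticity check.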
CCDC is the first competition system that focuses on the operational aspect of managing and protecting an existing commercial network infrastructure. CCDC allows teams of undergraduate and graduate students at universities across the United States to exercise their academic and technical education and compete in a business-oriented, defensive information assurance competition. CCDC is a tiered competition with qualifying and regional events leading to a national championship.

CCDC competitions ask student teams to assume administrative and protective duties for an existing commercial network, typically a small company with 50+ users, 10 to 12 servers, and common Internet services such as a web server, mail server, and an e-commerce site. Each team begins the competition with an identical set of hardware and software and is scored on its ability to detect and respond to outside threats, maintain availability of existing services, respond to business requests such as the creation of a new e-commerce site, and balance security best practices against business needs. The competition is scored on several factors, including availability of services, response to business tasks, and defense of the network against attack. A Red Team provides the real-world, external threat that all Internet-based services face and allows the teams to match their defensive skills against live opponents.

Setup

The NCCDC uses a star topology in which each competing team and each major group (Red Team, Orange Team, White Team, etc.) is connected to a core switch. These logs were captured from the SPAN port on that core switch. As there was over 1.1 TB of captured traffic, the packet captures are serialized into 1 GB files and divided between day one and day two of the competition. Packet captures were made with n2disk (http://www.ntop.org/products/traffic-recording-replay/n2disk/).
These packet captures contain traffic from automated scoring systems, traffic generators, live users, a live Red Team, and the competitors (including Internet traffic from the teams). Internet traffic from the teams was routed through a Squid proxy located at 10.120.0.200 on port 8080. There is exploit and system-compromise traffic in these logs, as well as persistent connections from compromised systems. For more information on the NCCDC please visit nccdc.org.

The 2017 NCCDC had 10 competing teams, Teams 1 through 10, which were tasked with operating and securing assets on the following subnets:

    Team 1    10.10.10.0,    172.16.10.0,   172.20.10.0,   and 172.22.10.0
    Team 2    10.20.20.0,    172.16.20.0,   172.20.20.0,   and 172.22.20.0
    Team 3    10.30.30.0,    172.16.30.0,   172.20.30.0,   and 172.22.30.0
    Team 4    10.40.40.0,    172.16.40.0,   172.20.40.0,   and 172.22.40.0
    Team 5    10.50.50.0,    172.16.50.0,   172.20.50.0,   and 172.22.50.0
    Team 6    10.60.60.0,    172.16.60.0,   172.20.60.0,   and 172.22.60.0
    Team 7    10.70.70.0,    172.16.70.0,   172.20.70.0,   and 172.22.70.0
    Team 8    10.80.80.0,    172.16.80.0,   172.20.80.0,   and 172.22.80.0
    Team 9    10.90.90.0,    172.16.90.0,   172.20.90.0,   and 172.22.90.0
    Team 10   10.100.100.0,  172.16.100.0,  172.20.100.0,  and 172.22.100.0

The subnet mask for each network was 255.255.255.0, with the .1 address of each subnet serving as the gateway.

The 2017 NCCDC scenario was a comic book and collectible retailer. Each team had a fully functional e-commerce site, primary DNS, Active Directory, static website, Human Resources system, inventory system, help desk ticketing system, SMTP/POP3 mail services, and an FTP server, along with multiple client workstations. Each team also had multiple point-of-sale terminals with bar code scanners and backend servers running an open-source point-of-sale/inventory system.
On the "10" nets, each team was provided with a "core" network consisting of 7 servers (running a mix of BSD, Fedora, Windows Server 2008, Windows Server 2003, ESXi 6.0, SUSE, and Ubuntu), 6 workstations (running a mix of FreeBSD, Windows 10, Windows XP, and Windows 7), 1 Cisco VoIP phone, 1 Juniper EX4200, and 1 Palo Alto PA-3050.

On the "172" networks, each team was provided with three "remote" networks simulating remote retail locations. A "large" remote retail location was hosted on the 172.16.X.0 network and consisted of 7 virtual machines running Windows 7, Windows 10, Windows Server 2003, Solaris x86, Debian, and Openbravo. A retail outlet location was located on each of the 172.20.X.0 and 172.22.X.0 networks, with servers and clients running Windows 7.

Teams were required to have the following core services available to any IP address at all times during the competition:

    WWW        HTTP service on 172.16.X.210
    HRM        HTTP service on 10.X.X.201
    DNS        DNS service on 10.X.X.5
    FTP        FTP service on 172.16.X.205
    POP3       POP3 service on 10.X.X.10
    SMTP       SMTP service on 10.X.X.10
    HELP_DESK  HTTP service on 172.16.X.215
    ECOM       HTTP service on 10.X.X.15
    SSH1       SSH service on 10.X.X.20
    SSH2       SSH service on 10.X.X.201
    SSH3       SSH service on 10.X.X.202
    SSH4       SSH service on 172.16.X.210

To support the point-of-sale application, teams were required to allow connections to the SMB services running on 10.X.X.204, 172.16.X.202, and 172.20.X.204 from the scoring-related subnets 10.160.169.0/24, 10.160.201.0/24, and 10.150.0.1/16 (the 10.150.0.0/16 network).

Citation

If you use this trace to conduct additional research, please cite it as:

    NCCDC Logs, IMPACT ID: USC-LANDER/NCCDC_logs-20170413/rev8423. Traces taken 2017-04-13 to 2017-04-15. Provided by the Center for Infrastructure Assurance and Security (UTSA/CIAS) and hosted by the USC/LANDER project (http://www.isi.edu/ant/lander).

Results Using This Dataset

No results yet.

User Annotations

Currently no annotations.
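The team subnet plan and the scored-service list in the Setup section above are what an analyst needs first when reading these traces: which team a packet belongs to, whether a destination was a scored service, the proxy, or an SMB host the scoring subnets had to reach. The following is an added example, not code from the LANDER README or from the competition. It encodes only what the Setup section states (team N owns 10.N0.N0.0/24, 172.16.N0.0/24, 172.20.N0.0/24 and 172.22.N0.0/24; .1 is the gateway; the Squid proxy is 10.120.0.200:8080; services sit on fixed host octets; SMB must be reachable from the three scoring ranges). Two things are assumptions rather than README facts: the README names services by protocol only, so the standard ports (80, 53, 21, 110, 25, 22 and 445 for SMB) are assumed, and "10.150.0.1/16" is read as the 10.150.0.0/16 network. The sample flows in the main block are constructed, not taken from the captures.

```python
"""Added example, not from the LANDER README: map addresses seen in the
NCCDC_logs-20170413 traces back to the competition layout given under Setup.
Ports and the 10.150.0.0/16 reading of "10.150.0.1/16" are assumptions.
"""
import ipaddress
from collections import Counter
from typing import Iterable, NamedTuple, Optional, Tuple


class Location(NamedTuple):
    team: int   # 1..10
    site: str   # "core", "large", "retail20" or "retail22"
    host: int   # last octet


SITE_BY_SECOND_OCTET = {16: "large", 20: "retail20", 22: "retail22"}
SQUID_PROXY = (ipaddress.ip_address("10.120.0.200"), 8080)
# strict=False turns the README's "10.150.0.1/16" into 10.150.0.0/16 (assumption).
SCORING_NETS = [ipaddress.ip_network(n, strict=False)
                for n in ("10.160.169.0/24", "10.160.201.0/24", "10.150.0.1/16")]
# (service name, site, host octet, assumed standard port)
REQUIRED_SERVICES = [
    ("WWW", "large", 210, 80), ("HRM", "core", 201, 80), ("DNS", "core", 5, 53),
    ("FTP", "large", 205, 21), ("POP3", "core", 10, 110), ("SMTP", "core", 10, 25),
    ("HELP_DESK", "large", 215, 80), ("ECOM", "core", 15, 80),
    ("SSH1", "core", 20, 22), ("SSH2", "core", 201, 22),
    ("SSH3", "core", 202, 22), ("SSH4", "large", 210, 22),
]
# SMB hosts that had to be reachable from the scoring subnets.
SMB_HOSTS = {("core", 204), ("large", 202), ("retail20", 204)}
SMB_PORT = 445  # assumption; the README says only "SMB services"


def locate(ip: str) -> Optional[Location]:
    """Which team and site an IPv4 address belongs to; None for non-team space
    (scoring systems, Red Team, the proxy, or anything outside the layout)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return None
    o = addr.packed  # the four octets as ints
    # Core site: 10.N0.N0.0/24, second and third octet equal and a multiple of 10.
    if o[0] == 10 and o[1] == o[2] and o[1] % 10 == 0 and 10 <= o[1] <= 100:
        return Location(o[1] // 10, "core", o[3])
    # Remote sites: 172.{16,20,22}.N0.0/24.
    if o[0] == 172 and o[1] in SITE_BY_SECOND_OCTET and o[2] % 10 == 0 and 10 <= o[2] <= 100:
        return Location(o[2] // 10, SITE_BY_SECOND_OCTET[o[1]], o[3])
    return None


def classify_flow(src: str, dst: str, dport: int) -> str:
    """Label one flow src -> dst:dport in terms of the competition layout."""
    if (ipaddress.ip_address(dst), dport) == SQUID_PROXY:
        return "proxy:squid"
    loc = locate(dst)
    if loc is None:
        return "non-team"
    if loc.host == 1:
        return f"team{loc.team}:gateway"
    for name, site, host, port in REQUIRED_SERVICES:
        if (site, host, port) == (loc.site, loc.host, dport):
            return f"team{loc.team}:scored:{name}"
    if dport == SMB_PORT and (loc.site, loc.host) in SMB_HOSTS:
        s = ipaddress.ip_address(src)
        origin = "scoring" if any(s in n for n in SCORING_NETS) else "other"
        return f"team{loc.team}:smb:from-{origin}"
    return f"team{loc.team}:{loc.site}:other"


def tally(flows: Iterable[Tuple[str, str, int]]) -> Counter:
    """Count labels over (src, dst, dport) records."""
    return Counter(classify_flow(*f) for f in flows)


if __name__ == "__main__":
    # Constructed sample flows, not taken from the traces.
    sample = [
        ("10.160.169.4", "10.30.30.15", 80),
        ("10.160.201.9", "172.16.70.210", 22),
        ("10.150.12.3", "10.40.40.204", 445),
        ("192.168.1.5", "10.40.40.204", 445),
        ("10.30.30.50", "10.120.0.200", 8080),
    ]
    for label, n in sorted(tally(sample).items()):
        print(f"{n:3d}  {label}")
```

To feed it real records, export (src, dst, dport) triples from a decompressed trace with a tool such as tshark (not mentioned in the README; e.g. `tshark -r dayone.000.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport`) and pass them to tally(). Two caveats follow from the Setup section itself: the classification is purely by address, so a Red Team foothold inside a team subnet is labelled as that team's host, and because the capture was taken from the core switch's SPAN port, traffic that stayed within one team subnet and never crossed the core switch is not in these files at all.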