The National Security Agency permitted both the recording and release of the following datasets.
To give users of our dataset a means to correlate IP addresses found in the PCAP files with the IP addresses of hosts on the internal USMA network, we are including a PDF file of the planning document used just prior to the execution of CDX 2009 (NOTE: USMA utilized network address translation). Keep in mind this was a planning document. Changes may have occurred to the USMA network that were not annotated on this document.
Data Capture from National Security Agency (NSA)
** Note - The exercise directive had the service academies change the clocks forward to Nov-08 2011 on the first day of the exercise. All timestamps in the log files reflect the date change. The actual time on the clocks remained the same.
Snort Intrusion Detection Log: from 0700-Nov-08 to 1600-Nov-11 (Entire Exercise)
Domain Name Service Logs: from 0700-Nov-08 to 1600-Nov-11 (Entire Exercise)
Web Server Logs: 24-Hour Logs from 1600-Nov-10 to 1600-Nov-11 (Final Day of Exercise)
Our personal favorite:
Nov 11 09:36:55 www logger: 10.2.27.218 - -[11/Nov/2011:09:36:55 -0500]
HTTP/1.0" 302 261
Log Server Aggregate Log: from 0700-Nov-11 to 1600-Nov-11 (Final Day of Exercise)