
Go with the flow


Using Netflow Analysis for forensic investigations

Published in: Technology
Go with the flow

  1. @Rathaur_Kamal
  2. • Infosec Enthusiast
     • Incident Response/Digital Forensics Analyst
     • Speaker/Volunteer at Null and OWASP chapters
     • AM – IT Security (Just a position, for the records)
     • Travelling, Trekking, Infosec brainstorming
     • GCFA Certified, SANS Lethal Forensicator Award
  3. • A series of packets on a network that have common attributes
     • Just metadata – no contents
     • Much like a phone bill – you know who called whom, but not what was said
     • Is not a replacement for full packet capture
  4. • Exporter – uses UDP (standard port 2055) for sending packets to Collectors
     • Collectors – positioning is the key
     • Storage – understand the requirements and the size of storage based on the need
     • Analysis Console – usually a thin client, browser based; performance hungry
  5. • Identify the critical data
     • Understand the network diagram
     • Identify choke points and critical nodes
     • Identify critical datacenters
     • Plan Netflow exporters and packet capture points
     • Confirm legal and regulatory compliance
     • Security teams may prefer to use their own Netflow server and storage solution
  6. nfcapd – netflow capture daemon
     nfdump – netflow dump
     nfprofile – netflow profiler
     nfreplay – netflow replay
     nfclean.pl – cleanup old data
     ft2nfdump – optional binary
  7. • A set of tools to collect and process netflow data
     • Supports netflow versions v1, v5, v7, v9 and IPFIX
     • Fully IPv6 compatible
     • Stores netflow data in time sliced files – rotates typically every 5 minutes, i.e. 288 files per day, in nfcapd.YYYYMMddhhmm format
     • Command line based tool, similar in use to tcpdump
     • Top N statistics for packets, bytes, IP addresses, ports…
     Sample nfdump output:
       Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
       2005-08-30 06:59:52.338     0.001 UDP     36.249.80.226:3040  ->    92.98.219.116:1434        1      404     1
  8. • NfSen is a graphical web based front end for the Nfdump netflow tools
     • Graph specific profiles
       • Track hosts, ports etc. from live data
       • Profile hosts involved in incidents from history data
     • Analyze a specific time window
     • Web based
     • Automatic alerting
     • Flexible extensions using plugins
  9. Demo Time
  10. • Understand the netflow basics
      • Netflow Analysis with open source tools
      • Ideas for setting up a test lab
      • Testing and Deployment in a VM
      • Replicate to the Production environment
  11. Thank You!
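Slide 7 shows nfdump's default one-line-per-flow text format, its 5-minute nfcapd file rotation and its Top N statistics. The following Python script is an added example (not part of the slide deck or of the nfdump project) that parses output in that format, builds Top N tables per source IP and destination port, and lists the nfcapd file names an analyst would expect to find for an incident time window. The sample output embedded in it is constructed to match the slide's record layout; it assumes IPv4 endpoints written as `addr:port` and unscaled packet/byte counters, as in the slide's example line.

```python
"""Parse nfdump text output and build Top N statistics (added example, not nfdump code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like the slide's nfdump output; not real traffic.
SAMPLE_OUTPUT = """\
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2005-08-30 06:59:52.338     0.001 UDP     36.249.80.226:3040  ->    92.98.219.116:1434        1      404     1
2005-08-30 06:59:53.120     0.002 UDP     36.249.80.226:3041  ->    92.98.219.117:1434        1      404     1
2005-08-30 07:00:01.500    12.400 TCP       10.0.0.5:51234    ->     10.0.0.20:443         120   156000     1
2005-08-30 07:00:09.004     3.100 TCP       10.0.0.7:51300    ->     10.0.0.20:443          40    52000     1
2005-08-30 07:01:15.771     0.050 UDP       10.0.0.5:40000    ->     10.0.0.2:53             2      310     1
Summary: total flows: 5, total bytes: 209118, total packets: 164, avg bps: 0, avg pps: 0, avg bpp: 0
"""

# One flow record per line: start, duration, proto, src -> dst, packets, bytes, flows.
# Assumes unscaled integer counters (nfdump can also print scaled values such as "1.2 M").
RECORD_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"  # flow start timestamp
    r"([\d.]+)\s+"                                     # duration in seconds
    r"(\S+)\s+"                                        # protocol
    r"(\S+)\s+->\s+"                                   # src addr:port
    r"(\S+)\s+"                                        # dst addr:port
    r"(\d+)\s+(\d+)\s+(\d+)\s*$"                       # packets, bytes, flows
)


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port). Assumes IPv4, where ':' only precedes the port."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, int(port)


def parse_nfdump_line(line):
    """Return a flow record dict, or None for header, blank and 'Summary:' lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    start, dur, proto, src, dst, pkts, byts, flows = m.groups()
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return {
        "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S.%f"),
        "duration": float(dur),
        "proto": proto,
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "packets": int(pkts), "bytes": int(byts), "flows": int(flows),
    }


def parse_nfdump_output(text):
    """Parse every record line in a block of nfdump text output."""
    return [rec for rec in map(parse_nfdump_line, text.splitlines()) if rec]


def top_n(records, key, n=5, metric="bytes"):
    """Sum `metric` per distinct value of `key` (e.g. 'src_ip', 'dst_port'); return the top n."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key]] += rec[metric]
    # Largest totals first; ties broken by the key's string form for a stable order.
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


def nfcapd_files(start, end, slice_minutes=5):
    """Names of the time-sliced nfcapd.YYYYMMddhhmm files covering [start, end]."""
    t = start.replace(second=0, microsecond=0)
    t -= timedelta(minutes=t.minute % slice_minutes)  # align to the slice boundary
    names = []
    while t <= end:
        names.append("nfcapd." + t.strftime("%Y%m%d%H%M"))
        t += timedelta(minutes=slice_minutes)
    return names


if __name__ == "__main__":
    flows = parse_nfdump_output(SAMPLE_OUTPUT)
    print("Top sources by bytes:", top_n(flows, "src_ip", n=3))
    print("Top destination ports by flows:", top_n(flows, "dst_port", n=3, metric="flows"))
    window = (datetime(2005, 8, 30, 6, 59, 52), datetime(2005, 8, 30, 7, 1, 15))
    print("nfcapd files for the window:", nfcapd_files(*window))
```

In practice the text would come from `nfdump -r` or `nfdump -R` over the files returned by `nfcapd_files`, and the aggregation mirrors what nfdump's own `-s` statistics produce; the parser is useful when flow output has to be joined with other evidence in a custom forensic timeline.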
