Go with the flow

Kamal Rathaur
Digital Forensics, Incident Response, Breach Investigations, Threat Analysis and Research - GCFA, CEH
Nov. 13, 2015
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
Go with the flow
1 of 16

Go with the flow

Nov. 13, 2015
Technology

Using Netflow Analysis for forensic investigations

Kamal Rathaur
Digital Forensics, Incident Response, Breach Investigations, Threat Analysis and Research - GCFA, CEH

Recommended

Delegation-based Authentication and Authorization for the IP-based IoTDelegation-based Authentication and Authorization for the IP-based IoT
Delegation-based Authentication and Authorization for the IP-based IoTJoon Young Park843 views22 slides
Poll mode driver integration into dpdkPoll mode driver integration into dpdk
Poll mode driver integration into dpdkVipin Varghese523 views3 slides
Lithe: Lightweight Secure CoAP for the Internet of ThingsLithe: Lightweight Secure CoAP for the Internet of Things
Lithe: Lightweight Secure CoAP for the Internet of ThingsJoon Young Park784 views23 slides
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesKernel TLV5.3K views33 slides
Mmap failure analysisMmap failure analysis
Mmap failure analysisVipin Varghese761 views8 slides
nextcomputing-packet-continuumnextcomputing-packet-continuum
nextcomputing-packet-continuumblabadini306 views7 slides

More Related Content

Slideshows for you

Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondAnne Nicolas4.4K views58 slides
Network based file carvingNetwork based file carving
Network based file carvingGTKlondike1.6K views12 slides
Dpdk – IoT packet analyzerDpdk – IoT packet analyzer
Dpdk – IoT packet analyzerVipin Varghese652 views11 slides
Comprehensive XDP Off‌load-handling the Edge CasesComprehensive XDP Off‌load-handling the Edge Cases
Comprehensive XDP Off‌load-handling the Edge CasesNetronome553 views18 slides
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Islam Azeddine Mennouchi4.2K views96 slides
LF_DPDK17_DPDK support for new hardware offloadsLF_DPDK17_DPDK support for new hardware offloads
LF_DPDK17_DPDK support for new hardware offloadsLF_DPDK453 views22 slides

Slideshows for you(20)

Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Anne Nicolas4.4K views
Network based file carvingNetwork based file carving
Network based file carving
GTKlondike1.6K views
Dpdk – IoT packet analyzerDpdk – IoT packet analyzer
Dpdk – IoT packet analyzer
Vipin Varghese652 views
Comprehensive XDP Off‌load-handling the Edge CasesComprehensive XDP Off‌load-handling the Edge Cases
Comprehensive XDP Off‌load-handling the Edge Cases
Netronome553 views
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013
Islam Azeddine Mennouchi4.2K views
LF_DPDK17_DPDK support for new hardware offloadsLF_DPDK17_DPDK support for new hardware offloads
LF_DPDK17_DPDK support for new hardware offloads
LF_DPDK453 views
Compiling P4 to XDP, IOVISOR Summit 2017Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017
Cheng-Chun William Tu740 views
Telco junho cost-effective approach for telco network analysis in 5_g_finalTelco junho cost-effective approach for telco network analysis in 5_g_final
Telco junho cost-effective approach for telco network analysis in 5_g_final
Junho Suh261 views
Group meeting: TaintPipe - Pipelined Symbolic Taint AnalysisGroup meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Group meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Yu-Hsin Hung179 views
P4, EPBF, and Linux TC OffloadP4, EPBF, and Linux TC Offload
P4, EPBF, and Linux TC Offload
Open-NFP5.3K views
Network Measurement with P4 and C on Netronome AgilioNetwork Measurement with P4 and C on Netronome Agilio
Network Measurement with P4 and C on Netronome Agilio
Open-NFP633 views
How Robinhood Built a Real-Time Anomaly Detection System to Monitor and Mitig...How Robinhood Built a Real-Time Anomaly Detection System to Monitor and Mitig...
How Robinhood Built a Real-Time Anomaly Detection System to Monitor and Mitig...
InfluxData2.1K views
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
IO Visor Project1.6K views
Apache Solr as a compressed, scalable, and high performance time series databaseApache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series database
Florian Lautenschlager2K views
Kernel Recipes 2013 - Nftables, what motivations and what solutionsKernel Recipes 2013 - Nftables, what motivations and what solutions
Kernel Recipes 2013 - Nftables, what motivations and what solutions
Anne Nicolas12.3K views
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
NECST Lab @ Politecnico di Milano20 views
Debug generic processDebug generic process
Debug generic process
Vipin Varghese199 views
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf2.9K views
Monitoring and Alerting with InfluxDB 2.0 | Deniz Kusefoglu & Nate Isley | In...Monitoring and Alerting with InfluxDB 2.0 | Deniz Kusefoglu & Nate Isley | In...
Monitoring and Alerting with InfluxDB 2.0 | Deniz Kusefoglu & Nate Isley | In...
InfluxData613 views
Ceph Day Shanghai - On the Productization Practice of Ceph Ceph Day Shanghai - On the Productization Practice of Ceph
Ceph Day Shanghai - On the Productization Practice of Ceph
Ceph Community 181 views

Viewers also liked

Scalable Monitoring & AlertingScalable Monitoring & Alerting
Scalable Monitoring & AlertingFranklin Angulo2.7K views31 slides
Managing Tech Teams (Dev StackUp)Managing Tech Teams (Dev StackUp)
Managing Tech Teams (Dev StackUp)Franklin Angulo261 views28 slides
An Introduction to Rearview - Time Series Based MonitoringAn Introduction to Rearview - Time Series Based Monitoring
An Introduction to Rearview - Time Series Based MonitoringVictorOps1.6K views11 slides
GraphiteGraphite
GraphiteAdrian Moisey2.3K views29 slides
Stop pulling the plugStop pulling the plug
Stop pulling the plugKamal Rathaur756 views17 slides
OsintOsint
OsintKamal Rathaur2.1K views19 slides

Viewers also liked(7)

Scalable Monitoring & AlertingScalable Monitoring & Alerting
Scalable Monitoring & Alerting
Franklin Angulo2.7K views
Managing Tech Teams (Dev StackUp)Managing Tech Teams (Dev StackUp)
Managing Tech Teams (Dev StackUp)
Franklin Angulo261 views
An Introduction to Rearview - Time Series Based MonitoringAn Introduction to Rearview - Time Series Based Monitoring
An Introduction to Rearview - Time Series Based Monitoring
VictorOps1.6K views
GraphiteGraphite
Graphite
Adrian Moisey2.3K views
Stop pulling the plugStop pulling the plug
Stop pulling the plug
Kamal Rathaur756 views
OsintOsint
Osint
Kamal Rathaur2.1K views
Collecting metrics with Graphite and StatsDCollecting metrics with Graphite and StatsD
Collecting metrics with Graphite and StatsD
itnig11.4K views

Similar to Go with the flow

Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.2.7K views55 slides
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike15.6K views31 slides
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders8825.1K views58 slides
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1Joel W. King1.7K views40 slides
Realtime Detection of DDOS attacks using Apache Spark and MLLibRealtime Detection of DDOS attacks using Apache Spark and MLLib
Realtime Detection of DDOS attacks using Apache Spark and MLLibRyan Bosshart2.9K views31 slides
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat DefenseCisco Canada3.3K views89 slides

Similar to Go with the flow(20)

Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
Lancope, Inc.2.7K views
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike15.6K views
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
chrissanders8825.1K views
Security defined routing_cybergamut_v1_1Security defined routing_cybergamut_v1_1
Security defined routing_cybergamut_v1_1
Joel W. King1.7K views
Realtime Detection of DDOS attacks using Apache Spark and MLLibRealtime Detection of DDOS attacks using Apache Spark and MLLib
Realtime Detection of DDOS attacks using Apache Spark and MLLib
Ryan Bosshart2.9K views
NetFlow Monitoring for Cyber Threat DefenseNetFlow Monitoring for Cyber Threat Defense
NetFlow Monitoring for Cyber Threat Defense
Cisco Canada3.3K views
Logging : How much is too much? Network Security Monitoring Talk @ hasgeekLogging : How much is too much? Network Security Monitoring Talk @ hasgeek
Logging : How much is too much? Network Security Monitoring Talk @ hasgeek
vivekrajan1.1K views
Low cost multi-sensor IDS systemLow cost multi-sensor IDS system
Low cost multi-sensor IDS system
Robert Schrack2.3K views
Tim eberhard bajug3_talkTim eberhard bajug3_talk
Tim eberhard bajug3_talk
Tim Eberhard1.5K views
Orion NTA Customer TrainingOrion NTA Customer Training
Orion NTA Customer Training
SolarWinds1.2K views
Snabbflow: A Scalable IPFIX exporterSnabbflow: A Scalable IPFIX exporter
Snabbflow: A Scalable IPFIX exporter
Igalia27 views
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gle
Dug Song1.6K views
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
Sachidananda Sahu1.3K views
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC156 views
hakin9_6-2006_str22-33_snort_ENhakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_EN
Pierpaolo Palazzoli160 views
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
Kernel TLV4K views
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)
Kirill Tsym8.2K views
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
Cengage Learning2K views
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redacted
Ryan Breed187 views
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
Iwan896291 view

Recently uploaded

AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1DianaGray10179 views38 slides
Sell&Buy.pdfSell&Buy.pdf
Sell&Buy.pdfDanielle9510955 views11 slides
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...DianaGray1048 views38 slides
Stanford AI Report 2023Stanford AI Report 2023
Stanford AI Report 2023Kapil Khandelwal (KK)19 views386 slides
Orbyfy Grid e-Services_vFx.pdfOrbyfy Grid e-Services_vFx.pdf
Orbyfy Grid e-Services_vFx.pdfOrbyfy19 views6 slides
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a MigrationNoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a MigrationScyllaDB31 views25 slides

Recently uploaded(20)

AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1
DianaGray10179 views
Sell&Buy.pdfSell&Buy.pdf
Sell&Buy.pdf
Danielle9510955 views
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
DianaGray1048 views
Stanford AI Report 2023Stanford AI Report 2023
Stanford AI Report 2023
Kapil Khandelwal (KK)19 views
Orbyfy Grid e-Services_vFx.pdfOrbyfy Grid e-Services_vFx.pdf
Orbyfy Grid e-Services_vFx.pdf
Orbyfy19 views
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a MigrationNoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
ScyllaDB31 views
Deploying CloudStack with CephDeploying CloudStack with Ceph
Deploying CloudStack with Ceph
ShapeBlue108 views
OpenFOAM benchmark for EPYC server: cavity mediumOpenFOAM benchmark for EPYC server: cavity medium
OpenFOAM benchmark for EPYC server: cavity medium
takuyayamamoto180031 views
GDSC_Info_Session_KITTiptur.pptxGDSC_Info_Session_KITTiptur.pptx
GDSC_Info_Session_KITTiptur.pptx
RadhikaNA38 views
GDSC23 SAC - Info Session GDSC.pptxGDSC23 SAC - Info Session GDSC.pptx
GDSC23 SAC - Info Session GDSC.pptx
SAC221 views
INASLA_AI and Landscape Architecture.pptxINASLA_AI and Landscape Architecture.pptx
INASLA_AI and Landscape Architecture.pptx
Jonathon Geels66 views
NoSQL Data Migration Masterclass - Session 1 Migration Strategies and ChallengesNoSQL Data Migration Masterclass - Session 1 Migration Strategies and Challenges
NoSQL Data Migration Masterclass - Session 1 Migration Strategies and Challenges
ScyllaDB53 views
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsNoSQL Database Migration Masterclass - Session 3: Migration Logistics
NoSQL Database Migration Masterclass - Session 3: Migration Logistics
ScyllaDB27 views
FewShotExamples.pptxFewShotExamples.pptx
FewShotExamples.pptx
Alok Ranjan20 views
Daily Scrum, Sprint Review & Retrospective.pptxDaily Scrum, Sprint Review & Retrospective.pptx
Daily Scrum, Sprint Review & Retrospective.pptx
Md. Rakib Trofder90 views
A new era of Wi-Fi has arrivedA new era of Wi-Fi has arrived
A new era of Wi-Fi has arrived
Adtran67 views
DigitalWisers Onepager.pdfDigitalWisers Onepager.pdf
DigitalWisers Onepager.pdf
Mustafa Kuğu165 views
Workshop on IoT and Basic Home Automation_BAIUST.pptxWorkshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptx
Redwan Ferdous27 views
Graph Neural Networks.pptxGraph Neural Networks.pptx
Graph Neural Networks.pptx
Kumar Iyer19 views
dvss.pptdvss.ppt
dvss.ppt
SaikrishnaCheruvu1354 views

Go with the flow

  1. @Rathaur_Kamal
  2.  Infosec Enthusiast  Incident Response/Digital Forensics Analyst  Speaker/Volunteer at Null and OWASP chapters  AM – IT Security (Just a position, for the records)   Travelling, Trekking, Infosec brainstorming  GCFA Certified, SANS Lethal Forensicator Award
  3.  A series of packets on a network that have common attributes  Just metadata – No contents  Much like a phone bill – You know, who called who but not what was said  Is not a replacement for full packet capture
  4.  Exporter – Uses UDP (Standard port 2055) for sending packets to Collectors  Collectors – Positioning is the key  Storage – Understand the requirements and the size of storage based on the need  Analysis Console – usually a thin client – browser based. Performance hungry
  5.  Identify the critical data  Understand the network diagram  Identify choke and critical nodes  Identify critical datacenters  Plan Netflow exporters and packet capture points  Confirm legal and regulatory compliance  Security teams may prefer to use their own Netflow server and storage solution
  6. nfcapd - netflow capture daemon nfdump - netflow dump nfprofile - netflow profiler nfreplay - netflow replay nfclean.pl - cleanup old data ft2nfdump - optional binary
  7.  A set of tools to collect and process netflow data  Supports netflow versions v1, v5, v7, v9 and IPFIX  Fully IPv6 compatible  Stores netflow data in time sliced files – rotates typically every 5 minutes i.e. 288 files per day in nfcapd.YYYYMmddhhmm format  Command line based tool compatible to tcpdump  Top N statistics for packets, bytes, IP addresses, ports… Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2005-08-30 06:59:52.338 0.001 UDP 36.249.80.226:3040 -> 92.98.219.116:1434 1 404 1
  8.  NfSen is a graphical web based front end for the Nfdump netflow tools  Graph specific profiles • Track hosts, ports etc. from live data • Profile hosts involved in incidents from history data  Analyze a specific time window  Web based  Automatic alerting  Flexible extensions using plugins
  9. Demo Time
  10.  Understand the netflow basics  Netflow Analysis with open source tools  Ideas for setting up test lab  Testing and Deployment in VM  Replicate to Production environment
  11. Thank You!