netflow
play

Netflow Malicious activities detection Cedric Foll @follc Goal - PowerPoint PPT Presentation

Mar 04, 2024 •543 likes •855 views

Netflow Malicious activities detection Cedric Foll @follc Goal Being able to detect (most of) malicious activities without having to read logs Logs are boring, reading them takes a lot of time Graphic visualisation is more effective, fast

  1. Netflow Malicious activities detection Cedric Foll @follc

  2. Goal Being able to detect (most of) malicious activities without having to read logs Logs are boring, reading them takes a lot of time Graphic visualisation is more effective, fast and fun Being able to detect some other activities (tor, worms, slow scan, tunnel ...) by scripts

  3. Netflow/IPFIX/sFlow NetFlow At first a Cisco technology on routers IPFIX IETF standard (RFC5101, RFC5102) IPFIX = NetFlow v10 sFlow Very similar to NetFlow (softwares who collect/analyse are the same) Mostly implemented on switches

  4. How it works A flow is a set of packets with common characteristics within a given time frame and a given direction: Ingress interface, L3 information (src/dst IP), L4 information (tcp/udp w src/dst ports, icmp, esp, ...) Start time, duration, number of packets and bytes A session (for example a HTTP file download) will produce two flows (inbound + outbound)

  5. How it works The cache contains 64k entries (default) A flow expires: After 15 seconds of inactivity (default) After 30 minutes of activity (default) When the RST or FIN flag is set If the cache is full

  6. How it works Routers/Switches send flows to collector (2055/udp) Work with most of router/switch vendors (NetFlow or sFlow), even with OpenvSwitch or VMware vSphere On Linux routers there is an iptables module ipt-netflow (I haven't tested it). Many open source collectors are available We'll focus on nfdump/nfsen

  7. Nfdump/Nfsen Nfdump Set of command line tools to collect (nfcapd), to search into flow (nfdump), and few other tools (replay flows for example) Nfsen Web based graphic representation of flows Graphs are made using filters (something like pcap ones) Graph activities by port, host, networks,...

  8. Nfdump/Nfsen The following examples are based on my university network (Lille) On the Wan Router 10 GB of flow data saved each month

  9. Some examples

  10. NFSen Eduroam wireless users (students, staff, guests)

  11. Few servers

  12. Graph by ports

  13. Bytes

  14. Packets

  15. Flows

  16. TCP Flows

  17. Analysis

  18. hping?

  19. Misconfiguration Open recursive DNS

  20. nmap /24

  21. nmap /24

  22. email account used to send spam

  23. email account used to send spam

  24. Bittorents (uTB)

  25. Most scanned ports

  26. Horizontal scan

  27. Malicious activities detection by command line

  28. Command line search Tunnels Very long flows with few traffic -> HTTP/HTTPS Tunnel Big amount on data on UDP/53 -> DNS Tunnel SSH Tunnel is harder to detect... Malware or Tor traffic Use public list of IP addresses of CC / Tor Node

  29. http://rules.emergingthreats.net/blockrules/emerging-tor-BLOCK.rules Detecting Tor use

  30. Questions? Cedric Foll / @follc Network & System architect Lille 3 Co-Editor in chief of french security mag MISC

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org> NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

1.19k views • 36 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore, George Varghese University of California, San Diego IETF60 Aug 4, 2004 IPFIX WG UCSD CSE Disclaimers "NetFlow" used

510 views • 26 slides
Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly Feagans | Sales Engineering September 2017 | Washington, DC Objective OBJECTIVE Learn how to use NetFlow with the Splunk Stream Forwarder for

444 views • 20 slides
Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

A Performance Benchmark for NetFlow Data Analysis on Distributed Stream Processing Systems NOMS 2016 Wednesday 27 th April, 2016 Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring and Analysis

606 views • 23 slides
Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific Northwest National Laboratory FloCon 2016 Outline Introduction NetFlow Windows Event Log data Remote Desktop Protocol (RDP) sessions Approach

510 views • 32 slides
Tranalyzer Netflow extension It's the network go fix it! 2 Features

Tranalyzer Netflow extension It's the network go fix it! 2 Features

Tranalyzer Netflow extension It's the network go fix it! 2 Features Command-line based GUI: Traviz Extendable by plugins Fast and simple Practitioners: Anomaly and security related flags Researchers: Full

395 views • 11 slides
Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

1.1k views • 91 slides
NetFlow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0

NetFlow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0

Advanced Registry Operations Curriculum NetFlow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) as part of the ICANN, ISOC and NSRC

1.04k views • 63 slides
On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

544 views • 26 slides
Thai Oil Public Company Limited 1 Thai Oil Public Company Limited Presentation to Investors

Thai Oil Public Company Limited 1 Thai Oil Public Company Limited Presentation to Investors

Thai Oil Public Company Limited 1 Thai Oil Public Company Limited Presentation to Investors Presentation to Investors Thai Corporate Day Thai Corporate Day Arranged by ABN AMRO Bank Arranged by ABN AMRO Bank 20-23 March 2006 20-23 March

650 views • 38 slides
The memory of a program Source-code is compiled into linkable object modules Paging and

The memory of a program Source-code is compiled into linkable object modules Paging and

The memory of a program Source-code is compiled into linkable object modules Paging and Virtual Memory Memory addresses given as relative offsets Libraries contain object modules Object modules are linked together into a Operating

459 views • 6 slides
Psychotherapy and Nonpharmacologic Treatment Modalities, Risk Factors for Psychiatric Illness and

Psychotherapy and Nonpharmacologic Treatment Modalities, Risk Factors for Psychiatric Illness and

First Annual Bay Area Maternal Mental Health Conference: Psychotherapy and Nonpharmacologic Treatment Modalities, Risk Factors for Psychiatric Illness and The Difficult Patient Katherine E. Williams, M.D. Director, Womens Wellness

509 views • 48 slides
KSWC Space Weather Mission & Future Plan Jangsuk Choi (KSWC) IPT-SWeISS-1, Geneva, 21-23

KSWC Space Weather Mission & Future Plan Jangsuk Choi (KSWC) IPT-SWeISS-1, Geneva, 21-23

We need IPT-SWeISS Logo !! KSWC Space Weather Mission & Future Plan Jangsuk Choi (KSWC) IPT-SWeISS-1, Geneva, 21-23 June 2017 KSWC Space Weather Mission Products Customers Observation Ionosonde (x2) & TEC (x5) Magnetometer

250 views • 4 slides
http://socialwork.sdsu.edu/fie http://socialwork.sdsu.edu/field/student-forms Review

http://socialwork.sdsu.edu/fie http://socialwork.sdsu.edu/field/student-forms Review

2/3/2017 Overview for Planning Foundation Year Announcements Field Placement SW 650 Fall 2017 Who needs to be here! Three and Four Year Students MSW I Placement Planning Orientation Sign-In Please! (Students in 3year or 4 Year MSW

280 views • 4 slides
nanotechnology Rachel Horta Arduin Natalia Neto Pereira Cerize Claudia Echevengua Teixeira IPT

nanotechnology Rachel Horta Arduin Natalia Neto Pereira Cerize Claudia Echevengua Teixeira IPT

Brazilian scenario in sustainable nanotechnology Rachel Horta Arduin Natalia Neto Pereira Cerize Claudia Echevengua Teixeira IPT Institute for Technological Research One of Brazils largest research institutes. Eleven technology centers

407 views • 17 slides
12 December 2018 YOUR PARTNER IN GROUND ENGINEERING Extraordinary General Meeting 2018

12 December 2018 YOUR PARTNER IN GROUND ENGINEERING Extraordinary General Meeting 2018

CSC Holdings Limited Extraordinary General Meeting 12 December 2018 YOUR PARTNER IN GROUND ENGINEERING Extraordinary General Meeting 2018 Introduction Proposed Adoption of General Mandate for Interested Persons Transactions (IPT)

92 views • 7 slides
Using Trusted Execution Environments in Two-Factor Authentication Roland van Rijswijk-Deij M.Sc.

Using Trusted Execution Environments in Two-Factor Authentication Roland van Rijswijk-Deij M.Sc.

Introduction Trusted Execution and Two-Factor Authentication User Interaction Discussion Conclusions and Future Work Using Trusted Execution Environments in Two-Factor Authentication Roland van Rijswijk-Deij M.Sc. rijswijk@cs.ru.nl

299 views • 14 slides

More recommend