netflows at the university of chicago
play

Netflows at The University of Chicago E. Larry Lidz, - PowerPoint PPT Presentation

Oct 23, 2022 •263 likes •420 views

Netflows at The University of Chicago E. Larry Lidz, ellidz@uchicago.edu The University of Chicago A few notes to start This is how we use flows. There are other tools. Some are undoubtedly better. A brief intro to flows

  1. Netflows at The University of Chicago E. Larry Lidz, ellidz@uchicago.edu The University of Chicago

  2. A few notes to start… • This is how we use flows. • There are other tools. – Some are undoubtedly better.

  3. A brief intro to flows… • Log flows, not connections. – Harder to hide traffic – Sometimes direction of connection unclear. • Not an IDS, but can play one on TV. – No signature checking. – Logs unknown traffic, too. • Forensic Tool! – You get logs, even if you didn’t know there was a problem. – Can often get date, time, method of compromise. – Alaska story…

  4. Network layout

  5. What we watch • Net Flows – All gateway traffic – Remotes • Argus – Most, soon to be all, traffic through one of the core switches/routers.

  6. Flow-tools • Written by Mark Fulmer – http://www.splintered.net/sw/flow-tools/ • Capture flow exports from router • Stored in /var/log/flow/<router>/<file> on log server. – Keep 3 months worth, 840GB for flow+argus – Merge gateways to one location, kill duplicates.

  7. Flow-tools tools • flow-capture to capture flows. • flow-cat to cat a bunch of files together. • flow-merge to merge the gateways. • flow-stat to get statistics. • Occasionally use other programs. • demo of flow-cat/flow-stat:

  8. flow-extract • http://security.uchicago.edu/tools/net-forensics/ • Port of TAMU Netlogger’s Extract program to use flow files – shows fields in flows but not netlogs – more options with which to select – ICMP printed similarly to TCP/UDP • Allows for flexible selection of flows on command line with friendly awk-like syntax. – DNS resolution – Can be used as a script with #!

  9. Some flow-extract options • -b, output in binary. – Useful for piping into flow-stat, etc. • -n, don’t resolve IP or port names • -f, use as a script • -D, resolve IPs, but not port names. • -o, output to <file> • -z, compression level – similar to flow-cat.

  10. flow-extract selection criteria • net, srcnet, dstnet • host, srchost, dsthost, hp, srchp, dsthp • iface, srciface, dstiface • port, srcport, dstport, proto, octets, pkts • flag FIN|SYN|RST|PUSH|ACH|URG • flags safrpu/safrpu • date, time, since, before

  11. flow-scripts • check-scans/check-pingflood – flow-dscan does some of this, too… • flhosts, flports, combo-cx • connection reports • doflow.sh, scaneval.sh • check-scan/connrep output: • scaneval.sh demo:

  12. Argus • QoScient’s Argus: http://www.qoscient.com/argus/ • Uses promiscuous interface • Can export over network • Can log application data, too! – We log 64 bytes… mostly header info. • argus sends the traffic over the network, ra captures and views it. • demo of ra.

  13. Future Network

  14. New Design • Flow stuff stays about the same… • Argus at each core switch? – Could export flows, but it would negatively impact performance as MLS currently uses uni-directional flows • Connection reports moved to argus? • …?

  15. Questions? • Any questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Software Tool for Multi-Field Multi-Level NetFlows Anonymization

A Software Tool for Multi-Field Multi-Level NetFlows Anonymization

A Software Tool for Multi-Field Multi-Level NetFlows Anonymization &lt;http://scrub-netflows.sourceforge.net/&gt; William Yurcik Clay Woolam, Latifur Khan, Bhavani Thuraisingham University of Texas at Dallas The University of Texas at Dallas

304 views • 15 slides
CANINE A NetFlows Conversion/Anonymization Tool for Format Interoperability and Secure Sharing

CANINE A NetFlows Conversion/Anonymization Tool for Format Interoperability and Secure Sharing

CANINE A NetFlows Conversion/Anonymization Tool for Format Interoperability and Secure Sharing Katherine Luo*, Yifan Li, Adam Slagell, William Yurick SIFT Research Group National Center for Supercomputing Applications (NCSA) University of

508 views • 15 slides
VisFlowConnect-IP: A Link-Based Visualization of Netflows for Security Monitoring William Yurcik

VisFlowConnect-IP: A Link-Based Visualization of Netflows for Security Monitoring William Yurcik

VisFlowConnect-IP: A Link-Based Visualization of Netflows for Security Monitoring William Yurcik &lt;byurcik@ncsa.uiuc.edu &gt; National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign FIRST06

961 views • 58 slides
NVisionIP: An Animated State Analysis Tool for Visualizing NetFlows Ratna Bearavolu, Kiran

NVisionIP: An Animated State Analysis Tool for Visualizing NetFlows Ratna Bearavolu, Kiran

NVisionIP: An Animated State Analysis Tool for Visualizing NetFlows Ratna Bearavolu, Kiran Lakkaraju, William Yurcik National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign National Center for

248 views • 14 slides
Bhaskar DasGupta Department of Computer Science University of Illinois at Chicago Chicago, IL

Bhaskar DasGupta Department of Computer Science University of Illinois at Chicago Chicago, IL

Node Expansions and Cuts in Gromov-hyperbolic Graphs Bhaskar DasGupta Department of Computer Science University of Illinois at Chicago Chicago, IL 60607, USA bdasgup@uic.edu March 28, 2016 Joint work with Marek Karpinski (University

1.12k views • 82 slides
Anna Mukhortova The University of Chicago VIII RASA Conference Chicago November 5, 2017

Anna Mukhortova The University of Chicago VIII RASA Conference Chicago November 5, 2017

Anna Mukhortova The University of Chicago VIII RASA Conference Chicago November 5, 2017 State-of-the-art fabrication facility for academic research and industrial R&amp;D Eckhardt Research Center at the University of Chicago A quantum dot

407 views • 15 slides
University of Chicago South Side of Chicago Connor Williams, LCSW, Behavioral Health Coordinator

University of Chicago South Side of Chicago Connor Williams, LCSW, Behavioral Health Coordinator

University of Chicago South Side of Chicago Connor Williams, LCSW, Behavioral Health Coordinator Karen Lee, MS, Data Manager University of Chicago MS/PSS Quality Improvement Presentation: MS Documentation Need to improve the documentation

286 views • 5 slides
University of Chicago South Side of Chicago Elaine Seaton, MSW, Rose Petals Co-Lead Humera

University of Chicago South Side of Chicago Elaine Seaton, MSW, Rose Petals Co-Lead Humera

University of Chicago South Side of Chicago Elaine Seaton, MSW, Rose Petals Co-Lead Humera Sayeed, MSW, Rose Petals Co-Lead Erie Crawford, MSW, Manager of Psychosocial Services Karen Lee, MS, Data Manager University of Chicago MS/PSS Quality

335 views • 5 slides
Ken Shiozaki RIKEN Corroborators: Hassan Shapourian University of Chicago Shinsei Ryu

Ken Shiozaki RIKEN Corroborators: Hassan Shapourian University of Chicago Shinsei Ryu

Fermionic partial transpose and non-local order parameters for SPT phases of fermions Ken Shiozaki RIKEN Corroborators: Hassan Shapourian University of Chicago Shinsei Ryu University of Chicago Kiyonori Gomi Shinshu University Refs:

522 views • 49 slides
Dynamic Analysis at CBO The University of Chicago Booth School of Business Chicago, Illinois

Dynamic Analysis at CBO The University of Chicago Booth School of Business Chicago, Illinois

Congressional Budget Office March 7, 2016 Dynamic Analysis at CBO The University of Chicago Booth School of Business Chicago, Illinois Wendy Edelberg Associate Director for Economic Analysis For additional information, see Congressional

726 views • 40 slides
Automatic Colorization Gustav Larsson TTI Chicago / University of Chicago Joint work with

Automatic Colorization Gustav Larsson TTI Chicago / University of Chicago Joint work with

Automatic Colorization Gustav Larsson TTI Chicago / University of Chicago Joint work with Michael Maire and Greg Shakhnarovich NVIDIA @ SIGGRAPH 2016 Colorization Let us first define colorization Colorization Definition 1: The inverse

693 views • 50 slides
Chicago Biomedical Consortium (CBC) July 19, 2012 UIC UIC Overview Started in 2006 The

Chicago Biomedical Consortium (CBC) July 19, 2012 UIC UIC Overview Started in 2006 The

Chicago Biomedical Consortium (CBC) July 19, 2012 UIC UIC Overview Started in 2006 The CBC s mission is to stimulate collaboration between the University of Illinois at Chicago, University of Chicago, and Northwestern University

472 views • 10 slides
: gr ( ) E XAMPLE (P. H ALL , E. W ITT , W. M AGNUS ) Let F n = x x 1 , . . . , x n y

: gr ( ) E XAMPLE (P. H ALL , E. W ITT , W. M AGNUS ) Let F n = x x 1 , . . . , x n y

R ESONANCE , REPRESENTATIONS , AND THE J OHNSON FILTRATION Alex Suciu Northeastern University, visiting the University of Chicago Geometry/Topology Seminar University of Chicago May 8, 2015 A LEX S UCIU (N ORTHEASTERN ) R ESONANCE ,

760 views • 31 slides
using Sector/Sphere Yunhong Gu , Li Lu : University of Illinois at Chicago Robert Grossman :

using Sector/Sphere Yunhong Gu , Li Lu : University of Illinois at Chicago Robert Grossman :

Processing Massive Sized Graphs using Sector/Sphere Yunhong Gu , Li Lu : University of Illinois at Chicago Robert Grossman : University of Chicago and Open Data Group Andy Yoo : Lawrence Livermore National Laboratory Background Very large

460 views • 16 slides
ICHEP 2016 Chicago All the numbers shown here are NOT final Young-Kee Kim The University of

ICHEP 2016 Chicago All the numbers shown here are NOT final Young-Kee Kim The University of

ICHEP 2016 Chicago All the numbers shown here are NOT final Young-Kee Kim The University of Chicago August 7, 2016 1 Conference Location: Sheraton Hotel The Chicago shoreline of Lake Michigan Sheraton Hotel Parks Concert Beach halls

862 views • 19 slides
UNIVERSITY OF ILLINOIS AT CHICAGO Board of Trustees Retreat July 20, 2011 1 UNIVERSITY OF

UNIVERSITY OF ILLINOIS AT CHICAGO Board of Trustees Retreat July 20, 2011 1 UNIVERSITY OF

UNIVERSITY OF ILLINOIS AT CHICAGO Board of Trustees Retreat July 20, 2011 1 UNIVERSITY OF ILLINOIS AT CHICAGO You may recognize some of our brands 2 UIC Strategic Plan Goal als: 1. UIC will offer an outstanding education at all levels to

457 views • 21 slides
Flow Networks Carola Wenk Slides adapted from slides by Charles Leiserson Max flow and min cut

Flow Networks Carola Wenk Slides adapted from slides by Charles Leiserson Max flow and min cut

CMPS 6610/4610 Fall 2016 Flow Networks Carola Wenk Slides adapted from slides by Charles Leiserson Max flow and min cut Fundamental problems in combinatorial optimization Duality between max flow and min cut Many applications:

752 views • 40 slides
Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1

Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1

Intro Background Debugging Methods Conclusions &amp; Future Work References &amp; Backup Slides Platform-Independent Debugging of Physical Interaction and Signal Flow Models Mehdi Dadfarnia 1 Raphael Barbau 2 1 National Institute of Standards

590 views • 40 slides
Coflow Recent Advances and Whats Next? Mosharaf Chowdhury University of Michigan Rack-Scale

Coflow Recent Advances and Whats Next? Mosharaf Chowdhury University of Michigan Rack-Scale

Coflow Recent Advances and Whats Next? Mosharaf Chowdhury University of Michigan Rack-Scale Datacenter-Scale Geo-Distributed Computing Computing Computing Coflow Networking Open Source Apache Spark Open Source Cluster File System

1.23k views • 29 slides
Normalizing Flow Models Stefano Ermon, Aditya Grover Stanford University Lecture 8 Stefano

Normalizing Flow Models Stefano Ermon, Aditya Grover Stanford University Lecture 8 Stefano

Normalizing Flow Models Stefano Ermon, Aditya Grover Stanford University Lecture 8 Stefano Ermon, Aditya Grover (AI Lab) Deep Generative Models Lecture 8 1 / 20 Recap of normalizing flow models So far Transform simple to complex

461 views • 20 slides
The P rice of Anarchy is I ndependent of t he Net work Topology Tim Roughgarden Cornell

The P rice of Anarchy is I ndependent of t he Net work Topology Tim Roughgarden Cornell

The P rice of Anarchy is I ndependent of t he Net work Topology Tim Roughgarden Cornell Universit y 1 Traf f ic in Congest ed Net works The Model: A dir ect ed gr aph G = (V,E) k source-dest inat ion pair s (s 1 ,t 1 ), ,

364 views • 17 slides
Evaluating Bufferless Flow Control for On-Chip Networks George Michelogiannakis, Daniel Sanchez,

Evaluating Bufferless Flow Control for On-Chip Networks George Michelogiannakis, Daniel Sanchez,

Evaluating Bufferless Flow Control for On-Chip Networks George Michelogiannakis, Daniel Sanchez, William J. Dally, Christos Kozyrakis Stanford University In a nutshell Many researchers report high buffer costs. Motivates

249 views • 22 slides
Information Flow and Decision-Making in Advanced Vehicle Development Presented by: Presented

Information Flow and Decision-Making in Advanced Vehicle Development Presented by: Presented

Information Flow and Decision-Making in Advanced Vehicle Development Presented by: Presented by: Joseph A. Donndelinger General Motors Research &amp; Development Center GMs Vehicle Development Process GMs Vehicle Development Process

517 views • 35 slides
Mass quenching, cold flows and gas inflow into galaxies Yuval Birnboim The Hebrew University of

Mass quenching, cold flows and gas inflow into galaxies Yuval Birnboim The Hebrew University of

Mass quenching, cold flows and gas inflow into galaxies Yuval Birnboim The Hebrew University of Jerusalem, Israel Outline The stability of virial shocks (recap of 2003 results) Application for spherical and filamentary infall How

466 views • 32 slides

More recommend