NfSen and NFDUMP, 16th TF-CSIRT Meeting, Sept 15th 2005, Lisbon. Peter Haag, SWITCH
What I am going to present:

- Review: what are NfSen and nfdump
- The tools in action
- Plugins
- Outlook: what's next
What is NetFlow?

NetFlow is a traffic monitoring technology developed by Cisco. Flows are unidirectional and contain connection-related data such as:

- Source and destination IP address
- Source and destination port
- Source and destination AS
- Layer 3 protocol, ToS byte, TCP flags
- Logical input and output interfaces
- Byte and packet counters

With NfSen you can:

- Display the network traffic situation.
- Easily navigate through the netflow data (time based).
- Drill down from the overview to the details, down to the specific flows.
- Profile/monitor specific networks/hosts and events.
- Filter netflow data extensively.
- Analyse the netflow data using the web based as well as the command line based interface.
- Create lots of Top N statistics.
- Post process the netflow data for reporting and alerting.
[Slides 5 to 8: screenshots of the NfSen web front-end]
Putting it all together

[Diagram: netflow v5/v7 from routers, softflowd or pfflowd is collected by the nfdump backend; on top of it run the periodic update tasks and plugins, the web front-end, post processing (e.g. summary mails) and the CLI.]

nfdump 1.4: the main netflow processing tool

- Stores netflow data in time sliced files.
- Command line based tool, comparable to tcpdump.
- Written in C: fast.
- Supports netflow format v5 and v7.
- Powerful pcap-like filter syntax, for example:
    ( tcp and dst net /16 and src port > 1024 and bytes < 600 ) or ( bps > 1k and
- Flexible aggregation.
- Efficient filter engine: more than 6 million flows/s on a 3GHz Intel.
- Lots of fast Top N statistics.
- Anonymising of IP addresses (Crypto-PAn).
nfdump statistics processing

Top N statistics about:
- Flow records
- Any IP addr, src IP addr, dst IP addr
- Any port, src port, dst port
- Any AS, src AS, dst AS

Ordered by:
- Number of flows
- Number of packets
- Number of bytes
- pps (packets per second)
- bps (bits per second)
- bpp (bytes per packet)

Example:

    nfdump -r -s record/flows -s ip/packets/bytes/bps -s dstport/flows

Example output, Top 20 IP addresses ordered by bps:

    nfdump -r /nfcapd -n 20 -s ip/bps

[Table with the columns Date first seen, Duration, IP Addr, Flows, Packets, Bytes, pps, bps, bpp; the 20 rows (IP addresses anonymized) and the summary lines Time window, Flows analysed/matched and Bytes read are not legible in the transcription.]

Example output, Top 20 flows ordered by pps:

    nfdump -r /nfcapd -o extended -n 20 -s record/pps

[Table with the columns Date flow start, Duration, Proto, Src IP Addr:Port, Dst IP Addr:Port, Flags, Tos, Packets, Bytes, pps, bps, Bpp, Flows; the rows are almost all TCP port 80 flows plus one UDP port 53 flow, IP addresses anonymized. Summary: matched 12128 flows, Sys: 0.054s, Wall: 0.014s.]

NfSen in action: overview, details, flows

[Slides 14 to 17: screenshots of the overview, the details view and the flow listing]

NfSen profiles

- A profile is a specific view on the netflow data with nfdump filters applied.
- The profile applies to the graphical as well as to the numerical view.
- Profiles can be created from data in the past (static).
- Profiles can be created from incoming data (continuous).
- Any views or processing options are available.
Example profiles

- Filter: ( udp or tcp ) and port 53
- Filter: bytes < 100

Filters may be as complex as the filter syntax of nfdump allows. Example:

    ((src net /16 and src port > 1024 ) or dst host and dst port 80) and packets > 1000 and pps >

Analyse incident: [screenshot of a profile used during incident analysis]
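The profile filters above use nfdump's pcap-like filter syntax. As an added example that is not part of the original slides or of nfdump itself, the following Python evaluates a subset of that syntax (and, or, not, parentheses, tcp/udp/icmp, src/dst ip, host, net, port and as, plus the packets, bytes, duration, bpp, bps and pps counters with k/M/G scaling) against constructed flow records; the sample flows, the 1 ms floor for zero-duration flows and the binary k/M/G scaling are assumptions of this example, not nfdump's implementation.

```python
import ipaddress
import operator
import re
from collections import deque

def flow(fid, proto, src, sport, sas, dst, dport, das, packets, nbytes, duration):
    return {"id": fid, "proto": proto, "srcip": src, "srcport": sport, "srcas": sas, "dstip": dst,
            "dstport": dport, "dstas": das, "packets": packets, "bytes": nbytes, "duration": duration}

FLOWS = [  # constructed sample flows (not real traffic); duration in seconds
    flow("f1", "tcp", "192.0.2.10", 40000, 559, "198.51.100.5", 80, 64500, 1500, 1200000, 12.0),
    flow("f2", "udp", "192.0.2.20", 5353, 559, "203.0.113.53", 53, 64501, 1, 76, 0.0),
    flow("f3", "tcp", "203.0.113.9", 2000, 64502, "192.0.2.30", 22, 559, 3, 180, 0.5),
    flow("f4", "tcp", "192.0.2.40", 51000, 559, "198.51.100.7", 80, 64500, 4000, 4000000, 2.0),
]
TOKEN = re.compile(r"\(|\)|[<>!=]=?|[A-Za-z_]+|\d+(?:\.\d+)*(?:/\d+)?")
OPS = {"=": operator.eq, "==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
SCALE = {"k": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumed binary scaling for 1k, 10M, ...
PROTOS = {"tcp", "udp", "icmp"}
COUNTERS = {"packets", "bytes", "duration", "bpp", "bps", "pps"}

def counter_value(f, name):
    """Raw counter, or one derived from it; a zero-duration flow is treated as 1 ms long."""
    dur = max(f["duration"], 0.001)
    derived = {"bpp": f["bytes"] / max(f["packets"], 1), "bps": f["bytes"] * 8 / dur,
               "pps": f["packets"] / dur}
    return derived.get(name, f.get(name))

def sided(side, field, test):
    """'src X' / 'dst X' test one side of the flow; a bare 'X' matches either side."""
    keys = [side + field] if side else ["src" + field, "dst" + field]
    return lambda f: any(test(f[k]) for k in keys)

def compile_filter(text):
    """Recursive descent: or-expr > and-expr > not / parentheses / primitive."""
    toks = deque(TOKEN.findall(text))
    peek = lambda: toks[0] if toks else None

    def or_expr():
        parts = [and_expr()]
        while peek() == "or":
            toks.popleft()
            parts.append(and_expr())
        return lambda f: any(p(f) for p in parts)

    def and_expr():
        parts = [unary()]
        while peek() == "and":
            toks.popleft()
            parts.append(unary())
        return lambda f: all(p(f) for p in parts)

    def unary():
        if peek() == "not":
            toks.popleft()
            inner = unary()
            return lambda f: not inner(f)
        if peek() != "(":
            return primitive()
        toks.popleft()
        inner = or_expr()
        if toks.popleft() != ")":
            raise ValueError("missing ')'")
        return inner

    def primitive():
        tok = toks.popleft()
        if tok in PROTOS:
            return lambda f, p=tok: f["proto"] == p
        side = None
        if tok in ("src", "dst"):
            side, tok = tok, toks.popleft()
        if tok in ("ip", "host"):
            addr = ipaddress.ip_address(toks.popleft())
            return sided(side, "ip", lambda v: ipaddress.ip_address(v) == addr)
        if tok == "net":
            net = ipaddress.ip_network(toks.popleft(), strict=False)
            return sided(side, "ip", lambda v: ipaddress.ip_address(v) in net)
        if tok in ("port", "as"):
            cmp = OPS[toks.popleft()] if peek() in OPS else operator.eq  # "port 53" means "= 53"
            num = int(toks.popleft())
            return sided(side, tok, lambda v: cmp(v, num))
        if tok in COUNTERS and side is None:
            cmp, num = OPS[toks.popleft()], float(toks.popleft())
            if peek() in SCALE:
                num *= SCALE[toks.popleft()]
            return lambda f, c=tok: cmp(counter_value(f, c), num)
        raise ValueError(f"unexpected token {tok!r}")

    pred = or_expr()
    if toks:
        raise ValueError(f"trailing tokens: {' '.join(toks)}")
    return pred

def filter_flows(filter_text, flows):
    """Return the ids of the flows matching an nfdump-style filter string."""
    pred = compile_filter(filter_text)
    return [f["id"] for f in flows if pred(f)]
```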
Plugins: what for?

- Monitoring and alerting.
- Tracking known botnet masters and sending notifications.
- Tracking possible scanners or DoS attacks that are not necessarily visible in the graph.
- Port tracking.

Backend plugins are simple Perl modules hooked into the NfSen backend; they are called automatically at regular 5 minute intervals.

Frontend plugins are simple PHP modules hooked into the NfSen frontend; they are called by selecting their tab.

[Diagram, NfSen plugins: backend plugins hooked into the periodic update, frontend plugins hooked into the web front-end, post processing.]
Backend plugins

A backend plugin is a Perl module registered in nfsen.conf. The NfSen backend calls Init once and then run for every profile and 5 minute time slot; the plugin reports its findings, e.g. by mail through Notification.pm.

    # nfsen.conf: which plugin module runs on which profile
    @plugins = (
        [ 'live', 'CatchDos' ],
    );
    1;

    # CatchDos.pm
    package CatchDos;
    use strict;

    sub Init {
        # Init plugin
    } # End of Init

    sub run {
        my $profile  = shift;
        my $timeslot = shift;
        # process the time slot and report via Notification.pm
    } # End of run

    1;

Example: candidates for scanning activities

Define a nice filter. We want to see sources with more than $limit packets in very short flows:

    my $limit     = 6000;
    my $nf_filter = 'duration < 3500 and packets < 3 and bpp < 100 and src as 559';

The periodic function gets the profile name and the time slot (format yyyymmddhhmm) as input:

    use strict;
    use Sys::Syslog qw(syslog);
    use NfSen;
    # $nfdump and $PROFILEDATADIR come from the NfSen configuration

    sub run {
        my $profile  = shift;
        my $timeslot = shift;
        syslog('debug', "CatchScanners run: Profile: $profile, Time: $timeslot");

        my %profileinfo     = NfSen::ReadProfile($profile);
        my $netflow_sources = $profileinfo{'sourcelist'};

        # process all sources of this profile at once
        my @output = `$nfdump -M $PROFILEDATADIR/$profile/$netflow_sources -r nfcapd.$timeslot -a -A srcip,dstport -l $limit -f '$nf_filter'`;

        # process the output and notify the duty team
    } # End of run

(IP addresses anonymised)
Example: candidates for scanning activities (output)

The plugin processes the data with the nfdump arguments and filter above and mails the result (Subject: Scanners, packet limit > 6000 packets). The report lists aggregated records with the columns Date flow start, Duration, Proto, Src IP Addr:Port, Dst IP Addr:Port, Packets, Bytes and Flows; the ports show as :0 because the records are aggregated by srcip and dstport. The rows (almost all TCP, one UDP) are not legible in the transcription. (IP addresses anonymised)

Backend / frontend plugins

nfsen.conf registers the plugin; the backend part (Perl) runs automatically every 5 minutes, the frontend part (PHP) is called when its tab is selected. Frontend plugin fragment from the slide:

    /* Port Tracker
     * Plugin */
    function PortTracker_Run($plugin_id) {
        $portinfo = GetTopN($plugin_id, $_SESSION["${plugin_id}
    } // End of PortTracker_Run
NfSen plugins: Port Tracker [screenshot]

Planned plugin: host behaviour based worm detection

Result of a PhD network security research work in the context of the DDoSVax project at the Swiss Federal Institute of Technology Zurich. Idea: infected hosts show a different behaviour and can be put into different classes:

- Traffic class: worm infected hosts tend to send considerably more traffic than they receive.
- Responder class: if many more hosts start to answer requests, they are probably victims of a worm.
- Connector class: worm infected hosts typically open many connections.
DDoSVax host behaviour based worm detection, example: MyDoom.A

[Venn diagram of the classes Traffic (T), Connector (C) and Responder (R) with the regions T∩C, T∩R∩C, T∩R, R∩C and no class.] Most interesting for worm detection are the cardinalities of the class combinations.

NfSen/nfdump at SWITCH

- Server: 2 x 3GHz, 2GB RAM.
- Debian Linux.
- (2TB + 1TB) AXUS disk RAID, XFS file system.
- Gigabit Ethernet interfaces.
- 5 min workload average ca. 5%.
- 25GB netflow data / day.
- About 41 days of netflow data available.
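As an added example that is not part of the slides or of the DDoSVax work, the following Python assigns hosts to the Traffic, Connector and Responder classes from a window of flow records and compares the cardinalities of the class combinations between a baseline window and a current window, which is the quantity the slide calls most interesting. The thresholds, the ephemeral-port heuristic for deciding which side opened a connection, and the constructed flows are assumptions of this example.

```python
from collections import defaultdict

# Thresholds are assumptions of this example, not values from the DDoSVax work.
TRAFFIC_RATIO = 3.0      # T: bytes sent > 3 x bytes received
CONNECT_THRESHOLD = 20   # C: connections opened to at least 20 distinct hosts
RESPOND_THRESHOLD = 1    # R: answered requests from at least 1 distinct peer
COMBOS = ("T", "R", "C", "T∩C", "T∩R", "R∩C", "T∩R∩C", "none")


def make_flow(src, sport, dst, dport, packets, nbytes):
    """One unidirectional flow record, as NetFlow exports it."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "packets": packets, "bytes": nbytes}


def classify_hosts(flows):
    """Map every host seen in the window to the subset of {T, R, C} it falls in."""
    sent, recv = defaultdict(int), defaultdict(int)
    opened = defaultdict(set)     # host -> peers it initiated connections to
    answered = defaultdict(set)   # host -> peers whose requests it answered
    keys = {(f["src"], f["sport"], f["dst"], f["dport"]) for f in flows}
    for f in flows:
        sent[f["src"]] += f["bytes"]
        recv[f["dst"]] += f["bytes"]
        # Heuristic: the side on the ephemeral port (>= 1024) opened the connection.
        if f["sport"] >= 1024 and f["dport"] < 1024:
            opened[f["src"]].add(f["dst"])
            # A reverse flow means the destination actually answered this peer.
            if (f["dst"], f["dport"], f["src"], f["sport"]) in keys:
                answered[f["dst"]].add(f["src"])
    classes = {}
    for host in set(sent) | set(recv):
        cls = set()
        if sent[host] > 0 and sent[host] > TRAFFIC_RATIO * recv[host]:
            cls.add("T")
        if len(opened[host]) >= CONNECT_THRESHOLD:
            cls.add("C")
        if len(answered[host]) >= RESPOND_THRESHOLD:
            cls.add("R")
        classes[host] = cls
    return classes


def combo_label(cls):
    """'T∩R∩C'-style label in the order used on the slide, or 'none'."""
    return "∩".join(c for c in ("T", "R", "C") if c in cls) or "none"


def class_cardinalities(flows):
    """Number of hosts per class combination for one time window."""
    counts = dict.fromkeys(COMBOS, 0)
    for cls in classify_hosts(flows).values():
        counts[combo_label(cls)] += 1
    return counts


def rising_combos(baseline, current, factor=3):
    """Combinations that appear for the first time or grow by at least `factor`."""
    base, cur = class_cardinalities(baseline), class_cardinalities(current)
    return sorted(k for k in COMBOS if k != "none" and cur[k] > 0
                  and (base[k] == 0 or cur[k] >= factor * base[k]))


def constructed_windows():
    """Constructed sample flows (not real traffic): a quiet baseline window and a
    window in which host 10.0.0.9 probes 30 hosts on port 445 like a worm."""
    baseline = []
    for i in range(1, 6):
        client = f"10.0.0.{i}"
        baseline.append(make_flow(client, 40000 + i, "10.0.1.1", 80, 10, 1000))
        baseline.append(make_flow("10.0.1.1", 80, client, 40000 + i, 20, 20000))
    current = list(baseline)
    for i in range(1, 31):
        target = f"10.0.2.{i}"
        current.append(make_flow("10.0.0.9", 3000 + i, target, 445, 1, 48))
        if i <= 8:  # only eight probed hosts answer the request
            current.append(make_flow(target, 445, "10.0.0.9", 3000 + i, 1, 48))
    return baseline, current


if __name__ == "__main__":
    base, cur = constructed_windows()
    print("baseline:", class_cardinalities(base))
    print("current :", class_cardinalities(cur))
    print("rising  :", rising_combos(base, cur))
```

In the constructed current window the probing host lands in T∩C and the eight answering hosts in R, so both combinations are reported as rising against the baseline.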
Next steps, todo list

NfSen:
- More plugins: alerting plugin; anomaly detection plugin (DDoSVax project, ETH Zürich); protocol and AS tracker.

nfdump:
- Netflow v9, IPv6.
- Related filters, e.g. worm footprint tracking:
    first { dst ip <A> dst port 445 bytes > 600 } then { src ip <A> and dst ip and dst port 80 }
- Post processing filters etc.

Summary

- Good and flexible tools for all sorts of netflow tasks: network monitoring, incident handling, all sorts of tracking.
- Open source tools under BSD license.
- Command line tool nfdump: written in C, runs on most *nix; tested on Linux kernel 2.4.* and 2.6.*, FreeBSD, OpenBSD, Solaris. Available at
- Web based frontend NfSen: written in PHP and Perl, extendable using plugins. Available at
- Possible candidate for the toolset in GN2/JRA.
More informationNetwork Based Peer-To-Peer Botnet Detection
Network Based Peer-To-Peer Botnet Detection Yonas Alehegn 1, Dr. T. Pandikumar 2, Abdulkadir Hassen 3 1Information System Security Office, Bank of Abyssinia 2 Department of CIT, College of Engineering,
More informationForescout. Configuration Guide. Version 3.5
Forescout Version 3.5 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191
More informationUnderstanding And Using Custom Queries
Purpose This document describes how to use the full flexibility of Nagios to get the most out of your network flow data. Target Audience Network admins performing forensic analysis on a network's flow
More informationConfiguring Anomaly Detection
CHAPTER 12 This chapter describes how to create multiple security policies and apply them to individual virtual sensors. It contains the following sections: Understanding Policies, page 12-1 Anomaly Detection
More informationConfiguring Traffic Mirroring
This module describes the configuration of the traffic mirroring feature. Traffic mirroring is sometimes called port mirroring, or switched port analyzer (SPAN). Feature History for Traffic Mirroring Release
More informationBGP Event-Based VPN Import
BGP Event-Based VPN Import Last Updated: April 13, 2012 The BGP Event-Based VPN Import feature introduces a modification to the existing Border Gateway Protocol (BGP) path import process. The enhanced
More informationMaster Course Computer Networks IN2097
Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Chapter 7 - Network Measurements Introduction Architecture & Mechanisms
More informationNetwork Intrusion Analysis (Hands on)
Network Intrusion Analysis (Hands on) TCP/IP protocol suite is the core of the Internet and it is vital to understand how it works together, its strengths and weaknesses and how it can be used to detect
More informationConfiguring Logging for Access Lists
CHAPTER 20 This chapter describes how to configure access list logging for extended access lists and Webytpe access lists, and it describes how to manage deny flows. This chapter includes the following
More informationConfiguring AVC to Monitor MACE Metrics
This feature is designed to analyze and measure network traffic for WAAS Express. Application Visibility and Control (AVC) provides visibility for various applications and the network to central network
More informationLesson 9 OpenFlow. Objectives :
1 Lesson 9 Objectives : is new technology developed in 2004 which introduce Flow for D-plane. The Flow can be defined any combinations of Source/Destination MAC, VLAN Tag, IP address or port number etc.
More information