2. Infosec Enthusiast
Incident Response/Digital Forensics Analyst
Speaker/Volunteer at Null and OWASP chapters
AM – IT Security (Just a position, for the records)
Travelling, Trekking, Infosec brainstorming
GCFA Certified, SANS Lethal Forensicator Award
3. A series of packets on a network that share common attributes
Just metadata – no contents
Much like a phone bill – you know who called whom, but not what was said
Is not a replacement for full packet capture
6. Exporter – sends flow records to collectors over UDP (standard port 2055)
Collectors – positioning is the key
Storage – understand the retention requirements and size the storage accordingly
Analysis console – usually a thin, browser-based client; performance hungry
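To make the exporter/collector split and the "metadata only" point concrete, here is a small collector-side decoder for NetFlow v5 datagrams. It is an added example, not code from the slides or from nfdump; it assumes the public NetFlow v5 wire layout (24-byte header, up to 30 fixed 48-byte records, big-endian) and the conventional port 2055. The sample datagram is constructed in-line with struct.pack so the script runs offline; serve() is the only part that actually listens on UDP.

```python
"""NetFlow v5 collector-side parser (added example; not from the slides or nfdump).

Assumes the public NetFlow v5 format: a 24-byte header followed by up to 30
fixed 48-byte records, all big-endian. SAMPLE_PACKET is constructed here so
nothing needs to listen on UDP 2055 for the parser to be exercised.
"""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

NETFLOW_PORT = 2055  # conventional collector port used by most exporters

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes
MAX_RECORDS = 30


@dataclass
class FlowRecord:
    """What an exporter actually sends: endpoints and counters, never payload."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int


def parse_v5(packet: bytes) -> tuple[dict, list[FlowRecord]]:
    """Decode one NetFlow v5 datagram, rejecting anything inconsistent.

    The record count is checked against the real datagram length instead of
    being trusted on its own, so a truncated or malformed datagram is dropped
    rather than turned into garbage flow rows.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, packet)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(packet) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "unix_secs": unix_secs,
              "flow_sequence": flow_seq, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits = interval
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN)
        (srcaddr, dstaddr, _nh, _in, _out, dpkts, doctets, _first, _last,
         sport, dport, _pad1, tcp_flags, prot, _tos, _sas, _das, _sm, _dm, _pad2) = f
        records.append(FlowRecord(str(IPv4Address(srcaddr)), str(IPv4Address(dstaddr)),
                                  prot, sport, dport, dpkts, doctets, tcp_flags))
    return header, records


def build_v5_packet(records: list[FlowRecord], flow_seq: int = 0) -> bytes:
    """Construct a v5 datagram from FlowRecords (used here only to make sample data)."""
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 1125384000, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, int(IPv4Address(r.src)), int(IPv4Address(r.dst)), 0,
                    0, 0, r.packets, r.octets, 0, 0, r.sport, r.dport,
                    0, r.tcp_flags, r.proto, 0, 0, 0, 0, 0, 0)
        for r in records)
    return header + body


# Constructed sample: the UDP flow from the nfdump slide plus one TCP flow.
SAMPLE_RECORDS = [
    FlowRecord("36.249.80.226", "92.98.219.116", 17, 3040, 1434, 1, 404, 0),
    FlowRecord("10.0.0.7", "203.0.113.9", 6, 51234, 443, 12, 4096, 0x1B),
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_RECORDS, flow_seq=42)


def serve(bind_addr: str = "0.0.0.0", port: int = NETFLOW_PORT) -> None:
    """Tiny collector loop: receive datagrams from exporters and print the flows."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (exporter, _) = sock.recvfrom(65535)
            try:
                header, flows = parse_v5(data)
            except ValueError as exc:
                print(f"dropped datagram from {exporter}: {exc}")
                continue
            for fl in flows:
                print(f"{exporter} seq={header['flow_sequence']} {fl.src}:{fl.sport} -> "
                      f"{fl.dst}:{fl.dport} proto={fl.proto} pkts={fl.packets} bytes={fl.octets}")


if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE_PACKET)
    print(hdr)
    for fl in flows:
        print(fl)
```

Every field the parser recovers is an address, port, protocol, counter or flag; there is no room in the format for packet contents, which is the phone-bill analogy on the earlier slide in code form. A real collector such as nfcapd also handles v9/IPFIX templates and binds on the port the exporters were configured with; the length check here is the minimum any collector should do before trusting an unauthenticated UDP datagram.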
7. Identify the critical data
Understand the network diagram
Identify choke points and critical nodes
Identify critical datacenters
Plan Netflow exporters and packet capture points
Confirm legal and regulatory compliance
Security teams may prefer to use their own Netflow server and storage solution
9. A set of tools to collect and process netflow data
Supports netflow versions v1, v5, v7, v9 and IPFIX
Fully IPv6 compatible
Stores netflow data in time-sliced files, rotating typically every 5 minutes, i.e. 288 files per day, named nfcapd.YYYYMMddhhmm
Command-line tool with a filter syntax compatible with tcpdump
Top N statistics for packets, bytes, IP addresses, ports…
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2005-08-30 06:59:52.338 0.001 UDP 36.249.80.226:3040 -> 92.98.219.116:1434 1 404 1
11. NfSen is a graphical, web-based front end for the Nfdump netflow tools
Graph specific profiles
• Track hosts, ports etc. from live data
• Profile hosts involved in incidents from history data
Analyze a specific time window
Web based
Automatic alerting
Flexible extensions using plugins
14. Understand the netflow basics
Netflow analysis with open source tools
Ideas for setting up a test lab
Testing and deployment in a VM
Replicate to the production environment