akde/infosec

Information security is ultimately about managing risk


Use cases

  • Detection of connections to known bad servers 
    • If we detected malware and know its C&C server, we can search through historical flow data to find other possibly infected systems that talked to the same server.
  • Atypical data transfer volume 
    • Could indicate data exfiltration.
  • Long-living connections 
    • Often this is an indicator for a C&C connection, which stays open for a very long time.

Tools

Standard unix tools like awk can also be used on a flow file, e.g. by piping the output of cat into awk.
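As an added example (not code from this site), the three use cases above implemented with plain awk over a flow file, in the spirit of the unix-tools approach mentioned here. The flow records, the known-bad address list, the simplified CSV layout and the thresholds (1 GiB per flow, 1 hour duration) are all constructed assumptions for illustration; a real deployment would export the fields from nfdump, SiLK or argus and set thresholds from a baseline of normal traffic.

```shell
#!/bin/sh
# Constructed sample flow export (not real data). One record per line:
# start_time,duration_s,proto,src_ip,dst_ip,dst_port,bytes
# Layout loosely modelled on a CSV flow export; field order is an assumption.
FLOWS=$(mktemp)
BAD=$(mktemp)
trap 'rm -f "$FLOWS" "$BAD"' EXIT

cat > "$FLOWS" <<'EOF'
2024-01-01T10:00:00,2,TCP,10.0.0.5,93.184.216.34,443,5120
2024-01-01T10:00:05,1,UDP,10.0.0.5,10.0.0.1,53,120
2024-01-01T10:01:00,9000,TCP,10.0.0.7,198.51.100.23,8443,3400
2024-01-01T10:02:00,30,TCP,10.0.0.9,203.0.113.77,443,2147483648
2024-01-01T10:03:00,3,TCP,10.0.0.12,198.51.100.23,80,900
2024-01-01T11:00:00,4,TCP,10.0.0.5,93.184.216.34,443,6000
EOF

# Constructed list of known-bad (C&C) addresses, one per line. Placeholder
# value from a documentation range, not a real indicator.
printf '198.51.100.23\n' > "$BAD"

# Use case 1: internal hosts that connected to any known-bad server.
# Two-file awk idiom: first pass loads the bad list, second pass scans flows.
known_bad_hosts() {
  awk -F, 'NR==FNR { bad[$1] = 1; next }
           ($5 in bad) { print $4 }' "$BAD" "$FLOWS" | sort -u
}

# Use case 2: flows whose byte count exceeds a threshold (1 GiB, assumed).
# Prints "src->dst bytes" for each offending flow.
large_transfers() {
  awk -F, -v limit=1073741824 '$7 > limit { print $4 "->" $5 " " $7 }' "$FLOWS"
}

# Use case 3: long-living connections (duration above 1 hour, assumed).
# Prints "src->dst:port durations".
long_connections() {
  awk -F, -v maxdur=3600 '$2 > maxdur { print $4 "->" $5 ":" $6 " " $2 "s" }' "$FLOWS"
}

echo "hosts that contacted a known-bad server:"; known_bad_hosts
echo "large transfers:";                          large_transfers
echo "long-living connections:";                  long_connections
```

The byte and duration thresholds are the weak point of use cases 2 and 3: a backup host legitimately moves gigabytes, and an SSH session legitimately stays open for hours, so these checks are best run per host (or per subnet) against that host's own historical volume rather than with one global number.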

nfdump

SiLK

argus
