{"id":4564,"date":"2025-03-17T15:27:55","date_gmt":"2025-03-17T14:27:55","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4564"},"modified":"2025-03-17T15:38:29","modified_gmt":"2025-03-17T14:38:29","slug":"network-flow-data-analysis","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4564","title":{"rendered":"Network Flow Data analysis"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Use cas\u00ades<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detec\u00adtion of con\u00adnec\u00adtions to known bad servers&nbsp;<ul class=\"wp-block-list\">\n<li>If we detect\u00aded a mal\u00adware and know a C<span class=\"amp\">&amp;<\/span>C serv\u00ader, we can search through his\u00adtor\u00adi\u00adcal flow data to detect oth\u00ader pos\u00adsi\u00adble infect\u00aded systems.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Atipi\u00adcal data trans\u00adfer volume&nbsp;<ul class=\"wp-block-list\">\n<li>Could lead to a data exfiltration.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Long liv\u00ading connections&nbsp;<ul class=\"wp-block-list\">\n<li>Often, this is an indi\u00adca\u00adtor for a C<span class=\"amp\">&amp;<\/span>C con\u00adnec\u00adtion, which stays open for a very long&nbsp;time.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Stan\u00addard unix tools like awk can also been used with a cat of a flow&nbsp;file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">nfdump<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SiLK<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">argus<\/h3>\n","protected":false},"excerpt":{"rendered":"<p>Use cas\u00ades Tools Stan\u00addard unix tools like awk can also been used with a cat of a flow&nbsp;file. nfdump SiLK&nbsp;argus<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[476,512,517],"tags":[521],"class_list":["post-4564","post","type-post","status-publish","format-standard","hentry","category-defence-tool","category-incident-response","category-incident-response-training-march-2025","tag-flow-data"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4564"}],"version-history":[{"count":3,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4564\/revisions"}],"predecessor-version":[{"id":4572,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4564\/revisions\/4572"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}