Collection and Detection with Flow Data - A Follow Up
Offered By: YouTube
Course Description
Overview
Explore network security monitoring techniques in this 53-minute conference talk from BSides Nashville 2016. Dive into the comparison between full PCAP and flow data, learning how to build, generate, and collect flow records. Discover various flow data tools, with a focus on the SILK collection architecture and FlowBAT analysis. Learn to install SILK and use its rwfilter and rwcut tools, and to convert PCAP files into flow records. Master FlowBAT installation and analysis techniques, including filtering, stats, and dashboard creation. Gain insights on identifying services, analyzing PCAP files, and implementing network flow automation. Conclude with an introduction to Flow Plotter, enhancing your skills in applied network security monitoring.
Syllabus
Intro
Jason Smith
Applied Network Security Monitoring
Agenda
Full PCAP vs. Flow Data
Building Flow Records
Generating Flow Data
Collecting Flow Data
Flow Data Tool Comparisons
SILK Collection Architecture
Getting Started with Flows
SILK - Install
SILK Analysis - rwfilter / rwcut
SILK Analysis - PCAP Conversion
SILK Analysis - Output Examples
FlowBAT - Install
FlowBAT Analysis - Filtering
FlowBAT Analysis - Stats
FlowBAT Analysis - Dashboard: using the 24 hour graph and periodically executing
FlowBAT Analysis - Non-Standard Ports: discovering outbound data to applications using nonstandard ports
Identifying Services
Analyzing PCAP Files: PCAPs need to exist on the FlowBAT server
Network Flow Automation
Flow Plotter
Conclusion