Network Situational Awareness with Flow Data

Explore network situational awareness using flow data in this comprehensive conference talk from BSides Augusta 2016. Dive into the comparison between full PCAP and flow data, learning how to build, generate, and collect flow records. Discover various flow data tools, with a focus on SILK and FlowBAT. Follow along with installation processes and practical analysis techniques for both tools. Gain insights into identifying services, analyzing PCAP files, and implementing network flow automation. Conclude with an introduction to Flow Plotter and its applications in enhancing network security monitoring.

Syllabus

Intro
Jason Smith
Applied Network Security Monitoring
Not on the Agenda
Full PCAP vs. Flow Data
Building Flow Records
Generating Flow Data
Collecting Flow Data
Flow Data Tool Comparisons
SILK and FlowBAT
SILK Collection Architecture
Getting Started with Flows
SILK - Install
SILK Analysis - PCAP Conversion
SILK Analysis - Output Examples
FlowBAT - Install
FlowBAT Analysis - Filtering
FlowBAT Analysis - Stats
FlowBAT Analysis - Non-Standard Ports Discovering outbound data to applications using nonstandard ports
Identifying Services
Analyzing PCAP Files PCAPs need to exist on the FlowBAT server
Network Flow Automation
Flow Plotter
Conclusion