Fun With Flow presented at ShmooCon 2011

by Richard Friedberg

Tags: Security Monitoring Analysis


Summary: While many people use NetFlow for network monitoring or billing, it is also quite useful for detecting malicious network activity. After a quick recap of pros and cons, we'll cover how you can build a sensor and storage system using open source tools such as YAF (Yet Another Flowmeter) and SiLK (System for Internet Level Knowledge), and then move into how you can use these tools to find cool stuff (using recent threats/attacks as examples). We'll demonstrate some of these capabilities, show you some pretty visualizations, and help you get started performing analysis on your own networks. We'll also touch on productive ways to fuse flow data with other data sets for more in-depth analytics, and some recent code releases that may change the way you think about using flow. This talk will be a CliffsNotes version of interesting things you can do with flow to increase the effectiveness of your security monitoring efforts for free. Tools used for the presentation are open source and will be available at [link missing from this listing]. If possible, we'll demonstrate some of these tools and analysis techniques on data from the Shmoo conference network.
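The "find cool stuff" part of the summary, as an added example that is not from the talk and not code from the SiLK or YAF projects: a small Python scan detector run over flow records in the pipe-delimited text form that SiLK's `rwcut` prints. The field list mirrors `rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime`; the sample records are constructed, and the probe heuristic (at most two packets, and for TCP no ACK observed) and the five-target threshold are assumptions chosen for the demo, not values from the talk.

```python
"""Toy flow-based scan detector over rwcut-style text records.

Added example, not part of the ShmooCon talk nor of SiLK/YAF. The input
below is CONSTRUCTED to look like the output of
  rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime
(in a real pipeline it would arrive via `rwfilter ... --pass=stdout | rwcut ...`).
Thresholds are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one host sweeping port 22 across a /24 (one target
# answered and a full session followed), two normal HTTPS sessions, one DNS
# query, and one host probing several ports on a single target.
SAMPLE_RWCUT = """\
        sIP|          dIP|sPort|dPort|pro|packets|bytes|flags|                  sTime|
   10.0.0.5|   192.0.2.10|52341|   22|  6|      1|   60|    S|2011/01/28T14:05:01.000|
   10.0.0.5|   192.0.2.11|52342|   22|  6|      1|   60|    S|2011/01/28T14:05:01.010|
   10.0.0.5|   192.0.2.12|52343|   22|  6|      1|   60|    S|2011/01/28T14:05:01.020|
   10.0.0.5|   192.0.2.13|52344|   22|  6|      1|   60|    S|2011/01/28T14:05:01.030|
   10.0.0.5|   192.0.2.14|52345|   22|  6|      1|   60|    S|2011/01/28T14:05:01.040|
   10.0.0.5|   192.0.2.15|52346|   22|  6|      1|   60|    S|2011/01/28T14:05:01.050|
   10.0.0.5|   192.0.2.16|52347|   22|  6|      8| 1312| FSPA|2011/01/28T14:05:01.060|
   10.0.0.7|   192.0.2.50|49152|  443|  6|     34|21020| FSPA|2011/01/28T14:06:12.000|
   10.0.0.7|   192.0.2.51|49153|  443|  6|     28|17400| FSPA|2011/01/28T14:06:40.000|
198.51.100.9|    10.0.0.20|   53|   53| 17|      1|   98|     |2011/01/28T14:07:00.000|
   10.0.0.9|   192.0.2.60|40000|   80|  6|      1|   60|    S|2011/01/28T14:08:00.000|
   10.0.0.9|   192.0.2.60|40001|  443|  6|      1|   60|    S|2011/01/28T14:08:00.050|
   10.0.0.9|   192.0.2.60|40002| 8080|  6|      1|   60|    S|2011/01/28T14:08:00.100|
   10.0.0.9|   192.0.2.60|40003| 3389|  6|      1|   60|    S|2011/01/28T14:08:00.150|
   10.0.0.9|   192.0.2.60|40004|   21|  6|      1|   60|    S|2011/01/28T14:08:00.200|
"""


@dataclass(frozen=True)
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    nbytes: int
    flags: str   # TCP flag letters as rwcut prints them, "" for non-TCP
    stime: str


def parse_rwcut(text: str) -> list[Flow]:
    """Parse pipe-delimited rwcut text; skips the header, tolerates padding."""
    flows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().split("|")]
        if parts and parts[-1] == "":   # rwcut ends each row with a '|'
            parts.pop()
        if not parts or parts[0] == "sIP":
            continue
        sip, dip, sport, dport, proto, packets, nbytes, flags, stime = parts
        flows.append(Flow(sip, dip, int(sport), int(dport), int(proto),
                          int(packets), int(nbytes), flags, stime))
    return flows


def is_probe(flow: Flow, max_packets: int = 2) -> bool:
    """Heuristic (assumed): tiny flow, and for TCP no ACK ever seen, i.e. the
    handshake never completed from this side's point of view."""
    if flow.packets > max_packets:
        return False
    return flow.proto != 6 or "A" not in flow.flags


def find_scans(flows: list[Flow], min_targets: int = 5, max_packets: int = 2):
    """Return ('horizontal', sIP, proto, dPort, n) for one source hitting many
    hosts on one port, and ('vertical', sIP, proto, dIP, n) for one source
    hitting many ports on one host, counting only probe-like flows."""
    by_port: dict[tuple, set] = defaultdict(set)   # (sIP, proto, dPort) -> dIPs
    by_host: dict[tuple, set] = defaultdict(set)   # (sIP, proto, dIP)   -> dPorts
    for f in flows:
        if not is_probe(f, max_packets):
            continue
        by_port[(f.sip, f.proto, f.dport)].add(f.dip)
        by_host[(f.sip, f.proto, f.dip)].add(f.dport)
    alerts = []
    for (sip, proto, dport), targets in by_port.items():
        if len(targets) >= min_targets:
            alerts.append(("horizontal", sip, proto, dport, len(targets)))
    for (sip, proto, dip), ports in by_host.items():
        if len(ports) >= min_targets:
            alerts.append(("vertical", sip, proto, dip, len(ports)))
    return sorted(alerts, key=lambda a: (a[0], a[1], str(a[3])))


if __name__ == "__main__":
    for kind, sip, proto, key, n in find_scans(parse_rwcut(SAMPLE_RWCUT)):
        print(f"{kind:10s} src={sip} proto={proto} {'dport' if kind == 'horizontal' else 'dip'}={key} targets={n}")
```

The distinct-target counting is the whole trick: a single SYN to one host is noise, the same SYN to dozens of hosts on one port is a sweep. SiLK's own rwuniq/rwstats can produce the same per-key counts directly from binary flow files; the Python version is here only to make the logic explicit. Note the open-port case (192.0.2.16): the completed session is deliberately excluded from the probe count so that real traffic does not pad the tally, which is also why a scanner that completes handshakes (a connect scan) needs a different key, such as distinct destinations per source regardless of flags.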

Richard Friedberg: Rich Friedberg works in the Network Situational Awareness team at CERT, part of the Software Engineering Institute at Carnegie Mellon University. He spends his days helping to develop engineering solutions and research approaches for analyzing network activity for large-scale environments. Prior to joining CERT he spent 10 years working in the financial sector for network and security teams. Rich holds a BS from Carnegie Mellon, an MBA from George Washington, and various security certifications. In his free time, he spends too much time in airports, not enough time drinking, and is still trying to break his IRC addiction.