

Flow Analysis & Network Hunting

Creator:     Michael McFail and Ben Actis

License:    Creative Commons: Attribution, Share-Alike


Class Prerequisites: Knowledge of TCP/IP

Lab Requirements: The VM below provides the tools and some basic example data, but you should collect your own data and analyze it within this VM, because not all of the data used in the class videos was releasable.

Class Textbook: None

Recommended Class Duration: 1 day

Creator Available to Teach In-Person Classes: No

Author Comments:

This course focuses on network analysis and hunting for malicious activity from a security operations center perspective. We will cover the strengths of netflow, its operational limitations, recommended sensor placement, netflow tools, visualization of network data, analytic tradecraft for network situational awareness, and network hunting scenarios.

Course Objectives:

* Provide an understanding of the netflow data format

* Describe common netflow collection, analysis, and visualization tools

* Cover situational awareness and hunting analytic tradecraft

* Fuse netflow with other data sources
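As an added worked example covering the first and third objectives (it is not part of the class materials or the VM), the Python below builds a NetFlow v5 export packet from constructed flow tuples, parses it back with the v5 header and record layout, and then runs one hunting analytic over the parsed flows: flagging source/destination/port tuples whose flow start times are near-periodic, the classic callback pattern that byte and port counts alone do not surface. The sample addresses, timings, and the `min_flows` / `max_cv` thresholds are assumptions chosen for illustration.

```python
"""NetFlow v5 parsing plus a periodicity (beaconing) hunt over the records.

Added example, not from the class. Uses only the standard library.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from statistics import mean, pstdev

# NetFlow v5 wire layout: 24-byte header, then up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_packet(records, sys_uptime_ms=0, unix_secs=0, seq=0):
    """Serialise (src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms) tuples
    into one v5 export packet (nexthop, interfaces, AS numbers and masks left zero)."""
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
            0, 0, pkts, octets, first, last, sport, dport,
            0, 0x18, proto, 0, 0, 0, 0, 0, 0,   # pad, tcp_flags(PSH|ACK), prot, tos, ASes, masks, pad
        )
        for src, dst, sport, dport, proto, pkts, octets, first, last in records
    )
    return header + body


def parse_v5_packet(data):
    """Return one dict per flow record, checking the version and the advertised count."""
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated packet: header count exceeds payload")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "pkts": f[5], "octets": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
        })
    return flows


def find_beacons(flows, min_flows=6, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose inter-flow gaps have a low coefficient of
    variation (stdev/mean): a client calling back on a fixed schedule.
    Returns [((src, dst, dport), period_seconds), ...]."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["dst"], f["dport"])].append(f["first_ms"])
    hits = []
    for key, starts in by_key.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, round(avg / 1000, 1)))
    return hits


# Constructed sample (assumed data): 10.0.0.5 contacts 203.0.113.7:443 every 60 s with
# tiny payloads, while 10.0.0.9 produces a few irregular browsing flows.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 40000 + i, 443, 6, 4, 320, 60_000 * i, 60_000 * i + 200)
    for i in range(10)
] + [
    ("10.0.0.9", "198.51.100.20", 51000, 443, 6, 40, 51200, 5_000, 9_000),
    ("10.0.0.9", "198.51.100.20", 51001, 443, 6, 80, 120000, 7_500, 30_000),
    ("10.0.0.9", "198.51.100.21", 51002, 80, 6, 12, 8000, 200_000, 201_000),
    ("10.0.0.9", "198.51.100.20", 51003, 443, 6, 30, 40000, 410_000, 412_000),
]

PACKET = build_v5_packet(SAMPLE_FLOWS, sys_uptime_ms=900_000, unix_secs=1372982400)


def hunt(data=PACKET):
    """Parse an export packet and return the beacon candidates found in it."""
    return find_beacons(parse_v5_packet(data))


if __name__ == "__main__":
    for (src, dst, dport), period in hunt():
        print(f"possible beacon: {src} -> {dst}:{dport} every {period}s")
```

On real collection the same analytic is run over hours or days of flows rather than a single packet, and the thresholds need tuning: legitimate software (update checkers, mail clients, NTP) is also periodic, so the output is a list of candidates to triage against the other data sources the class covers, not an alert by itself.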

Special thanks to Jon Ferretti for reviewing the videos for public release.

Class Materials

Slides (153 slides)

Ubuntu VM (direct download) (.torrent) (VMWare) with netflow analysis tools on it
  - md5 = da1f6fefcbd21c8257708eb1cefb06b3
  - username / password = student / ilikenetflow
  - about 5.6GB compressed, about 13GB uncompressed

Full quality downloadable QuickTime, h.264, and Ogg videos at Archive.org:

Part 1 - Intro (20:23, 147 MB)

Part 2 - YAF (16:36, 111 MB)

Part 3 - Silk (29:12, 255 MB)

Part 4 - iSilk (17:30, 119 MB)

Part 5 - Argus (9:31, 79 MB)

Part 6 - Bro (26:26, 213 MB)

Part 7 - Analytics - Situational Awareness 1 (18:22, 133 MB)

Part 8 - Analytics - Situational Awareness 2 (18:10, 117 MB)

Part 9 - Analytics - Hunting (19:55, 134 MB)

Part 10 - Analytics - Data Fusion (20:27, 115 MB)

(3:16:54 total, sans lab time)

The videos are useful for students, but even more useful for potential instructors who would like to teach this material: watching them makes clear the intent of slides that do not stand on their own. We recommend watching the largest video size so that as much on-screen text as possible is legible without having to follow along in the slides.

Revision History:

07-10-2013 - Added the class VM

07-08-2013 - Initial class content upload w/ 1 day of videos

If you have used and modified this material, we would appreciate it if you submitted your modified version for publishing here, so that all versions can benefit from your changes.