While many people use netflow for network monitoring or billing, it is also quite useful for detecting malicious network activity. After a quick recap of netflow's pros and cons, we'll cover how you can build a sensor and storage system using open source tools such as YAF (Yet Another Flowmeter) and SiLK (System for Internet Level Knowledge), and then move into how you can use these tools to find cool stuff (using recent threats/attacks as examples). We'll demonstrate some of these capabilities, show you some pretty visualizations and help you get started performing analysis on your own networks. We'll also touch on productive ways to fuse flow data with other data sets for more in-depth analytics, and some recent code releases that may change the way you think about using flow. This talk will be a CliffsNotes version of interesting things you can do with flow to increase the effectiveness of your security monitoring efforts for free. Tools used for the presentation are open source and will be available at http://tools.netsa.cert.org. If possible we'll demonstrate some of these tools and analysis techniques on data from the Shmoo conference network.
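To give a concrete sense of the kind of flow-based detection the abstract refers to, here is an added example (not code from the talk, nor from YAF or SiLK) that reads a small constructed set of flow records and flags sources whose behaviour looks like port scanning: many distinct destination IP/port pairs reached with one-packet, SYN-only TCP flows. The pipe-delimited layout is an assumption loosely modelled on SiLK's rwcut output; real field order depends on the options you pass, so the parser should be adjusted to whatever your own query emits.

```python
"""Flag scan-like sources in netflow records.

Added example for illustration only; not part of the original abstract,
YAF or SiLK. The sample records below are constructed and their layout
(sIP|dIP|sPort|dPort|pro|packets|bytes|flags) is an assumption modelled
loosely on rwcut's pipe-delimited text output.
"""
from collections import defaultdict

# Constructed sample: one host sweeping six services with bare SYNs,
# one host with normal completed sessions, one host with two probes.
SAMPLE_FLOWS = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|flags|
10.0.0.5|192.0.2.10|44123|21|6|1|60|S|
10.0.0.5|192.0.2.10|44124|22|6|1|60|S|
10.0.0.5|192.0.2.10|44125|23|6|1|60|S|
10.0.0.5|192.0.2.10|44126|25|6|1|60|S|
10.0.0.5|192.0.2.10|44127|80|6|1|60|S|
10.0.0.5|192.0.2.11|44128|445|6|1|60|S|
10.0.0.7|192.0.2.20|51000|443|6|18|9120|SPA|
10.0.0.7|192.0.2.21|51001|80|6|9|4310|SPA|
10.0.0.9|192.0.2.30|40000|22|6|1|60|S|
10.0.0.9|192.0.2.31|40001|22|6|1|60|S|
"""


def parse_flows(text):
    """Parse pipe-delimited flow text (first line is the header) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].strip("|").split("|")]
    flows = []
    for line in lines[1:]:
        parts = [p.strip() for p in line.strip("|").split("|")]
        rec = dict(zip(header, parts))
        for key in ("sPort", "dPort", "pro", "packets", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def is_probe(flow):
    """A TCP flow of at most two packets with SYN set and ACK never set.

    A completed handshake would have produced an ACK in the flow's
    cumulative flag set, so SYN-without-ACK is the signature of a probe
    that was refused, dropped, or never answered.
    """
    return (
        flow["pro"] == 6
        and flow["packets"] <= 2
        and "S" in flow["flags"]
        and "A" not in flow["flags"]
    )


def find_scanners(flows, min_targets=5):
    """Return {source IP: distinct (dIP, dPort) targets} for sources whose
    probe count reaches min_targets. The threshold is a tuning knob: too
    low and a host retrying one failed connection trips it, too high and
    a slow scan slips under it."""
    targets = defaultdict(set)
    for flow in flows:
        if is_probe(flow):
            targets[flow["sIP"]].add((flow["dIP"], flow["dPort"]))
    return {sip: len(t) for sip, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for sip, count in sorted(find_scanners(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{sip}: {count} distinct targets probed with SYN-only flows")
```

In practice you would feed this from a SiLK query rather than an inline string, and you would pair the per-source target count with the time span of the flows, since a handful of failed connections spread over a day looks very different from the same handful inside one second.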
This presentation was given at ShmooCon 2011, which took place in Washington, DC, January 28-30, 2011.