search menu icon-carat-right cmu-wordmark

Network Profiling Using Flow

August 2012 Technical Report
Austin Whisnant, Sid Faber

In this report, the authors provide a step-by-step guide for profiling and discovering public-facing assets on a network using netflow data.

Publisher:

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2012-TR-006

Abstract

This report provides a step-by-step guide for profiling—discovering public-facing assets on a network—using network flow (netflow) data. Netflow data can be used for forensic purposes, for finding malicious activity, and for determining appropriate prioritization settings. The goal of this report is to create a profile to see a potential attacker’s view of an external network. Readers will learn how to choose a data set, find the top assets and services with the most traffic on the network, and profile several services. A case study provides an example of the profiling process. The underlying concepts of using netflow data are presented so that readers can apply the approach to other cases. A reader using this report to profile a network can expect to end with a list of public-facing assets and the ports on which each is communicating and may also learn other pertinent information, such as external IP addresses, to which the asset is connecting. This report also provides ideas for using, maintaining, and reporting on findings. The appendices include an example profile and scripts for running the commands in the report. The scripts are a summary only and cannot replace reading and understanding this report.

Listen to the podcast from CERT's Podcast Series about this report.