Network security monitoring working group

Similar documents
Automatic Network Protection Scenarios Using NetFlow

Flow-based detection of RDP brute-force attacks

FlowMon. Complete solution for network monitoring and security. INVEA-TECH

Detecting Botnets with NetFlow

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Comprehensive IP Traffic Monitoring with FTAS System

How To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)

Dynamic Honeypot Construction

How To Monitor Attackers On A Network On A Computer Or Network On An Uniden Computer (For Free) (For A Limited Time) (Czechian) (Cybercrime) (Uk) (Cek) (Kolomot

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

FORTHcert. Internet-Sicherheit fördern kritische Infrastrukturen schützen. Foundation for Research and Technology Hellas Institute of Computer Science

Network Monitoring and Management NetFlow Overview

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Monitoring backbone networks

SolarWinds Log & Event Manager

Large-Scale Geolocation for NetFlow

Pilot Deployment of Metering Points at CESNET Border Links

NfSen Plugin Supporting The Virtual Network Monitoring

How to configure an Advanced Expert Probe as NetFlow Collector

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Introduction to Netflow

How To Manage Ipv6 Networks On A Network With Ipvv6 (Ipv6) On A Pc Or Ipv4 (Ip6) (Ip V6) Or Ip V6 ( Ipv5) ( Ip V5

Autonomous NetFlow Probe

VoIP Fraud and Misuse

DDoS Mitigation Techniques

Linux Network Security

A Whirlwind Introduction to Honeypots

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Take the NetFlow Challenge!

SSHCure. A Flow-Based SSH Intrusion Detection System. User Manual. Rick Hofstede, Luuk Hendriks. University of Twente, The Netherlands

Limitations of Packet Measurement

Abstract /09/$25.00 c 2009 IEEE

How To Monitor Network Traffic On A Cell Phone

Network Security Monitoring and Behavior Analysis Best Practice Document

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Scalable Extraction, Aggregation, and Response to Network Intelligence

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Internet Traffic Trends A View from 67 ISPs

Traffic Monitoring : Experience

CAREN NOC MONITORING AND SECURITY

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

FLAB, Warden3 and friends

Chapter 11 Cloud Application Development

Campus Best Practices What s that?

Securing the system using honeypot in cloud computing environment

Use of Honeypots for Network Monitoring and Situational Awareness

The BELNET Vulnerability Scanner. TF-CSIRT Sept 2008, Vienna

Federated Threat Data Sharing with the Collective Intelligence Framework (CIF)

IPTV Traffic Monitoring System with IPFIX/PSAMP

Nemea: Searching for Botnet Footprints

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

PERDIX: A FRAMEWORK FOR REALTIME BEHAVIORAL EVALUATION OF SECURITY THREATS IN CLOUD COMPUTING ENVIRONMENT

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

The SCAMPI Scaleable Monitoring Platform for the Internet. Baiba Kaskina TERENA

Introduction to Network Monitoring and Management

IPv6 network management. Where and when?

IPv6 network management. 6DEPLOY. IPv6 Deployment and Support

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

Cheap and efficient anti-ddos solution

NetFlow-Lite offers network administrators and engineers the following capabilities:

Mauro Andreolini University of Modena Michele Colajanni. unimore.

A BRAINSTORMING ON SECURITY FIRE DRILLS

Community tools to fight against DDoS

Putting the Tools to Work DDOS Attack

Security Issues for Embedded Devices

Concept. Central Monitoring and IP Address Administration

Web Traffic Capture Butler Street, Suite 200 Pittsburgh, PA (412)

Flow Based Traffic Analysis

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

Flow Analysis Versus Packet Analysis. What Should You Choose?

An overview of traffic analysis using NetFlow

Analysis of Network Beaconing Activity for Incident Response

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

Tk20 Network Infrastructure

Towards Real-Time Intrusion Detection for NetFlow and IPFIX

Application Latency Monitoring using nprobe

DDoS Mitigation Strategies

STABLE & SECURE BANK lab writeup. Page 1 of 21

NetFlow: what happens in your network?

Details. Some details on the core concepts:

TELCO challenge: Learning and managing the network behavior

Log Management with Open-Source Tools. Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M

Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.

}w!"#$%&'()+,-./012345<ya

Practical Experience with IPFIX Flow Collectors

PRACTICAL EXPERIENCES BUILDING AN IPFIX BASED OPEN SOURCE BOTNET DETECTOR. ` Mark Graham

Volume 2, Issue 3, March 2014 International Journal of Advance Research in Computer Science and Management Studies

How To Identify Different Operating Systems From A Set Of Network Flows

Detection of DNS Traffic Anomalies in Large Networks

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

CARENET-SE. NOC Tools Review. Communication System Design Summer Project team. Champion Björn Pehrson Coach Hans Eriksson

DDOS Mi'ga'on in RedIRIS. SIG- ISM. Vienna

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

IRENE. Intelligence between POS terminal and authorization system. Gateway. Increased security, availability and transparency.

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Pwning Intranets with HTML5

Implementing Cisco IOS Network Security

Four Top Emagined Security Services

Internet Management and Measurements Measurements

Transcription:

Network security monitoring working group Jan Vykopal 39th TF-CSIRT meeting, Bucharest, Romania May 24, 2013

Recapitulation September 2012 at the Ljubljana meeting: several teams interested in sharing and discussing methods and tools as a new TF-CSIRT activity May 2013 in tf-csirt@terena.org: several teams still interested Now: discuss goals and format of the working group demo presentation of CSIRT-MU infrastructure, used and developed tools and needs May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 2

Proposal Share best practices Inform about new tools Platform for closer cooperation Short updates by several teams (like Draw of Seven?) Collocated with TF-CSIRT meetings Keep it informal May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 3

CSIRT-MU Team of Masaryk University, located in Brno, Czech Republic Constituency: > 40 000 students, > 4 000 staff ~ 20 000 hosts online every day Four key services: Incident handling Intrusion detection (incl. R&D) Alerts&warnings, announcements Education and training May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 4

Monitoring infrastructure Based on NetFlow monitoring by stand-alone probes (no routers) Two 10 GE probes at uplinks to NREN (CESNET) ~ 20 1 and 10 GE probes within the network (incl. honeypots) Probes connected by TAP (Test access ports) Several NfSen collectors (production, development, for students) ~5 kflows/s, 300 Mflows/day In-house detection tools and plugins for NfSen (Perl, BASH) Monitored by Nagios Low- and high-interaction honeypots Honeyd and virtual machines (collect attempted passwords) Access to sendmail logs Mitigation using Remotely Triggered Black Hole filtering May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 5

Developed and available tools NfSen plugins: RDPMonitor RDP brute-force attacks detection SSHMonitor SSH brute-force attacks detection Honeyscan honeynet monitoring plugin (feeds Team Cymru) Other tools: NfPlugger plugin template generator for NfSen PhiGARo for management and resolution of phishing incidents NetFlow and IPFIX Geolocation Tools Plugins for HTTP Monitoring IPFIX Export Plugin Available at http://www.muni.cz/ics/services/csirt/tools/ and http://www.muni.cz/ics/920232/web/ May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 6

Ongoing work Analysis of flow time series (Holt-Winters prediction) Deploy HTTP monitoring for precise detection of replies to phishing e-mails Visualization IPv4 address space map, parallel coordinate plots DNS requests monitoring (IPFIX) Penetration testing based on NetFlow profiling May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 7

Known tools SSHCure flow-based SSH IDS by University of Twente http://sourceforge.net/projects/sshcure/ IPFIXcol IPFIX flow data collector by CESNET https://www.liberouter.org/ipfixcol/ SURFmap visualizes a geographical dimension to network traffic using Google Maps API http://sourceforge.net/projects/surfmap/ Netflow-indexer indexes the flat file databases used by nfdump/flow-tools http://justinazoff.github.com/netflow-indexer/ Other tools are available at http://sourceforge.net/apps/trac/nfsen-plugins/ May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 8

Possible cooperation We offer: anonymized flow samples for R&D testing of NfSen plugins and other tools in our network We would like to: test our tools in other networks know about your tools and be inspired by your research May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 9

Back to working group What are your expectations and needs? Share best practices Inform about new tools Platform for closer cooperation What is your opinion on the proposed format? Short updates by several teams (like Draw of Seven?) Collocated with TF-CSIRT meetings Keep it informal May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 10

Network security monitoring working group Jan Vykopal http://muni.cz/csirt vykopal@ics.muni.cz May 24, 2013 39th TF-CSIRT meeting, Bucharest, Romania 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information