Network Profiling Using Flow
• Technical Report
Publisher
Software Engineering Institute
CMU/SEI Report Number
CMU/SEI-2012-TR-006Topic or Tag
Abstract
This report provides a step-by-step guide for profiling—discovering public-facing assets on a network—using network flow (netflow) data. Netflow data can be used for forensic purposes, for finding malicious activity, and for determining appropriate prioritization settings. The goal of this report is to create a profile to see a potential attacker’s view of an external network. Readers will learn how to choose a data set, find the top assets and services with the most traffic on the network, and profile several services. A case study provides an example of the profiling process. The underlying concepts of using netflow data are presented so that readers can apply the approach to other cases. A reader using this report to profile a network can expect to end with a list of public-facing assets and the ports on which each is communicating and may also learn other pertinent information, such as external IP addresses, to which the asset is connecting. This report also provides ideas for using, maintaining, and reporting on findings. The appendices include an example profile and scripts for running the commands in the report. The scripts are a summary only and cannot replace reading and understanding this report.
Listen to the podcast from CERT's Podcast Series about this report.
Cite This Technical Report
Whisnant, A., & Faber, S. (2012, August 1). Network Profiling Using Flow. (Technical Report CMU/SEI-2012-TR-006). Retrieved November 24, 2024, from https://insights.sei.cmu.edu/library/network-profiling-using-flow/.
@techreport{whisnant_2012,
author={Whisnant, Austin and Faber, Sid},
title={Network Profiling Using Flow},
month={{Aug},
year={{2012},
number={{CMU/SEI-2012-TR-006},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://insights.sei.cmu.edu/library/network-profiling-using-flow/},
note={Accessed: 2024-Nov-24}
}
Whisnant, Austin, and Sid Faber. "Network Profiling Using Flow." (CMU/SEI-2012-TR-006). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, August 1, 2012. https://insights.sei.cmu.edu/library/network-profiling-using-flow/.
A. Whisnant, and S. Faber, "Network Profiling Using Flow," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2012-TR-006, 1-Aug-2012 [Online]. Available: https://insights.sei.cmu.edu/library/network-profiling-using-flow/. [Accessed: 24-Nov-2024].
Whisnant, Austin, and Sid Faber. "Network Profiling Using Flow." (Technical Report CMU/SEI-2012-TR-006). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Aug. 2012. https://insights.sei.cmu.edu/library/network-profiling-using-flow/. Accessed 24 Nov. 2024.
Whisnant, Austin; & Faber, Sid. Network Profiling Using Flow. CMU/SEI-2012-TR-006. Software Engineering Institute. 2012. https://insights.sei.cmu.edu/library/network-profiling-using-flow/