Joe McManus

Moab, Utah, United States
4K followers 500+ connections

Publications

  • Automating Packet Analysis with Python

    Linux Pro Magazine

    Learn how to automate and visualize packet data using Python.

  • Using Net Flow Data for Incident Response

    Forensics Innovation Conference

    With large enterprise investigations, packet capture does not scale well. Beyond issues of personally identifiable information (PII), packet capture suffers from storage and analysis problems. NetFlow data is a solution to this problem. Requiring only 3% of the storage space of pcap data, NetFlow can be collected and stored for incident analysis. NetFlow analysis increases situational awareness with a no/low-cost deployment.

    Common network hardware supports NetFlow or IPFIX flow data export, and open source tools can be used for analysis. In this session we will go over the installation and common analysis techniques from real-world investigations.

  • Using Python for Advanced Vulnerability and Penetration Testing

    Forensics Innovation Conference

    Automated tools have their place in a security professional's toolbox. However, advanced web applications often return false negatives when tested with these tools. By using Python and Scapy we can perform advanced testing and repeatable automated monitoring.

  • Log Analysis for Incident Response

    Forensics Innovation Conference

    The Log Analysis Tool Kit (LATK) version is a collection of command line and web-based tools for use in incident response and long-term analysis of web server and proxy server log data. LATK can detect beaconing traffic in proxy logs and SQL injection, and XSS attempts in web server logs. Often when responding to a security incident, the only files available are web server and proxy server logs. LATK will aid you in detecting odd traffic, such as botnet beaconing and SQL injection attempts. The data available in these files can be overwhelming, but the tools in LATK can be used to parse these files and build a MySQL database for querying.

  • Deploying Large Scale Flow Detection Systems

    CERT/FloCon

    NetFlow is an amazing open source technology. However, design and deployment of the collection systems can be cumbersome. This talk at FloCon went over the deployment issues and the steps involved.
