The OSU Flow-tools Package and Cisco NetFlow Logs
Steve Romig - Ohio State University
Mar 21, 2001
AbstractMany Cisco routers and switches support NetFlow services which provides a detailed source of data about network traffic. The Office of Information Technology Enterprise Networking Services group (OIT/ENS) at The Ohio State University (OSU) has written a suite of tools called flow-tools to record, filter, print and analyze flow logs derived from exports of NetFlow accounting records. We use the flow logs for general network planning, performance monitoring, usage based billing, and many security related tasks including incident response and intrusion detection. I'll describe in more detail what the flow logs contain, the tools we have written to store and process these logs, and I'll discuss how we have used the logs and the tools to perform network management and security functions at OSU. I will also discuss some related projects and our future plans.
As an added bonus, I'll also give a demo of a quake session that was reconstructed from a tcpdump log from an investigation 4 years ago...don't miss it!
About the SpeakerSteve Romig in charge of the Ohio State University Incident Response Team, which provides incident response assistance, training, consulting, and security auditing service for The Ohio State University community. He is also working with a group of people from Central Ohio businesses to improve internet security response and practices in the Ohio area. Steve received his Bachelor\'s degree in Math (Computer Science Track) from Carnegie Mellon University in 1983. In years past Steve has worked as lead UNIX system administrator at one site with 40,000 users and 12 hosts and another site with 3,000 users and over 500 hosts. You can reach him by phone at 1-614-688-3412 (we\'re in GMT-0400/0500, I\'m generally in the office \"for sure\" between 10 AM and 6 PM) or by email at email@example.com.
Most recently Steve has been working on tools to make it easier to investigate network related evidence of computer security incidents, such as the Review package for viewing the contents of tcpdump logs, and the Netflow package from Mark Fullmer for looking at Cisco net flow logs.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.