Flows Slides

The document provides an overview of network flows, defining them as records of network activity that capture specific traffic details without full packet inspection. It discusses flow properties, collection types, and the importance of raw flows in identifying tunneling and other network activities. Additionally, it includes a demo on investigating a port-scan attack using QRadar's features.

Uploaded by

jidis55182
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
9 views15 pages

Flows Slides

The document provides an overview of network flows, defining them as records of network activity that capture specific traffic details without full packet inspection. It discusses flow properties, collection types, and the importance of raw flows in identifying tunneling and other network activities. Additionally, it includes a demo on investigating a port-scan attack using QRadar's features.

Uploaded by

jidis55182
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Flows

Ricardo Reimao, OSCP, CISSP
Cybersecurity Consultant

The ultimate source of truth

Module Overview
- Understand the basic concepts around flows
- What are the main flow properties
- Demo: Investigating a port-scan attack using the QRadar search features
What Is a Flow?

"A record of network activity that can last for seconds, minutes, hours or days."
- Details of one specific traffic exchange
- Not full packet inspection, but keeps the initial packets

Examples of a flow:
- A user requesting a website
- A user streaming a movie
- An authentication request to a remote SSH server
What Is In a Flow?
- Source and destination
- Ports
- Protocol
- Flow size
- Timestamp
- Partial data


Flow Collection Types

Network Listening:
- Raw flow received by QRadar
- Information is normalized
- Initial packets captured
- Information is stored
- Examples: network taps, SPAN ports

Flow Information Forwarding:
- Flows are generated by a network device and forwarded to QRadar
- QRadar parses/normalizes the flow
- Information is stored
- Examples: NetFlow, J-Flow, sFlow
Importance of Raw Flows
- Contains the original information transmitted
- May contain details of the traffic
  - URLs, usernames, etc.
- Can be used to identify tunneling
  - Using one protocol to transmit other information
  - Example: Using the HTTP protocol to access an SSH server
Flow Properties: Timestamps
- First Packet Time: time the flow started
- Last Packet Time: time the flow finished
- Storage Time: time the flow was processed and stored on disk
[[PLACEHOLDER FOR QUICK DEMO SHOWING THE FLOW SCREEN AND FLOW DETAILS]]
Flow Search and Visualization: Port Scan

[[PLACEHOLDER FOR DEMO
Show everything in the flow tab:
- Scenario: Identifying a port-scan attack
- Real Time View
- Time Filters
- Quick Filters
- Other Filters
- Right-click functionalities and plugins
- Searching an event
- Advanced Search
- Saving a Search
- Exporting search results (export formats, raw and normalized)]]
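The port-scan pattern the demo above investigates and the SSH-over-HTTP tunnelling case from the raw-flows slide, as an added Python example that is not part of the original slides or of QRadar: it runs both checks over constructed flow records (hypothetical addresses, ports and times) that carry the flow properties listed earlier, and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def flow(src, dst, dport, first, payload=b"", proto="tcp", nbytes=64, last=None):
    """Build one flow record with the properties the slides list: source and destination,
    ports, protocol, flow size, first/last packet timestamps and the captured initial data."""
    return {"src": src, "dst": dst, "sport": 40000, "dport": dport, "proto": proto,
            "bytes": nbytes, "first": first, "last": last or first, "payload": payload}

# Constructed sample flows (hypothetical addresses and times, not data from the slides).
FLOWS = [
    # 12 tiny TCP flows from one host to 12 different ports of one target inside 30 s.
    *[flow("10.0.0.5", "10.0.0.20", port, f"2024-01-01T10:00:{2 * i:02d}")
      for i, port in enumerate(range(20, 32))],
    # Ordinary HTTPS browsing: one destination port, TLS ClientHello in the first packet.
    flow("10.0.0.7", "203.0.113.9", 443, "2024-01-01T10:01:00", b"\x16\x03\x01"),
    # SSH carried over the HTTP port: the slides' tunnelling example.
    flow("10.0.0.8", "203.0.113.10", 80, "2024-01-01T10:02:00", b"SSH-2.0-OpenSSH_9.6\r\n"),
]

def find_port_scans(flows, min_ports=10, window=timedelta(seconds=60)):
    """Map (src, dst) -> distinct destination ports for pairs where one source reaches at
    least `min_ports` distinct ports on one host within `window` of first-packet time."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append((datetime.fromisoformat(f["first"]), f["dport"]))
    scans = {}
    for pair, events in by_pair.items():
        events.sort()
        in_window, left = Counter(), 0          # sliding window over time-ordered flows
        for ts, port in events:
            in_window[port] += 1
            while ts - events[left][0] > window:   # drop flows older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                scans[pair] = sorted(in_window)
                break
    return scans

def find_tunneling(flows, http_ports=(80, 8080)):
    """Flag TCP flows whose destination port says HTTP but whose captured initial packets
    carry an SSH banner. Needs raw flows: forwarded NetFlow-style records have no payload."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if f["proto"] == "tcp" and f["dport"] in http_ports
            and f["payload"].startswith(b"SSH-")]
```

Thresholds such as ten ports in sixty seconds are starting points to tune against the network's own baseline.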
Summary
- What a flow is and what it contains
- The main collection types
- Several demos
  - Network tab overview and port scan investigation

Next up: Offenses
