Traffic Analysis on Juniper SRX’s
Tim Eberhard
BAJUG3
So we have a lot of traffic on our network.
Now what?
Four main ways to look at traffic data on an SRX.
Policy Logs
Live Session Table
Jflow
Packet Captures
Policy Logs
Policy logs-
▪ Typically sent to an external syslog server
▪ Lots and lots of tools to collect syslogs
▪ Easy to parse and easy to read
When does it make sense to use them?
▪ Historical analysis
▪ Policy denies
▪ High level overview over long periods of time
▪ Monitoring for unused rules
Dec 6 13:10:49 SRX220 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.183.1.1/16138->10.194.201.112/9100 None 10.183.1.1/16138->192.168.168.12/9100 None vpn_printer 6 default-permit vpn trust 60756 N/A(N/A) st0.0
Jan 7 12:07:05 SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.100/53906->172.31.100.60/21 junos-ftp 6(0) web_deny trust web-dmz
Dec 6 13:11:20 SRX220RGA RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.183.1.1/16138->10.194.201.112/9100 None 10.183.1.1/16138->192.168.168.12/9100 None vpn_printer 6 default-permit vpn trust 60756 98(78354) 56(2986) 31 N/A(N/A) st0.0
Using STRM to Analyze top talkers for the last 7 days
If you don’t have the funding for something fancy like STRM, Splunk
or my SRX Session Analyzer can parse traffic logs.
Caution: my log analyzer looks like shit compared to STRM.
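The three RT_FLOW messages above carry everything needed for the historical questions in this section: bytes per session come from the SESSION_CLOSE counters, deny counts come from SESSION_DENY, and a policy that never appears in the logs is a candidate unused rule. The parser below is an added example, not the deck's SRX Session Analyzer or any Juniper tool; it assumes the space-separated field order seen in the sample lines (newer Junos releases can also emit structured key=value syslog, which this code does not handle). The two extra log lines after the deck's three are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the deck's three RT_FLOW messages (each on one line) plus two
# lines made up for this example so the aggregation has more than one value to add up.
SAMPLE_LOGS = """\
Dec 6 13:10:49 SRX220 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.183.1.1/16138->10.194.201.112/9100 None 10.183.1.1/16138->192.168.168.12/9100 None vpn_printer 6 default-permit vpn trust 60756 N/A(N/A) st0.0
Jan 7 12:07:05 SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.100/53906->172.31.100.60/21 junos-ftp 6(0) web_deny trust web-dmz
Dec 6 13:11:20 SRX220RGA RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.183.1.1/16138->10.194.201.112/9100 None 10.183.1.1/16138->192.168.168.12/9100 None vpn_printer 6 default-permit vpn trust 60756 98(78354) 56(2986) 31 N/A(N/A) st0.0
Jan 7 12:08:10 SRX5800 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.101/53907->172.31.100.60/23 junos-telnet 6(0) web_deny trust web-dmz
Dec 6 13:12:00 SRX220 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST: 10.1.1.50/40000->172.31.100.60/443 junos-https 10.1.1.50/40000->172.31.100.60/443 None None 6 web-permit trust web-dmz 60800 120(15000) 300(450000) 90 N/A(N/A) ge-0/0/0.0
"""

# Field order is inferred from the sample messages (assumption: the space-separated
# RT_FLOW format of that Junos era). Counters in CLOSE are packets(bytes) per direction.
FLOW = r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
NAT = r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+)"
TAIL = (r" (?P<src_nat_rule>\S+) (?P<dst_nat_rule>\S+) (?P<proto>\d+) (?P<policy>\S+)"
        r" (?P<src_zone>\S+) (?P<dst_zone>\S+) (?P<session_id>\d+)")

PATTERNS = {
    "create": re.compile(r"RT_FLOW_SESSION_CREATE: session created " + FLOW +
                         r" (?P<service>\S+) " + NAT + TAIL +
                         r" (?P<user>\S+) (?P<iface>\S+)$"),
    "deny": re.compile(r"RT_FLOW_SESSION_DENY: session denied " + FLOW +
                       r" (?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\)"
                       r" (?P<policy>\S+) (?P<src_zone>\S+) (?P<dst_zone>\S+)$"),
    "close": re.compile(r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): " + FLOW +
                        r" (?P<service>\S+) " + NAT + TAIL +
                        r" (?P<c_pkts>\d+)\((?P<c_bytes>\d+)\) (?P<s_pkts>\d+)\((?P<s_bytes>\d+)\)"
                        r" (?P<elapsed>\d+) (?P<user>\S+) (?P<iface>\S+)$"),
}


def parse_line(line):
    """Return a dict of fields plus a 'type' key, or None for lines that are not RT_FLOW."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line.strip())
        if m:
            rec = m.groupdict()
            rec["type"] = kind
            return rec
    return None


def summarize(lines):
    """Aggregate top talkers (bytes both directions, from CLOSE), denies per policy,
    and a hit count per policy name across all three message types."""
    bytes_by_src = Counter()
    denies_by_policy = Counter()
    policy_hits = Counter()   # any create/deny/close referencing the policy counts as a hit
    unparsed = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        policy_hits[rec["policy"]] += 1
        if rec["type"] == "close":
            bytes_by_src[rec["src"]] += int(rec["c_bytes"]) + int(rec["s_bytes"])
        elif rec["type"] == "deny":
            denies_by_policy[rec["policy"]] += 1
    return {
        "top_talkers": bytes_by_src.most_common(),
        "bytes_by_src": bytes_by_src,
        "denies_by_policy": denies_by_policy,
        "policy_hits": policy_hits,
        "unparsed": unparsed,
    }


def unused_policies(configured, policy_hits):
    """Configured policy names that never show up in the log window (unused-rule check)."""
    return sorted(p for p in configured if policy_hits[p] == 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS.splitlines())
    print("top talkers:", result["top_talkers"])
    print("denies:", dict(result["denies_by_policy"]))
    print("unused:", unused_policies(["default-permit", "web_deny", "web-permit", "legacy-allow"],
                                     result["policy_hits"]))
```

Only the CLOSE message has byte counters, which is exactly the blind spot the deck raises later: a session that has not closed yet contributes nothing to these totals. Unused-rule detection needs the configured policy list from `show security policies`; the window of logs has to be long enough that a rule which legitimately fires once a month is not flagged.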
Live Session Table
Session Table-
▪ A real time table of current traffic loads
▪ Better filters on the SRX than previously available on the Netscreen
When does it make sense to analyze?
▪ Real time analysis of events
▪ Top talkers, bandwidth hogs, etc.
▪ High level overview of current sessions
How do we parse the session table?
You could use your unix sed, awk, uniq, grep foo… Or you could use the SRX
Session Analyzer.
In 2006 I built a session analyzer for the Netscreen, poorly named NSSA
(Netscreen Session Analyzer). The SRX Session Analyzer is that same idea
created for the SRX platform.
Free and open source, posted on GitHub. Written in Python 3.
Filter top talkers by:
-Source IP
-Dest IP
-Source/Dest port
-Policies
-Protocol, Interfaces
-Packets, Bytes
Why analyze the session table vs looking at policy logs?
-Sessions that are persistent are not recorded to the policy logs.
This means if a session is still open, you have a single log message about it: session create.
Until that session is closed, you have no idea how much traffic it has passed or how long it has
been up. Your session table could be completely different now vs yesterday.
-It’s easy to parse when troubleshooting current loads; it takes just 5-10
minutes to download and analyze.
-Does not include drops or expired sessions. Real time useful data
only.
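The session table fixes the gap just described because every open session carries its own packet and byte counters in both directions. The parser below is an added example and not the SRX Session Analyzer from GitHub; the input is constructed to look like `show security flow session` output on a branch SRX of that era (one `Session ID:` line followed by an `In:` and an `Out:` wing), and the regexes tolerate extra fields such as `State:` or `CP Session ID:` that later releases insert. Top talkers can be keyed by any of the fields the deck lists (source, destination, port, policy, interface), which is the filter list from the previous slide generalised into one function.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show security flow session` (assumption: this is
# the branch-SRX format of the deck's era; field order may differ on other releases).
SESSION_TABLE = """\
Session ID: 60756, Policy name: default-permit/4, Timeout: 1786, Valid
  In: 10.183.1.1/16138 --> 10.194.201.112/9100;tcp, If: st0.0, Pkts: 98, Bytes: 78354
  Out: 192.168.168.12/9100 --> 10.183.1.1/16138;tcp, If: ge-0/0/1.0, Pkts: 56, Bytes: 2986
Session ID: 60801, Policy name: web-permit/7, Timeout: 1800, Valid
  In: 10.10.10.77/51000 --> 172.31.100.60/443;tcp, If: ge-0/0/0.0, Pkts: 40000, Bytes: 52000000
  Out: 172.31.100.60/443 --> 10.10.10.77/51000;tcp, If: ge-0/0/1.0, Pkts: 35000, Bytes: 900000
Session ID: 60802, Policy name: web-permit/7, Timeout: 2, Valid
  In: 10.1.1.100/40001 --> 172.31.100.60/80;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 1800
  Out: 172.31.100.60/80 --> 10.1.1.100/40001;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 9000
Total sessions: 3
"""

SESSION_RE = re.compile(r"Session ID: (?P<id>\d+), Policy name: (?P<policy>\S+)/\d+,.*Timeout: (?P<timeout>\d+)")
WING_RE = re.compile(r"(?P<dir>In|Out): (?P<src>\S+)/(?P<sport>\d+) --> (?P<dst>\S+)/(?P<dport>\d+);(?P<proto>\w+),"
                     r" If: (?P<iface>[^,]+),.*Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")


def parse_session_table(text):
    """Return one dict per session: header fields plus 'in' and 'out' wing dicts."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {"id": int(m["id"]), "policy": m["policy"], "timeout": int(m["timeout"])}
            sessions.append(current)
            continue
        m = WING_RE.search(line)
        if m and current is not None:
            wing = m.groupdict()
            for k in ("sport", "dport", "pkts", "bytes"):
                wing[k] = int(wing[k])
            current[wing.pop("dir").lower()] = wing
    return sessions


def session_bytes(session):
    """Total bytes both directions; a half-open session may have no Out wing yet."""
    return session["in"]["bytes"] + session.get("out", {}).get("bytes", 0)


def top_talkers(sessions, key="src"):
    """Rank sessions by total bytes grouped on a field of the In wing (src, dst, dport,
    iface, proto) or on the session's policy name."""
    totals = Counter()
    for s in sessions:
        if "in" not in s:
            continue
        group = s["policy"] if key == "policy" else s["in"][key]
        totals[group] += session_bytes(s)
    return totals.most_common()


if __name__ == "__main__":
    table = parse_session_table(SESSION_TABLE)
    for key in ("src", "dst", "dport", "policy"):
        print(key, top_talkers(table, key))
```

The session with ID 60801 has not closed, so the syslog approach from the previous section would show nothing for 10.10.10.77 even though it has moved 52 MB; in the live table it is the obvious top talker.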
Jflow
Jflow-
▪ IP traffic sampling
▪ Typically samples a ratio of packets. Not often deployed 1:1
▪ Lots of great tools to parse and analyze
When does it make sense to use Jflow?
▪ Historical analysis
▪ Analyzing traffic patterns
▪ Bandwidth usage
▪ Top talkers real time and historically
Looking back at syslog, here are the top talkers from
syslog traffic logs…
Now looking at top talkers on that same network
with Jflow.
All of a sudden a single address stands out: low session usage but
high bandwidth usage.
We also have the ability to look at the network
from the application layer.
Ignoring that one bandwidth hog…
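The reason Jflow surfaces the bandwidth hog that session counts hide is that each flow record carries its own byte counter, independent of how many sessions the host opened. Jflow version 5 exports use the NetFlow v5 record layout (a 24-byte header and 48-byte records), so a collector can be written with nothing but `struct`. The decoder below is an added example, not Juniper code or any collector mentioned in the deck; the datagram it parses is constructed in the block itself rather than captured from a device, and the flows in it are made up. It also applies the sampling interval from the header, because, as the slide says, Jflow is rarely deployed 1:1 and unscaled counters understate real traffic by that factor.

```python
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

# Constructed flows: (src, dst, dport, packets, octets) as the exporter would count them
# after 1:100 packet sampling. 10.10.10.77 has one flow but by far the most bytes.
SAMPLE_FLOWS = [
    ("10.183.1.1", "10.194.201.112", 9100, 50, 60000),
    ("10.10.10.77", "172.31.100.60", 443, 4000, 6000000),
    ("10.1.1.100", "172.31.100.60", 80, 30, 20000),
    ("10.183.1.1", "192.168.168.12", 9100, 10, 5000),
]


def build_v5_datagram(flows, sampling_interval, mode=1):
    """Fabricate a NetFlow v5 export datagram (test input only; a real exporter sends
    these over UDP). The sampling field packs a 2-bit mode and a 14-bit interval."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1386335449, 0, 1, 0, 0,
                            (mode << 14) | sampling_interval)
    body = b""
    for src, dst, dport, pkts, octets in flows:
        body += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                               1, 2, pkts, octets, 1000, 2000, 40000, dport,
                               0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + body


def parse_v5(datagram):
    """Decode header and records; reject anything that is not a complete v5 export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length (truncated export?)")
    header = {"count": count, "sequence": seq,
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = socket.inet_ntoa(rec[k])
        flows.append(rec)
    return header, flows


def top_talkers(header, flows):
    """Bytes per source scaled by the sampling interval (1 in N packets exported),
    with the flow count per source so a few fat flows are not hidden by many thin ones."""
    scale = header["sampling_interval"] or 1
    bytes_by_src = Counter()
    flows_by_src = Counter()
    for f in flows:
        bytes_by_src[f["srcaddr"]] += f["dOctets"] * scale
        flows_by_src[f["srcaddr"]] += 1
    return [(src, b, flows_by_src[src]) for src, b in bytes_by_src.most_common()]


DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, sampling_interval=100)

if __name__ == "__main__":
    hdr, recs = parse_v5(DATAGRAM)
    for src, total_bytes, nflows in top_talkers(hdr, recs):
        print(f"{src:16} {total_bytes:>12} bytes  {nflows} flows")
```

The length check matters in practice: a collector that trusts `count` and reads past a short datagram will either crash or attribute garbage bytes to a real address. The scaled figures are estimates; with 1:100 sampling a short flow can be missed entirely, which is why the deck still recommends syslog or the session table for session-level questions.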
Packet Captures
Packet Captures-
▪ Only available on the branch SRX’s
▪ Will dump in pcap format
▪ Allows a detailed look at packets passing through the firewall.
▪ Extremely resource intensive
When does it make sense to take a packet capture?
▪ Extremely rarely. Seriously, a last resort.
▪ Troubleshooting application layer
▪ Gathering packet details for IDP signatures
A quick and dirty example-
Set up the packet capture in forwarding-options.
[edit]
user@host# edit forwarding-options packet-capture
[edit forwarding-options packet-capture]
user@host# set file filename mypacketcapture
[edit forwarding-options packet-capture]
user@host# set maximum-capture-size 1500
Set up a firewall filter to match the interesting traffic.
[edit]
user@host# set firewall filter dest-jnet term dest-term from destination-address 207.17.137.239/32
[edit]
user@host# set firewall filter dest-jnet term dest-term then sample accept
[edit]
user@host# set firewall filter dest-jnet term default-permit then accept
[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet filter output dest-jnet
Enable sampling on the interface. You can do input, output or both.
[edit]
user@host# edit interfaces ge-0/0/0 unit 0 family inet
[edit interfaces ge-0/0/0 unit 0 family inet]
user@host# set sampling input output
Packet captures are stored in /var/tmp
user@host> file list /var/tmp/ | match mypacketcapture*
mypacketcapture.ge-0.0.0