3 posts categorized "Metadata" Feed

How to easily detect SMBv1 scanning by using your traffic! ( by John Bronson)

How to easily detect SMBv1 scanning by using traffic visibility?

SMB Exploitation is an easy way to take control of a Network! - Read how to easily see this attack method!

NetFort has always believed in the visibility that can be extracted from wire data, basic network traffic analysis or deep packet inspection. Every device, user, and application on the network leaves a trail, always. No need to turn it ON, this vendor agnostic trail can easily be captured on any network and used for many security and operational use cases. Look at Wireshark and how strong the community is, it continues to grow from strength to strength. Of course, one of the main reasons is that all the people involved are passionate about network data traffic and really care about what they do. 

The traffic analysis engine should do as much of the heavy lifting as possible, to initially present it at a high level so one can see anomalies, make the network traffic data easier to store, query, search, read, analyse, correlate, and act on. This is what we help our customers do with traffic at NetFort. 

One of our core building blocks is the ability to generate metadata for easy visibility!

Building blocks to Metadata

We have a number of application ‘decoders’, stateful followers that generate application specific metadata.  The complexity of the decoder depends on the application, some for example including SMB and NFS are not trivial.

Fingerprinting, reassembly, metadata extraction and storage, all in real time is not easy. We have worked hard on these to get them reliable and to perform at scale. But, as a result, we now have a robust scalable unique engine ideal for many use cases proven on many diverse customer networks. The decoders have also helped us grow because they help organisations of all sizes (including central and local government, utilities, legal, education and the military) address various vulnerabilities including those found in implementations of Server Message Block 1.0. Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.

Read more on "How to detect SMB exploitation!" - 

Continue reading "How to easily detect SMBv1 scanning by using your traffic! ( by John Bronson)" »

Metadata - We all need it now! (by Darragh Delaney)

Metadata – we all need it now!

Not so long ago, flow analysis was one of the tools of choice when it came to troubleshooting security or operational problems on networks. Many vendors developed tools which could take these flow records and store them in a data base, so that you could get real-time and historical reports.

However, metadata analysis is now seen as the must have pieces of technology for keeping modern networks running both securely and efficiently. Metadata analysis systems typically use network traffic or packets as a data source. You can typically source these via SPAN, mirror ports or TAPs. The clever part of metadata analysis involves data reduction. This is where you take raw network traffic and capture interesting pieces of data like IP addresses, website names or filenames. In some instances, you end up with a 4000:1 compression ratio. For example, if I transfer a 4MB file across the network, I may capture 1KB of metadata.

See your network

The screen shot below from our own (NetFort) LANGuardian system is a good example of this data reduction.


Continue reading "Metadata - We all need it now! (by Darragh Delaney)" »

Harvesting Metadata From Network Traffic (by Darragh Delaney)

Harvesting Metadata From Network Traffic

Every day I work on all sorts of modern and cutting edge technologies and I love learning about new stuff. I think I can trace this back to growing up on a farm, there was always something to fix or take apart. In spite of the perception that some people have of the agricultural sector, today's farms rely on huge amounts of technology and data analytics. Here in Ireland the harvest season has come to an end and we are all getting ready for the cooler temperatures of autumn.


Harvest machinery has been serviced and parked up for another year including one of my favorites, the combine harvester. I spend hours on YouTube learning about the latest models and what goes on behind the scenes. For centuries they have been a vital cog in the global food chain. The theory behind them is simple, gather raw material up front and pass it through different filters and separators which allows us to extract the valuable grain which we can then use. The basics have remained the same over the years but the size of the machines has increased as we demand more efficiency and larger harvests.

But how, you may ask how is this combine machine connected to metadata and network traffic?

Continue reading "Harvesting Metadata From Network Traffic (by Darragh Delaney)" »