4 posts categorized "Metadata" Feed

A real business need for network traffic analysis: File activity monitoring (by Darragh Delaney)

A real business need for network traffic analysis: File activity monitoring

For many people network traffic analysis is seen as a troubleshooting tool, something for the packet experts who spend their time in Wireshark. However, network packets are an excellent source of user and application metadata.

Metadata can be defined as the human readable portions of the network packets. Filenames, web domains, SQL queries, and IP addresses are examples. While you can extract this metadata using tools like Wireshark, it can be a struggle if you are aiming to capture traffic just by packets.


Server Messaging block (SMB) and Network File System (NFS) are two most popular protocols for accessing files and folders on network shares. SMB is typically used on networks with Windows clients and NFS is typically used by non-Windows operating systems, such as Linux. While SMB can support encryption, most implementations are not configured to use this.

Are log files enough?

It is possible to enable file activity auditing on a Windows fileserver. However, you must specify what folders to monitor and it will generate thousands of events and so is not scaleable.  The data from these logs could be fed into a SIEM. SIEMs also have limitations, starting with the fact they are only as good as the log events being fed. If the log records are incomplete or someone disables logging, then you lose your audit trail.

A common issue I come across is systems such as NAS servers do not have native logging options. They are designed to serve up large quantities of files and folders securely. Auditing and logging can slow these systems down which means most will not have auditing capabilities.

Log files will also miss security type information such as clients using SMBv1 or the ability to generate an alert if a client suddenly started to rename large numbers of files. This can be the sign of Ransomware activity.

Capturing SMB or NFS metadata from network traffic


Continue reading "A real business need for network traffic analysis: File activity monitoring (by Darragh Delaney)" »

How to easily detect SMBv1 scanning by using your traffic! ( by John Bronson)

How to easily detect SMBv1 scanning by using traffic visibility?

SMB Exploitation is an easy way to take control of a Network! - Read how to easily see this attack method!

NetFort has always believed in the visibility that can be extracted from wire data, basic network traffic analysis or deep packet inspection. Every device, user, and application on the network leaves a trail, always. No need to turn it ON, this vendor agnostic trail can easily be captured on any network and used for many security and operational use cases. Look at Wireshark and how strong the community is, it continues to grow from strength to strength. Of course, one of the main reasons is that all the people involved are passionate about network data traffic and really care about what they do. 

The traffic analysis engine should do as much of the heavy lifting as possible, to initially present it at a high level so one can see anomalies, make the network traffic data easier to store, query, search, read, analyse, correlate, and act on. This is what we help our customers do with traffic at NetFort. 

One of our core building blocks is the ability to generate metadata for easy visibility!

Building blocks to Metadata

We have a number of application ‘decoders’, stateful followers that generate application specific metadata.  The complexity of the decoder depends on the application, some for example including SMB and NFS are not trivial.

Fingerprinting, reassembly, metadata extraction and storage, all in real time is not easy. We have worked hard on these to get them reliable and to perform at scale. But, as a result, we now have a robust scalable unique engine ideal for many use cases proven on many diverse customer networks. The decoders have also helped us grow because they help organisations of all sizes (including central and local government, utilities, legal, education and the military) address various vulnerabilities including those found in implementations of Server Message Block 1.0. Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.

Read more on "How to detect SMB exploitation!" - 

Continue reading "How to easily detect SMBv1 scanning by using your traffic! ( by John Bronson)" »

Metadata - We all need it now! (by Darragh Delaney)

Metadata – we all need it now!

Not so long ago, flow analysis was one of the tools of choice when it came to troubleshooting security or operational problems on networks. Many vendors developed tools which could take these flow records and store them in a data base, so that you could get real-time and historical reports.

However, metadata analysis is now seen as the must have pieces of technology for keeping modern networks running both securely and efficiently. Metadata analysis systems typically use network traffic or packets as a data source. You can typically source these via SPAN, mirror ports or TAPs. The clever part of metadata analysis involves data reduction. This is where you take raw network traffic and capture interesting pieces of data like IP addresses, website names or filenames. In some instances, you end up with a 4000:1 compression ratio. For example, if I transfer a 4MB file across the network, I may capture 1KB of metadata.

See your network

The screen shot below from our own (NetFort) LANGuardian system is a good example of this data reduction.


Continue reading "Metadata - We all need it now! (by Darragh Delaney)" »

Harvesting Metadata From Network Traffic (by Darragh Delaney)

Harvesting Metadata From Network Traffic

Every day I work on all sorts of modern and cutting edge technologies and I love learning about new stuff. I think I can trace this back to growing up on a farm, there was always something to fix or take apart. In spite of the perception that some people have of the agricultural sector, today's farms rely on huge amounts of technology and data analytics. Here in Ireland the harvest season has come to an end and we are all getting ready for the cooler temperatures of autumn.


Harvest machinery has been serviced and parked up for another year including one of my favorites, the combine harvester. I spend hours on YouTube learning about the latest models and what goes on behind the scenes. For centuries they have been a vital cog in the global food chain. The theory behind them is simple, gather raw material up front and pass it through different filters and separators which allows us to extract the valuable grain which we can then use. The basics have remained the same over the years but the size of the machines has increased as we demand more efficiency and larger harvests.

But how, you may ask how is this combine machine connected to metadata and network traffic?

Continue reading "Harvesting Metadata From Network Traffic (by Darragh Delaney)" »