analyst security skill risk: medium

NetFlow Security Anomaly Analyzer

Instructs on installing netflow, collecting and parsing NetFlow v9/IPFIX data, analyzing flows for port scanning, data exfiltration, C2 beaconing and volumetric anomalies, then gen…

External action: low

SKILL 4 files · 2 folders

SKILL.md

Download

---
name: analyzing-network-flow-data-with-netflow
description: "Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing"
---
# Analyzing Network Flow Data with Netflow


## When to Use

- When investigating security incidents that require analyzing network flow data with netflow
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with network security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

1. Install dependencies: `pip install netflow`
2. Collect NetFlow/IPFIX data from routers or use the built-in collector: `python -m netflow.collector -p 9995`
3. Parse captured flow data using `netflow.parse_packet()`.
4. Analyze flows for:
   - Port scanning: single source to many destinations on same port
   - Data exfiltration: high byte-count outbound flows to unusual destinations
   - C2 beaconing: periodic connections with consistent intervals
   - Volumetric anomalies: traffic spikes beyond baseline thresholds
5. Generate a prioritized findings report.

```bash
python scripts/agent.py --flow-file captured_flows.json --output netflow_report.json
```

## Examples

### Parse NetFlow v9 Packet
```python
import netflow
data, _ = netflow.parse_packet(raw_bytes, templates={})
for flow in data.flows:
    print(flow.IPV4_SRC_ADDR, flow.IPV4_DST_ADDR, flow.IN_BYTES)
```

REQUIRED CONTEXT

NetFlow v9 or IPFIX flow data

OPTIONAL CONTEXT

Python environment
router collector access

EXPECTED OUTPUT

Format

markdown

Constraints

include prioritized findings report
follow numbered analysis steps

SUCCESS CRITERIA

Parse NetFlow/IPFIX data
Detect port scanning, data exfiltration, C2 beaconing and volumetric anomalies
Generate a prioritized findings report

EXAMPLES

Includes one example of parsing a NetFlow v9 packet using netflow.parse_packet().

CAVEATS

Dependencies

Familiarity with network security concepts and tools
Access to a test or lab environment
Python 3.8+ with required dependencies installed
Appropriate authorization for testing

Missing context

Exact output format or schema for the report
Definition of thresholds or heuristics for anomalies

Ambiguities

Does not specify desired output length or format for the 'prioritized findings report'.
'unusual destinations' and 'baseline thresholds' are undefined.

QUALITY

OVERALL: 0.72
CLARITY: 0.85
SPECIFICITY: 0.65
REUSABILITY: 0.60
COMPLETENESS: 0.70

IMPROVEMENT SUGGESTIONS

Add a required 'Output Format' section specifying JSON schema or report structure.
Replace vague phrases like 'unusual destinations' with explicit criteria or configurable parameters.

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.