Applied Network Security Monitoring

Book Description

Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach to NSM, complete with dozens of real-world examples that teach you the key concepts of NSM.

Network security monitoring is based on the principle that prevention eventually fails. In the current threat landscape, no matter how much you try, motivated attackers will eventually find their way into your network. At that point, it is your ability to detect and respond to that intrusion that can be the difference between a small incident and a major disaster.

The book follows the three stages of the NSM cycle: collection, detection, and analysis. As you progress through each section, you will have access to insights from seasoned NSM professionals while being introduced to relevant, practical scenarios complete with sample data.

If you've never performed NSM analysis, Applied Network Security Monitoring will give you an adequate grasp of the core concepts needed to become an effective analyst. If you are already a practicing analyst, this book will allow you to grow your analytic technique and make you more effective at your job.
  • Discusses the proper methods for data collection, and teaches you how to become a skilled NSM analyst
  • Provides thorough hands-on coverage of Snort, Suricata, Bro-IDS, SiLK, and Argus
  • Loaded with practical examples containing real PCAP files you can replay, and uses Security Onion for all its lab examples
  • Companion website includes up-to-date blogs from the authors about the latest developments in NSM

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Acknowledgements
  7. About the Authors
    1. Chris Sanders, Lead Author
    2. Jason Smith, Co-Author
    3. David J. Bianco, Contributing Author
    4. Liam Randall, Contributing Author
  8. Foreword
  9. Preface
    1. Audience
    2. Prerequisites
    3. Concepts and Approach
    4. IP Address Disclaimer
    5. Companion Website
    6. Charitable Support
    7. Contacting Us
  10. Chapter 1. The Practice of Applied Network Security Monitoring
    1. Abstract
    2. Key NSM Terms
    3. Intrusion Detection
    4. Network Security Monitoring
    5. Vulnerability-Centric vs. Threat-Centric Defense
    6. The NSM Cycle: Collection, Detection, and Analysis
    7. Challenges to NSM
    8. Defining the Analyst
    9. Security Onion
    10. Conclusion
  11. Section 1: Collection
    1. Chapter 2. Planning Data Collection
      1. Abstract
      2. The Applied Collection Framework (ACF)
      3. Case Scenario: Online Retailer
      4. Conclusion
    2. Chapter 3. The Sensor Platform
      1. Abstract
      2. NSM Data Types
      3. Sensor Type
      4. Sensor Hardware
      5. Sensor Operating System
      6. Sensor Placement
      7. Securing the Sensor
      8. Conclusion
    3. Chapter 4. Session Data
      1. Abstract
      2. Flow Records
      3. Collecting Session Data
      4. Collecting and Analyzing Flow Data with SiLK
      5. Collecting and Analyzing Flow Data with Argus
      6. Session Data Storage Considerations
      7. Conclusion
    4. Chapter 5. Full Packet Capture Data
      1. Abstract
      2. Dumpcap
      3. Daemonlogger
      4. Netsniff-NG
      5. Choosing the Right FPC Collection Tool
      6. Planning for FPC Collection
      7. Decreasing the FPC Data Storage Burden
      8. Managing FPC Data Retention
      9. Conclusion
    5. Chapter 6. Packet String Data
      1. Abstract
      2. Defining Packet String Data
      3. PSTR Data Collection
      4. Viewing PSTR Data
      5. Conclusion
  12. Section 2: Detection
    1. Chapter 7. Detection Mechanisms, Indicators of Compromise, and Signatures
      1. Abstract
      2. Detection Mechanisms
      3. Indicators of Compromise and Signatures
      4. Managing Indicators and Signatures
      5. Indicator and Signature Frameworks
      6. Conclusion
    2. Chapter 8. Reputation-Based Detection
      1. Abstract
      2. Public Reputation Lists
      3. Automating Reputation-Based Detection
      4. Conclusion
    3. Chapter 9. Signature-Based Detection with Snort and Suricata
      1. Abstract
      2. Snort
      3. Suricata
      4. Changing IDS Engines in Security Onion
      5. Initializing Snort and Suricata for Intrusion Detection
      6. Configuring Snort and Suricata
      7. IDS Rules
      8. Viewing Snort and Suricata Alerts
      9. Conclusion
    4. Chapter 10. The Bro Platform
      1. Abstract
      2. Basic Bro Concepts
      3. Running Bro
      4. Bro Logs
      5. Creating Custom Detection Tools with Bro
      6. Conclusion
    5. Chapter 11. Anomaly-Based Detection with Statistical Data
      1. Abstract
      2. Top Talkers with SiLK
      3. Service Discovery with SiLK
      4. Furthering Detection with Statistics
      5. Visualizing Statistics with Gnuplot
      6. Visualizing Statistics with Google Charts
      7. Visualizing Statistics with Afterglow
      8. Conclusion
    6. Chapter 12. Using Canary Honeypots for Detection
      1. Abstract
      2. Canary Honeypots
      3. Types of Honeypots
      4. Canary Honeypot Architecture
      5. Honeypot Platforms
      6. Conclusion
  13. Section 3: Analysis
    1. Chapter 13. Packet Analysis
      1. Abstract
      2. Enter the Packet
      3. Packet Math
      4. Dissecting Packets
      5. Tcpdump for NSM Analysis
      6. TShark for Packet Analysis
      7. Wireshark for NSM Analysis
      8. Packet Filtering
      9. Conclusion
    2. Chapter 14. Friendly and Threat Intelligence
      1. Abstract
      2. The Intelligence Cycle for NSM
      3. Generating Friendly Intelligence
      4. Generating Threat Intelligence
      5. Conclusion
    3. Chapter 15. The Analysis Process
      1. Abstract
      2. Analysis Methods
      3. Analysis Best Practices
      4. Incident Morbidity and Mortality
      5. Conclusion
  14. Appendix 1. Security Onion Control Scripts
    1. High Level Commands
    2. Server Control Commands
    3. Sensor Control Commands
  15. Appendix 2. Important Security Onion Files and Directories
    1. Application Directories and Configuration Files
    2. Sensor Data Directories
  16. Appendix 3. Packet Headers
  17. Appendix 4. Decimal / Hex / ASCII Conversion Chart
  18. Index