The Practice of Network Security Monitoring

Dedication
Foreword
Preface
  Audience
  Prerequisites
  A Note on Software and Protocols
  Scope
  Acknowledgments
  Disclaimer

I. Getting Started

  1. Network Security Monitoring Rationale
    An Introduction to NSM
      Does NSM Prevent Intrusions?
      What Is the Difference Between NSM and Continuous Monitoring?
      How Does NSM Compare with Other Approaches?
      Why Does NSM Work?
      How NSM Is Set Up
        Installing a Tap
      When NSM Won't Work
      Is NSM Legal?
      How Can You Protect User Privacy During NSM Operations?
    A Sample NSM Test
    The Range of NSM Data
      Full Content Data
        Reviewing a Data Summary
        Inspecting Packets
        Using a Graphical Tool to View the Traffic
      Extracted Content Data
      Session Data
      Transaction Data
      Statistical Data
      Metadata
      Alert Data
    What's the Point of All This Data?
    NSM Drawbacks
    Where Can I Buy NSM?
    Where Can I Go for Support or More Information?
    Conclusion

  2. Collecting Network Traffic: Access, Storage, and Management
    A Sample Network for a Pilot NSM System
      Traffic Flow in a Simple Network
      Possible Locations for NSM
    IP Addresses and Network Address Translation
      Net Blocks
      IP Address Assignments
      Address Translation
        Network Address Translation
        Address Translation in Wireless and Internal Networks
    Choosing the Best Place to Obtain Network Visibility
      Location for DMZ Network Traffic
      Locations for Viewing the Wireless and Internal Network Traffic
    Getting Physical Access to the Traffic
      Using Switches for Traffic Monitoring
      Using a Network Tap
      Capturing Traffic Directly on a Client or Server
    Choosing an NSM Platform
    Ten NSM Platform Management Recommendations
    Conclusion

II. Security Onion Deployment

  3. Stand-alone NSM Deployment and Installation
    Stand-alone or Server Plus Sensors?
    Choosing How to Get SO Code onto Hardware
    Installing a Stand-alone System
      Installing SO to a Hard Drive
      Configuring SO Software
      Choosing the Management Interface
      Installing the NSM Software Components
      Checking Your Installation
    Conclusion

  4. Distributed Deployment
    Installing an SO Server Using the SO .iso Image
      SO Server Considerations
      Building Your SO Server
      Configuring Your SO Server
    Installing an SO Sensor Using the SO .iso Image
      Configuring the SO Sensor
      Completing Setup
      Verifying that the Sensors Are Working
      Verifying that the Autossh Tunnel Is Working
    Building an SO Server Using PPAs
      Installing Ubuntu Server as the SO Server Operating System
      Choosing a Static IP Address
      Updating the Software
      Beginning MySQL and PPA Setup on the SO Server
      Configuring Your SO Server via PPA
    Building an SO Sensor Using PPAs
      Installing Ubuntu Server as the SO Sensor Operating System
      Configuring the System as a Sensor
      Running the Setup Wizard
    Conclusion

  5. SO Platform Housekeeping
    Keeping SO Up-to-Date
      Updating via the GUI
      Updating via the Command Line
    Limiting Access to SO
      Connecting via a SOCKS Proxy
      Changing the Firewall Policy
    Managing SO Data Storage
      Managing Sensor Storage
      Checking Database Drive Usage
      Managing the Sguil Database
      Tracking Disk Usage
    Conclusion

III. Tools

  6. Command Line Packet Analysis Tools
    SO Tool Categories
      SO Data Presentation Tools
        Packet Analysis Tools
        NSM Consoles
      SO Data Collection Tools
      SO Data Delivery Tools
    Running Tcpdump
      Displaying, Writing, and Reading Traffic with Tcpdump
      Using Filters with Tcpdump
        Applying Filters
        Some Common Filters
      Extracting Details from Tcpdump Output
      Examining Full Content Data with Tcpdump
    Using Dumpcap and Tshark
      Running Tshark
      Running Dumpcap
      Running Tshark on Dumpcap's Traffic
      Using Display Filters with Tshark
      Tshark Display Filters in Action
    Running Argus and the Ra Client
      Stopping and Starting Argus
      The Argus File Format
      Examining Argus Data
    Conclusion

  7. Graphical Packet Analysis Tools
    Using Wireshark
      Running Wireshark
      Viewing a Packet Capture in Wireshark
      Modifying the Default Wireshark Layout
        Modifying the Layout Using the GUI
        Modifying the Preferences File
      Some Useful Wireshark Features
        Viewing Lower-Level Protocol Features in Detail
        Omitting Traffic to See Remnants
        Following Streams
        Setting the Protocol Decode Method with Decode As
        Following Other Streams
    Using Xplico
      Running Xplico
      Creating Xplico Cases and Sessions
      Processing Network Traffic
      Understanding the Decoded Traffic
      Getting Metadata and Summarizing Traffic
    Examining Content with NetworkMiner
      Running NetworkMiner
      Collecting and Organizing Traffic Details
      Rendering Content
    Conclusion

  8. NSM Consoles
    An NSM-centric Look at Network Traffic
    Using Sguil
      Running Sguil
      Sguil's Six Key Functions
        Simple Aggregation
        Metadata and Related Data
        Querying Alert Data in Sguil
        Querying Session Data in Sguil
        Pivoting to Full Content Data
        Categorizing Alert Data
    Using Squert
    Using Snorby
    Using ELSA
    Conclusion

IV. NSM in Action

  9. NSM Operations
    The Enterprise Security Cycle
      The Planning Phase
      The Resistance Phase
      The Detection and Response Phases
    Collection, Analysis, Escalation, and Resolution
      Collection
        Technical Sources
        Nontechnical Sources
      Analysis
        Intrusions and Incidents
        Event Classification
      Escalation
        Documentation of Incidents
        Notification of Incidents
        Incident Communication Considerations
      Resolution
        Containment Techniques
        Speed of Containment
    Remediation
      Using NSM to Improve Security
      Building a CIRT
    Conclusion

  10. Server-side Compromise
    Server-side Compromise Defined
    Server-side Compromise in Action
      Starting with Sguil
      Querying Sguil for Session Data
      Returning to Alert Data
      Reviewing Full Content Data with Tshark
      Understanding the Backdoor
      What Did the Intruder Do?
        Initial Access
        Enumerating the Victim
        Accessing Credentials
      What Else Did the Intruder Do?
        Exploring the Session Data
          Searching Bro DNS Logs
          Searching Bro SSH Logs
          Searching Bro FTP Logs
          Decoding the Theft of Sensitive Data
          Extracting the Stolen Archive
      Stepping Back
        Summarizing Stage 1
        Summarizing Stage 2
        Next Steps
    Conclusion

  11. Client-side Compromise
    Client-side Compromise Defined
    Client-side Compromise in Action
      Getting the Incident Report from a User
      Starting Analysis with ELSA
        Querying for the IP Address
        Checking the Bro HTTP Log
        Checking Snort Alerts
        Searching for Other Activity
      Looking for Missing Traffic
        Analyzing the Bro dns.log File
        Checking Destination Ports
        Examining the Command-and-Control Channel
          Initial Access
          Improving the Shell
          Summarizing Stage 1
          Pivoting to a Second Victim
          Installing a Covert Tunnel
          Enumerating the Victim
          Summarizing Stage 2
    Conclusion

  12. Extending SO
    Using Bro to Track Executables
      Hashing Downloaded Executables with Bro
      Submitting a Hash to VirusTotal
    Using Bro to Extract Binaries from Traffic
      Configuring Bro to Extract Binaries from Traffic
      Collecting Traffic to Test Bro
      Testing Bro to Extract Binaries from HTTP Traffic
      Examining the Binary Extracted from HTTP
      Testing Bro to Extract Binaries from FTP Traffic
      Examining the Binary Extracted from FTP
      Submitting a Hash and Binary to VirusTotal
      Restarting Bro
    Using APT1 Intelligence
      Using the APT1 Module
      Installing the APT1 Module
      Generating Traffic to Test the APT1 Module
      Testing the APT1 Module
    Reporting Downloads of Malicious Binaries
      Using the Team Cymru Malware Hash Registry
      The MHR and SO: Active by Default
      The MHR and SO vs. a Malicious Download
      Identifying the Binary
    Conclusion

  13. Proxies and Checksums
    Proxies
      Proxies and Visibility
        Traffic from the Client to the Proxy
        Traffic from the Proxy to the Web Server
      Dealing with Proxies in Production Networks
    Checksums
      A Good Checksum
      A Bad Checksum
      Identifying Bad and Good Checksums with Tshark
      How Bad Checksums Happen
      Bro and Bad Checksums
      Setting Bro to Ignore Bad Checksums
    Conclusion

Conclusion
  Cloud Computing
    Cloud Computing Challenges
    Cloud Computing Benefits
  Workflow, Metrics, and Collaboration
    Workflow and Metrics
    Collaboration
  Conclusion

A. SO Scripts and Configuration
  SO Control Scripts
    /usr/sbin/nsm
    /usr/sbin/nsm_all_del
    /usr/sbin/nsm_all_del_quick
    /usr/sbin/nsm_sensor
    /usr/sbin/nsm_sensor_add
    /usr/sbin/nsm_sensor_backup-config
    /usr/sbin/nsm_sensor_backup-data
    /usr/sbin/nsm_sensor_clean
    /usr/sbin/nsm_sensor_clear
    /usr/sbin/nsm_sensor_del
    /usr/sbin/nsm_sensor_edit
    /usr/sbin/nsm_sensor_ps-daily-restart
    /usr/sbin/nsm_sensor_ps-restart
    /usr/sbin/nsm_sensor_ps-start
    /usr/sbin/nsm_sensor_ps-status
    /usr/sbin/nsm_sensor_ps-stop
    /usr/sbin/nsm_server
    /usr/sbin/nsm_server_add
    /usr/sbin/nsm_server_backup-config
    /usr/sbin/nsm_server_backup-data
    /usr/sbin/nsm_server_clear
    /usr/sbin/nsm_server_del
    /usr/sbin/nsm_server_edit
    /usr/sbin/nsm_server_ps-restart
    /usr/sbin/nsm_server_ps-start
    /usr/sbin/nsm_server_ps-status
    /usr/sbin/nsm_server_ps-stop
    /usr/sbin/nsm_server_sensor-add
    /usr/sbin/nsm_server_sensor-del
    /usr/sbin/nsm_server_user-add
  SO Configuration Files
    /etc/nsm/
    /etc/nsm/administration.conf
    /etc/nsm/ossec/
    /etc/nsm/pulledpork/
    /etc/nsm/rules/
    /etc/nsm/securityonion/
    /etc/nsm/securityonion.conf
    /etc/nsm/sensortab
    /etc/nsm/servertab
    /etc/nsm/templates/
    /etc/nsm/$HOSTNAME-$INTERFACE/
      barnyard2.conf
      bpf.conf files
      http_agent.conf
      pads_agent.conf
      pcap_agent.conf
      prads.conf
      sancp_agent.conf
      sensor.conf
      snort_agent.conf
      snort.conf
      suricata.yaml
    /etc/cron.d/
    Bro
    CapMe
    ELSA
    Squert
    Snorby
    Syslog-ng
    /etc/network/interfaces
  Updating SO
    Updating the SO Distribution
    Updating MySQL

B. Updates

Index
About the Author
Colophon
Copyright
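Chapters 10 and 11 above work through intrusions by searching Bro logs (Searching Bro DNS Logs; Analyzing the Bro dns.log File). The following is an added example, not code from the book or from Security Onion: a small header-driven parser for Bro's tab-separated ASCII log format, with the kind of pivots an analyst runs over dns.log (everything under a suspect domain, unusually long leftmost labels, NXDOMAIN counts per client, and which clients resolved a known-bad address). The log lines in SAMPLE_DNS_LOG are constructed, with an abbreviated column set; the header directives (#separator, #set_separator, #empty_field, #unset_field, #fields, #types) are Bro's own, and the field names used (query, rcode_name, answers, id.orig_h) are the standard dns.log ones.

```python
"""Header-driven parser for Bro/Zeek tab-separated logs, applied to a dns.log.
Added example, not code from the book or from Security Onion. SAMPLE_DNS_LOG is
constructed; its header directives follow Bro's ASCII log format."""
from collections import Counter

# Constructed, abbreviated dns.log. A real dns.log has more columns; the parser
# follows the #fields/#types header, so the exact column set does not matter.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tquery\tqtype_name\trcode_name\tanswers",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tstring\tstring\tvector[string]",
    "1369234551.123456\tCjk3Hq2uYwkR8t\t192.168.2.108\t52431\t192.168.2.1\t53\tudp"
    "\twww.example.com\tA\tNOERROR\t93.184.216.34",
    "1369234552.004311\tCx9p1a4TnGd2Lk\t192.168.2.108\t52432\t192.168.2.1\t53\tudp"
    "\tmail.example.net\tMX\tNOERROR\tmx.example.net",
    "1369234560.771200\tCqL0Rv3sWz8bMn\t192.168.2.113\t40011\t192.168.2.1\t53\tudp"
    "\tnonexistent.example.org\tA\tNXDOMAIN\t-",
    "1369234561.010000\tCfZ7Ty6uQe1cVo\t192.168.2.113\t40012\t192.168.2.1\t53\tudp"
    "\tc2.badactor.example\tA\tNOERROR\t203.0.113.7",
    "1369234562.500000\tCtH2Ke5iPa9dXy\t192.168.2.113\t40013\t192.168.2.1\t53\tudp"
    "\taGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3QgZmlsZQ.badactor.example\tTXT\tNOERROR\tv=1,abc",
    "1369234570.000000\tCbN4Ws8oRj3fZq\t192.168.2.108\t52433\t192.168.2.1\t53\tudp"
    "\tupdate.example.com\tA\tSERVFAIL\t(empty)",
    "#close\t2013-05-22-16-00-00",
])


def _convert(raw, typ, set_sep, empty, unset):
    """Type one field using the #types declaration and the header sentinels."""
    if raw == unset:
        return None
    if typ.startswith(("vector[", "set[")):
        return [] if raw == empty else raw.split(set_sep)
    if typ in ("port", "count", "int"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    return raw


def parse_bro_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The escape (e.g. "\x09") is literal text in the file.
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no record data
        if fields is None or types is None:
            raise ValueError("record line before #fields/#types header")
        records.append({name: _convert(raw, typ, set_sep, empty, unset)
                        for name, typ, raw in zip(fields, types, line.split(sep))})
    return records


def queries_under(records, domain):
    """Records whose query is the given domain or one of its subdomains (label-aligned)."""
    d = domain.lower()
    return [r for r in records if r["query"]
            and (r["query"].lower() == d or r["query"].lower().endswith("." + d))]


def long_label_queries(records, min_len=40):
    """Queries whose leftmost label is unusually long: a DNS-tunnelling heuristic."""
    return [r for r in records if r["query"] and len(r["query"].split(".")[0]) >= min_len]


def rcode_counts_by_client(records, rcode):
    """How many responses with this rcode (e.g. NXDOMAIN) each client received."""
    return Counter(r["id.orig_h"] for r in records if r["rcode_name"] == rcode)


def clients_resolving(records, answer_ip):
    """Clients that received answer_ip in any response: the pivot from indicator to host."""
    return sorted({r["id.orig_h"] for r in records if r["answers"] and answer_ip in r["answers"]})


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_DNS_LOG)
    for r in queries_under(recs, "badactor.example"):
        print(r["ts"], r["id.orig_h"], r["query"], r["answers"])
    print("long labels:", [r["query"] for r in long_label_queries(recs)])
    print("NXDOMAIN by client:", dict(rcode_counts_by_client(recs, "NXDOMAIN")))
    print("resolved 203.0.113.7:", clients_resolving(recs, "203.0.113.7"))
```

Reading the #fields and #types header rather than hard-coding column positions matters in practice: Security Onion's Bro policy can add or reorder columns, and the unset (-) and empty ((empty)) sentinels must be distinguished from literal values before any count or join is trusted. The same parser applies unchanged to conn.log, http.log, ssh.log and ftp.log, which is what makes the cross-log pivots in those chapters cheap.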
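Chapter 13 above covers good and bad checksums, how bad ones happen, and why Bro must be told to ignore them. As an added example that is not from the book, the block below implements the Internet checksum (RFC 1071) over an IPv4 header and classifies three constructed headers: a valid one, one whose checksum field is zero (the typical signature of checksum offloading, where the NIC fills the field in after the point at which the capture library saw the packet), and one with a flipped bit in the TTL. The 20-byte header is a constructed example (TCP, 172.16.10.99 to 172.16.10.12); nothing here is a Security Onion, Bro or Tshark API.

```python
"""Internet checksum (RFC 1071) over an IPv4 header: good, offloaded, corrupt.
Added example, not code from the book. GOOD_HEADER is a constructed 20-byte
IPv4 header; the other two are derived from it to show the two failure shapes."""
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of big-endian 16-bit words, folded, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # RFC 1071: pad an odd trailing byte with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes, value: int) -> bytes:
    """Return the header with bytes 10-11 (the IPv4 checksum field) replaced."""
    return header[:10] + struct.pack("!H", value) + header[12:]


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """Valid iff the checksum taken over the whole header (field included) is 0."""
    ihl = (header[0] & 0x0F) * 4  # header length in bytes, from the IHL nibble
    return internet_checksum(header[:ihl]) == 0


def classify(header: bytes) -> str:
    """Distinguish a valid header, an offload artifact, and genuine corruption."""
    stored = struct.unpack("!H", header[10:12])[0]
    expected = internet_checksum(with_checksum(header, 0))
    if stored == expected:
        return "good"
    if stored == 0:
        # The sender-side capture saw the packet before the NIC computed the field.
        return "bad (zero: likely checksum offload at the capture point)"
    return "bad (corrupt)"


# Constructed: version 4, IHL 5, total length 60, ID 0x1c46, DF set, TTL 64,
# protocol 6 (TCP), checksum 0xb1e6, 172.16.10.99 -> 172.16.10.12
GOOD_HEADER = bytes.fromhex("4500003c1c4640004006b1e6ac100a63ac100a0c")
# What a capture on the sending host often shows with checksum offload enabled.
OFFLOADED_HEADER = with_checksum(GOOD_HEADER, 0x0000)
# A single flipped bit in the TTL byte (offset 8): the stored checksum no longer matches.
CORRUPT_HEADER = GOOD_HEADER[:8] + bytes([GOOD_HEADER[8] ^ 0x01]) + GOOD_HEADER[9:]

if __name__ == "__main__":
    for name, hdr in [("good", GOOD_HEADER), ("offloaded", OFFLOADED_HEADER),
                      ("corrupt", CORRUPT_HEADER)]:
        print(f"{name:10s} stored=0x{hdr[10] << 8 | hdr[11]:04x} "
              f"expected=0x{internet_checksum(with_checksum(hdr, 0)):04x} -> {classify(hdr)}")
```

The practical point behind the "zero checksum" case is that it is an artifact of where the traffic was captured, not of the network: a tap or SPAN port sees the frame after the NIC has filled the field in, while a capture on the sending host does not. Bro, by default, drops packets with bad checksums, so a sensor fed by a host-local capture silently loses visibility until checksum checking is disabled (Bro's own `-C` command-line flag, or `redef ignore_checksums = T;` in its policy), which is the setting the chapter's last section is about.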