Table of Contents

Cover image

Title page

Copyright

Dedication

Acknowledgements

About the Authors

Chris Sanders, Lead Author

Jason Smith, Co-Author

David J. Bianco, Contributing Author

Liam Randall, Contributing Author

Foreword

Preface

Audience

Prerequisites

Concepts and Approach

IP Address Disclaimer

Companion Website

Charitable Support

Contacting Us

Chapter 1. The Practice of Applied Network Security Monitoring

Abstract

Key NSM Terms

Intrusion Detection

Network Security Monitoring

Vulnerability-Centric vs. Threat-Centric Defense

The NSM Cycle: Collection, Detection, and Analysis

Challenges to NSM

Defining the Analyst

Security Onion

Conclusion

Section 1: Collection

Chapter 2. Planning Data Collection

Abstract

The Applied Collection Framework (ACF)

Case Scenario: Online Retailer

Conclusion

Chapter 3. The Sensor Platform

Abstract

NSM Data Types

Sensor Type

Sensor Hardware

Sensor Operating System

Sensor Placement

Securing the Sensor

Conclusion

Chapter 4. Session Data

Abstract

Flow Records

Collecting Session Data

Collecting and Analyzing Flow Data with SiLK

Collecting and Analyzing Flow Data with Argus

Session Data Storage Considerations

Conclusion

Chapter 5. Full Packet Capture Data

Abstract

Dumpcap

Daemonlogger

Netsniff-NG

Choosing the Right FPC Collection Tool

Planning for FPC Collection

Decreasing the FPC Data Storage Burden

Managing FPC Data Retention

Conclusion

Chapter 6. Packet String Data

Abstract

Defining Packet String Data

PSTR Data Collection

Viewing PSTR Data

Conclusion

Section 2: Detection

Chapter 7. Detection Mechanisms, Indicators of Compromise, and Signatures

Abstract

Detection Mechanisms

Indicators of Compromise and Signatures

Managing Indicators and Signatures

Indicator and Signature Frameworks

Conclusion

Chapter 8. Reputation-Based Detection

Abstract

Public Reputation Lists

Automating Reputation-Based Detection

Conclusion

Chapter 9. Signature-Based Detection with Snort and Suricata

Abstract

Snort

Suricata

Changing IDS Engines in Security Onion

Initializing Snort and Suricata for Intrusion Detection

Configuring Snort and Suricata

IDS Rules

Viewing Snort and Suricata Alerts

Conclusion

Chapter 10. The Bro Platform

Abstract

Basic Bro Concepts

Running Bro

Bro Logs

Creating Custom Detection Tools with Bro

Conclusion

Chapter 11. Anomaly-Based Detection with Statistical Data

Abstract

Top Talkers with SiLK

Service Discovery with SiLK

Furthering Detection with Statistics

Visualizing Statistics with Gnuplot

Visualizing Statistics with Google Charts

Visualizing Statistics with Afterglow

Conclusion

Chapter 12. Using Canary Honeypots for Detection

Abstract

Canary Honeypots

Types of Honeypots

Canary Honeypot Architecture

Honeypot Platforms

Conclusion

Section 3: Analysis

Chapter 13. Packet Analysis

Abstract

Enter the Packet

Packet Math

Dissecting Packets

Tcpdump for NSM Analysis

TShark for Packet Analysis

Wireshark for NSM Analysis

Packet Filtering

Conclusion

Chapter 14. Friendly and Threat Intelligence

Abstract

The Intelligence Cycle for NSM

Generating Friendly Intelligence

Generating Threat Intelligence

Conclusion

Chapter 15. The Analysis Process

Abstract

Analysis Methods

Analysis Best Practices

Incident Morbidity and Mortality

Conclusion

Appendix 1. Security Onion Control Scripts

High Level Commands

Server Control Commands

Sensor Control Commands

Appendix 2. Important Security Onion Files and Directories

Application Directories and Configuration Files

Sensor Data Directories

Appendix 3. Packet Headers

Appendix 4. Decimal / Hex / ASCII Conversion Chart

Index

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
35.175.107.142