Practice of Network Security Monitoring : Understanding Incident Detection and Response.
Title:
Practice of Network Security Monitoring : Understanding Incident Detection and Response.
Author:
Bejtlich, Richard.
ISBN:
9781593275341
Edition:
1st ed.
Physical Description:
1 online resource (380 pages)
Contents:
About the Author -- Foreword -- Preface -- Audience -- Prerequisites -- A Note on Software and Protocols -- Scope -- Acknowledgements -- Part I: Getting Started -- Chapter 1: Network Security Monitoring Rationale -- An Introduction to NSM -- Does NSM Prevent Intrusions? -- What Is the Difference Between NSM and Continuous Monitoring? -- How Does NSM Compare with Other Approaches? -- Why Does NSM Work? -- How NSM Is Set Up -- When NSM Won't Work -- Is NSM Legal? -- How Can You Protect User Privacy During NSM Operations? -- A Sample NSM Test -- The Range of NSM Data -- Full Content Data -- Extracted Content Data -- Session Data -- Transaction Data -- Statistical Data -- Metadata -- Alert Data -- What's the Point of All This Data? -- NSM Drawbacks -- Where Can I Buy NSM? -- Where Can I Go for Support or More Information? -- Conclusion -- Chapter 2: Collecting Network Traffic: Access, Storage, and Management -- A Sample Network for a Pilot NSM System -- Traffic Flow in a Simple Network -- Possible Locations for NSM -- IP Addresses and Network Address Translation -- Net Blocks -- IP Address Assignments -- Address Translation -- Choosing the Best Place to Obtain Network Visibility -- Location for DMZ Network Traffic -- Locations for Viewing the Wireless and Internal Network Traffic -- Getting Physical Access to the Traffic -- Using Switches for Traffic Monitoring -- Using a Network Tap -- Capturing Traffic Directly on a Client or Server -- Choosing an NSM Platform -- Ten NSM Platform Management Recommendations -- Conclusion -- Part II: Security Onion Deployment -- Chapter 3: Stand-alone NSM Deployment and Installation -- Stand-alone or Server Plus Sensors? -- Choosing How to Get SO Code onto Hardware -- Installing a Stand-alone System -- Installing SO to a Hard Drive -- Configuring SO Software -- Choosing the Management Interface.

Installing the NSM Software Components -- Checking Your Installation -- Conclusion -- Chapter 4: Distributed Deployment -- Installing an SO Server Using the SO .iso File -- SO Server Considerations -- Building Your SO Server -- Configuring Your SO Server -- Installing an SO Sensor Using the SO .iso Image -- Configuring the SO Sensor -- Completing Setup -- Verifying that the Sensors Are Working -- Verifying that the Autossh Tunnel Is Working -- Building an SO Server Using PPAs -- Installing Ubuntu Server as the SO Server Operating System -- Choosing a Static IP Address -- Updating the Software -- Beginning MySQL and PPA Setup on the SO Server -- Configuring Your SO Server via PPA -- Building an SO Sensor Using PPAs -- Installing Ubuntu Server as the SO Sensor Operating System -- Configuring the System as a Sensor -- Running the Setup Wizard -- Conclusion -- Chapter 5: SO Platform Housekeeping -- Keeping SO Up-to-Date -- Updating via the GUI -- Updating via the Command Line -- Limiting Access to SO -- Connecting via a SOCKS Proxy -- Changing the Firewall Policy -- Managing SO Data Storage -- Managing Sensor Storage -- Checking Database Drive Usage -- Managing the Sguil Database -- Tracking Disk Usage -- Conclusion -- Part III: Tools -- Chapter 6: Command Line Packet Analysis Tools -- SO Tool Categories -- Data Presentation -- SO Data Collection Tools -- SO Data Delivery Tools -- Running Tcpdump -- Displaying, Writing, and Reading Traffic with Tcpdump -- Using Filters with Tcpdump -- Extracting Details from Tcpdump Output -- Examining Full Content Data with Tcpdump -- Using Dumpcap and Tshark -- Running Tshark -- Running Dumpcap -- Running Tshark on Dumpcap's Traffic -- Using Display Filters with Tshark -- Tshark Display Filters in Action -- Running Argus and the Ra Client -- Stopping and Starting Argus -- The Argus File Format -- Examining Argus Data.

Conclusion -- Chapter 7: Graphical Packet Analysis Tools -- Using Wireshark -- Running Wireshark -- Viewing a Packet Capture in Wireshark -- Modifying the Default Wireshark Layout -- Some Useful Wireshark Features -- Using Xplico -- Running Xplico -- Creating Xplico Cases and Sessions -- Processing Network Traffic -- Understanding the Decoded Traffic -- Getting Metadata and Summarizing Traffic -- Examining Content with NetworkMiner -- Running NetworkMiner -- Collecting and Organizing Traffic Details -- Rendering Content -- Conclusion -- Chapter 8: NSM Consoles -- An NSM-centric Look at Network Traffic -- Using Sguil -- Running Sguil -- Sguil's Six Key Functions -- Using Squert -- Snorby -- ELSA -- Conclusion -- Part IV: NSM in Action -- Chapter 9: NSM Operations -- The Enterprise Security Cycle -- The Planning Phase -- The Resistance Phase -- The Detection and Response Phases -- Collection, Analysis, Escalation, and Resolution -- Collection -- Analysis -- Escalation -- Resolution -- Remediation -- Using NSM to Improve Security -- Building a CIRT -- Conclusion -- Chapter 10: Server-side Compromise -- Server-side Compromise Defined -- Server-side Compromise in Action -- Starting with Sguil -- Querying Sguil for Session Data -- Returning to Alert Data -- Reviewing Full Content Data with Tshark -- Understanding the Backdoor -- What Did the Intruder Do? -- What Else Did the Intruder Do? -- Exploring the Session Data -- Searching Bro DNS Logs -- Searching Bro SSH Logs -- Searching Bro FTP Logs -- Decoding the Theft of Sensitive Data -- Extracting the Stolen Archive -- Stepping Back -- Summarizing Stage 1 -- Summarizing Stage 2 -- Next Steps -- Conclusion -- Chapter 11: Client-side Compromise -- Client-side Compromise Defined -- Client-side Compromise in Action -- Getting the Incident Report from a User -- Starting Analysis with ELSA.

Looking for Missing Traffic -- Analyzing the Bro dns.log File -- Checking Destination Ports -- Examining the Command-and-Control Channel -- Initial Access -- Improving the Shell -- Summarizing Stage 1 -- Pivoting to a Second Victim -- Installing a Covert Tunnel -- Enumerating the Victim -- Summarizing Stage 2 -- Conclusion -- Chapter 12: Extending Security Onion -- Using Bro to Track Executables -- Hashing Downloaded Executables with Bro -- Submitting a Hash to VirusTotal -- Using Bro to Extract Binaries from Traffic -- Configuring Bro to Extract Binaries from Traffic -- Collecting Traffic to Test Bro -- Testing Bro to Extract Binaries from HTTP Traffic -- Examining the Binary Extracted from HTTP -- Testing Bro to Extract Binaries from FTP Traffic -- Examining the Binary Extracted from FTP -- Submitting a Hash and Binary to VirusTotal -- Restarting Bro -- Using APT1 Intelligence -- Using the APT1 Module -- Installing the APT1 Module -- Generating Traffic to Test the APT1 Module -- Testing the APT1 Module -- Reporting Downloads of Malicious Binaries -- Using the Team Cymru Malware Hash Registry -- The MHR and SO: Active by Default -- The MHR and SO vs. a Malicious Download -- Identifying the Binary -- Conclusion -- Chapter 13: Proxies and Checksums -- Proxies -- Proxies and Visibility -- Dealing with Proxies in Production Networks -- Checksums -- A Good Checksum -- A Bad Checksum -- Identifying Bad and Good Checksums with Tshark -- How Bad Checksums Happen -- Bro and Bad Checksums -- Setting Bro to Ignore Bad Checksums -- Conclusion -- Conclusion -- Cloud Computing -- Cloud Computing Challenges -- Cloud Computing Benefits -- Workflow, Metrics, and Collaboration -- Workflow and Metrics -- Collaboration -- Conclusion -- Appendix: Security Onion Scripts and Configuration -- Security Onion Control Scripts -- /usr/sbin/nsm -- /usr/sbin/nsm_all_del.

/usr/sbin/nsm_all_del_quick -- /usr/sbin/nsm_sensor -- /usr/sbin/nsm_sensor_add -- /usr/sbin/nsm_sensor_backup-config -- /usr/sbin/nsm_sensor_backup-data -- /usr/sbin/nsm_sensor_clean -- /usr/sbin/nsm_sensor_clear -- /usr/sbin/nsm_sensor_del -- /usr/sbin/nsm_sensor_edit -- /usr/sbin/nsm_sensor_ps-daily-restart -- /usr/sbin/nsm_sensor_ps-restart -- /usr/sbin/nsm_sensor_ps-start -- /usr/sbin/nsm_sensor_ps-status -- /usr/sbin/nsm_sensor_ps-stop -- /usr/sbin/nsm_server -- /usr/sbin/nsm_server_add -- /usr/sbin/nsm_server_backup-config -- /usr/sbin/nsm_server_backup-data -- /usr/sbin/nsm_server_clear -- /usr/sbin/nsm_server_del -- /usr/sbin/nsm_server_edit -- /usr/sbin/nsm_server_ps-restart -- /usr/sbin/nsm_server_ps-start -- /usr/sbin/nsm_server_ps-status -- /usr/sbin/nsm_server_ps-stop -- /usr/sbin/nsm_server_sensor-add -- /usr/sbin/nsm_server_sensor-del -- /usr/sbin/nsm_server_user-add -- Security Onion Configuration Files -- /etc/nsm/ -- /etc/nsm/administration.conf -- /etc/nsm/ossec/ -- /etc/nsm/pulledpork/ -- /etc/nsm/rules/ -- /etc/nsm/securityonion/ -- /etc/nsm/securityonion.conf -- /etc/nsm/sensortab -- /etc/nsm/servertab -- /etc/nsm/templates/ -- /etc/nsm/HOSTNAME-INTERFACE/ -- /etc/cron.d/ -- Bro -- CapMe -- ELSA -- Squert -- Snorby -- Syslog-ng -- /etc/network/interfaces -- Updating Security Onion -- Updating the Security Onion Distribution -- Updating MySQL.
Abstract:
Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. The Practice of Network Security Monitoring teaches IT and security staff how to leverage powerful NSM tools and concepts to identify threats quickly and effectively. Author Richard Bejtlich is a recognized expert in NSM and shares his 15 years of incident handling experience with the reader. In addition to teaching you how to use key monitoring tools, Bejtlich demonstrates a holistic way of thinking about detecting, responding to, and containing intruders. The Practice of Network Security Monitoring assumes no prior experience with network security monitoring, and covers designing, deploying, building, and running an NSM operation. The book focuses on open source software and vendor-neutral tools, avoiding costly and inflexible solutions.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.