Enterprise Security Monitoring with Open Source Network IDS & IPS

Authors: Matt Glass, Joe Abraham, Michael Edie

NIST defines an Intrusion Detection System (IDS) as software that looks for suspicious activity and alerts administrators. In the NIST Special Publication 800-62 it goes on to say...

What You Will Learn:

  • how to install and configure open source Intrusion Detection and Prevention systems
  • how to configure the tools to capture packets
  • how to manage rule sets and rule sources to optimize your configuration and detection
  • how to utilize open source rule sets
  • how to analyze an example intrusion and manage alerts
  • how to explore alert and event managers
  • how to analyze contextual information in alerts
  • how to utilize associated extensions, frameworks, and integrations

Prerequisites

  • A basic understanding of computer networking
  • An understanding of security fundamentals

Enterprise Security Monitoring with Snort

Snort acts as both an IDS and IPS, capable of performing real-time traffic analysis and packet logging on IP networks. This Linux utility is easy to deploy and can be configured to monitor your network traffic for intrusion attempts, log them, and take a specified action when an intrusion attempt is detected. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more. It relies on a set of rules that define malicious network activity: packets are matched against those rules, and each match generates an alert for the user.

Further documentation and FAQs on Snort can be found at https://www.snort.org/

Getting Started with Snort

by Matt Glass

Jun 3, 2020 / 1h 6m

Description

Detecting potential threats to an organization’s network is an important part of securing the overall system. In this course, Getting Started with Snort, you will learn foundational knowledge to operate Snort and leverage its plugins. First, you will learn how to configure and run Snort. Next, you will discover how to expand its functionality by configuring plugins. Finally, you will explore how to export alerts to external applications. When you are finished with this course, you will have the skills and knowledge of Snort needed to leverage its capabilities.

Table of contents
  1. Course Overview
  2. Capturing Your First Packets with Snort
  3. Exploring Snort's Features and Modules
  4. Extending Snort Functionality through Additional Tools

Writing Snort Rules

by Matt Glass

Sep 10, 2020 / 1h 24m

Description

Would you like to detect potential threats to your network? Snort is an open source network intrusion detection system and intrusion prevention system that includes the ability to write custom rules. In this course, Writing Snort Rules, you’ll learn to write your own custom rules for Snort to detect specific traffic. First, you’ll explore the basic Snort rule structure. Next, you’ll discover how to leverage additional options to refine your traffic detection. Finally, you’ll learn how to further optimize your rules with new options in Snort version 3. When you’re finished with this course, you’ll have the skills and knowledge of Snort needed to write your own rules.

Table of contents
  1. Course Overview
  2. Writing Your First Snort Rule
  3. Creating Custom Rules with Rule Options
  4. Optimizing Rules with New Features

Enterprise Security Monitoring with Suricata

The Suricata open source engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. Third-party open source tools are available as web front ends to query and analyze the alerts produced by Suricata IDS.

These courses provide a comprehensive understanding of the tool's fundamentals: how to install and deploy it and capture packets, then how to manage rule sets and rule sources, and finally how to manage alerts and analyze their contextual information.

Further documentation and FAQs on Suricata can be found at https://suricata-ids.org/

Suricata: Getting Started

by Matt Glass

Dec 14, 2020 / 1h 12m

Description

Intrusion detection and prevention are key in enterprise network security monitoring. In this course, Suricata: Getting Started, you’ll learn to install and configure Suricata. First, you’ll explore intrusion detection and prevention fundamentals. Next, you’ll discover how to install Suricata using multiple methods. Finally, you’ll learn how to configure Suricata to capture packets. When you’re finished with this course, you’ll have the skills and knowledge of Suricata needed to install and configure it to capture network traffic.

Table of contents
  1. Course Overview
  2. Understanding Intrusion Detection and Prevention
  3. Installing Suricata
  4. Capturing Your First Packets with Suricata
  5. Evaluating Suricata’s Output

Manage Suricata Rule Sets and Rule Sources

by Matt Glass

Apr 27, 2021 / 1h 6m

Description

Intrusion detection and prevention are an important part of any enterprise network security monitoring plan. In this course, Manage Suricata Rule Sets and Rule Sources, you’ll learn to select and obtain pre-written rules. First, you’ll explore open-source rule sets. Next, you’ll discover how to leverage suricata-update to add rule sources. Finally, you’ll learn how to manage regular updates with cron. When you’re finished with this course, you’ll have the skills and knowledge of Suricata needed to manage Suricata’s rule sets and rule sources using suricata-update.

Table of contents
  1. Course Overview
  2. Understanding Suricata Rule Sets and Sources
  3. Leveraging Suricata Update
  4. Examining Rule Set Effects
  5. Managing Suricata Rule Sets with Cron

Enterprise Security Monitoring with Zeek (formerly Bro)

Zeek functions as a network traffic analyzer and an intrusion prevention system, with alert conditions triggering predefined actions. Policy scripts are customizable, though constrained by the standard framework, which covers anomaly detection, connection analysis, and signature matching. The tool is capable of automatically downloading suspicious files it spots on the network, sending them for analysis, notifying relevant parties if anything is uncovered, blacklisting the source, and shutting down the device that downloaded the file.

Further documentation and FAQs on Zeek can be found at https://zeek.org/

Getting Started with Zeek

by Joe Abraham

Nov 6, 2019 / 1h 26m

Description

Zeek is an event-based network monitoring and analysis tool used by many organizations. It enables users to see the traffic going through their networks and respond to it in different ways. Learning how to configure, use, and customize this tool will help you manage your network effectively. In this course, Getting Started with Zeek, you will learn all about this tool, how it functions, and how to use it. First, you will learn about the tool, its purpose, and its functionality. Next, you will learn about the pieces of the tool and how they interact with each other. Finally, you will explore the language Zeek uses and how you can use it to help your environment. When you're finished with this course, you will have a full understanding of the tool and be able to use it effectively in your own network.

Table of contents
  1. Course Overview
  2. Discovering Zeek’s Capabilities
  3. Using Zeek in the Enterprise
  4. Detailing the Zeek Components
  5. Learning Zeek’s Language
  6. Tracking Zeek’s Discoveries

Writing Zeek Rules and Scripts

by Joe Abraham

May 10, 2021 / 2h 6m

Description

Zeek is an event-based network monitoring and analysis tool used to help monitor the network and detect potential threats. It enables users to see the traffic going through their networks and respond to it in different ways. Learning how to customize its functionality through the use of rules and scripts can help you use this tool more effectively. In this course, Writing Zeek Rules and Scripts, you will learn all about this tool's frameworks and how to use them to customize the tool. First, you will learn about the various components used for Zeek customization and scripting. Next, you will learn about the default scripts and how to modify them to suit your needs. Finally, you will practice using the frameworks to build the functionality needed for your use cases. When you're finished with this course, you will have the ability to modify Zeek to support your desired use cases and environment.

Table of contents
  1. Course Overview
  2. Illustrating the Zeek Signature Framework
  3. Managing Events with the Logging and Notice Frameworks
  4. Breaking Down the Scripting Basics
  5. Optimizing Zeek Default Scripts
  6. Customizing Scripts to Extend Zeek Functionality

Utilizing Zeek in an Enterprise Environment or for Distributed Operations

by Michael Edie

Jul 1, 2021 / 1h 50m

Description

Cybersecurity professionals are tasked with defending networks against malicious attackers who are becoming more sophisticated and harder to detect. In this course, Utilizing Zeek in an Enterprise Environment or for Distributed Operations, you'll learn how to deploy this tool to support network security operations. First, you'll explore how to design a Zeek deployment for enterprise monitoring. Next, you'll discover how Zeek can support continuous monitoring. Finally, you'll learn how to use Zeek for threat hunting and incident response. When you're finished with this course, you'll have the skills and knowledge to use Zeek to rapidly identify indicators of compromise and security control deviations, and to actively pursue adversarial threats on a network.

Table of contents
  1. Course Overview
  2. Designing a Zeek Deployment for Enterprise Monitoring
  3. Using Zeek for Continuous Monitoring
  4. Using Zeek for Defensive Cyber Operations