Enterprise Security Monitoring with Open Source Network IDS & IPS


Authors: Matt Glass, Joe Abraham

NIST defines an Intrusion Detection System (IDS) as software that looks for suspicious activity and alerts administrators. NIST Special Publication 800-94, the Guide to Intrusion Detection and Prevention Systems, expands on that definition.

What You Will Learn:

  • how to install and configure open source intrusion detection and prevention systems
  • how to configure the tools to capture packets
  • how to manage rule sets and rule sources to optimize configuration and detection
  • how to use open source rule sets
  • how to analyze an example intrusion and manage alerts
  • how to work with alert and event managers
  • how to analyze the contextual information carried in alerts
  • how to use the associated extensions, frameworks and integrations

Pre-requisites

  • A basic understanding of computer networking
  • An understanding of security fundamentals

Enterprise Security Monitoring with Snort

Snort can run as an IDS or as an inline IPS, performing real-time traffic analysis and packet logging on IP networks. It runs on Linux and other platforms, is straightforward to deploy, and can be configured to monitor network traffic for intrusion attempts, log them, and take a specified action when one is detected. It performs protocol analysis and content searching/matching, and can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. Detection is driven by rules: each rule describes a pattern of malicious network activity, Snort tests packets against the loaded rules, and every match generates an alert.

Further documentation and FAQs for Snort can be found at https://www.snort.org/

Getting Started with Snort

by Matt Glass

Jun 3, 2020 / 1h 6m

Description

Detecting potential threats to an organization’s network is an important part of securing the overall system. In this course, Getting Started with Snort, you will learn foundational knowledge to operate Snort and leverage its plugins. First, you will learn how to configure and run Snort. Next, you will discover how to expand its functionality by configuring plugins. Finally, you will explore how to export alerts to external applications. When you are finished with this course, you will have the skills and knowledge of Snort needed to leverage its capabilities.

Table of contents
  1. Course Overview
  2. Capturing Your First Packets with Snort
  3. Exploring Snort's Features and Modules
  4. Extending Snort Functionality through Additional Tools

Writing Snort Rules

by Matt Glass

Sep 10, 2020 / 1h 24m

Description

Would you like to detect potential threats to your network? Snort is an open source network intrusion detection system and intrusion prevention system that includes the ability to write custom rules. In this course, Writing Snort Rules, you’ll learn to write your own custom rules for Snort to detect specific traffic. First, you’ll explore the basic Snort rule structure. Next, you’ll discover how to leverage additional options to refine your traffic detection. Finally, you’ll learn how to further optimize your rules with new options in Snort version 3. When you’re finished with this course, you’ll have the skills and knowledge of Snort needed to write your own rules.
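The rule-driven matching described in the Snort overview above, and the rule structure this course teaches, as an added example in Python. This is not Snort's own code: it parses rule text written in the header layout Snort and Suricata share ("action proto src sport -> dst dport (options)") and evaluates the header plus the content, nocase, msg, sid and rev options against hand-built packets, so the parts of a rule can be seen doing their work. The rules (local SIDs 1000001 to 1000004) and the packets are constructed for the example, and $HOME_NET is assumed to be 192.168.1.0/24.

```python
"""Toy evaluator for Snort-syntax rules against constructed packets.

Added example, not Snort's own code: it parses the rule layout Snort and
Suricata share, "action proto src sport -> dst dport (options)", and checks
the header plus the content/nocase/msg/sid/rev options. Other options such
as flow, classtype or pcre are accepted but not evaluated.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: a lab network used to resolve $HOME_NET and $EXTERNAL_NET.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

# Constructed rules in the local SID range (1000000 and above).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cmd.exe in HTTP request"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"Inbound SSH connection"; flow:to_server; sid:1000002; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP from outside"; sid:1000003; rev:1;)',
    'alert udp $HOME_NET any -> any 53 (msg:"DNS query for example.test"; content:"|07|example|04|test|00|"; sid:1000004; rev:1;)',
]

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

# Constructed packets (ports are 0 for ICMP).
PACKETS = [
    Packet("tcp", "203.0.113.5", 44321, "192.168.1.10", 80,
           b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.168.1.10", 80, "203.0.113.5", 44321, b"HTTP/1.0 404 Not Found\r\n"),
    Packet("icmp", "198.51.100.7", 0, "192.168.1.10", 0, b"\x08\x00"),
    Packet("tcp", "192.168.1.20", 50000, "192.168.1.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet("udp", "192.168.1.10", 53123, "192.0.2.53", 53,
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"),
]

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def decode_content(text):
    """Snort content syntax: literal text with |hh hh| sections for raw bytes."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(text.split("|")))

def parse_rule(text):
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "direction": direction,
            "dst": dst, "dport": dport, "msg": "", "sid": None, "rev": None, "contents": []}
    for opt in body.split(";"):  # "key:value;" pairs; nocase modifies the preceding content
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append([decode_content(val), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True
        elif key in ("sid", "rev"):
            rule[key] = int(val)
        elif key == "msg":
            rule[key] = val
    return rule

def addr_match(spec, ip):
    spec = VARS.get(spec, spec)        # expand $HOME_NET / $EXTERNAL_NET
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_match(spec, port):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:  # ranges: 8000:8080, 1024: (and up), :1023 (and below)
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def header_match(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    fwd = (addr_match(rule["src"], pkt.src) and port_match(rule["sport"], pkt.sport)
           and addr_match(rule["dst"], pkt.dst) and port_match(rule["dport"], pkt.dport))
    if fwd or rule["direction"] == "->":
        return fwd
    return (addr_match(rule["src"], pkt.dst) and port_match(rule["sport"], pkt.dport)  # <> swaps ends
            and addr_match(rule["dst"], pkt.src) and port_match(rule["dport"], pkt.sport))

def rule_matches(rule, pkt):
    if not header_match(rule, pkt):
        return False
    for needle, nocase in rule["contents"]:
        hay = pkt.payload.lower() if nocase else pkt.payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True

def run_rules(rule_texts, packets):
    """One alert dict per (packet, rule) match, in the order the packets arrive."""
    rules = [parse_rule(r) for r in rule_texts]
    return [{"sid": r["sid"], "rev": r["rev"], "msg": r["msg"],
             "src": f"{p.src}:{p.sport}", "dst": f"{p.dst}:{p.dport}"}
            for p in packets for r in rules if rule_matches(r, p)]
```

Calling run_rules(RULES, PACKETS) yields four alerts, for SIDs 1000001, 1000003, 1000002 and 1000004. The HTTP response packet matches nothing: its source is inside $HOME_NET, so the negated $EXTERNAL_NET fails, and a -> rule is never evaluated with the ends swapped. The nocase modifier is what lets "CMD.EXE" in the request hit a rule written for "cmd.exe".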

Table of contents
  1. Course Overview
  2. Writing Your First Snort Rule
  3. Creating Custom Rules with Rule Options
  4. Optimizing Rules with New Features

Enterprise Security Monitoring with Suricata

The Suricata open source engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Third-party open source web front ends are available to query and analyze the alerts Suricata produces.

These courses provide a comprehensive understanding of the tool's fundamentals: how to install and deploy it and capture packets, then how to manage rule sets and rule sources, and finally how to manage alerts and analyze their contextual information.
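The alert management and contextual analysis these courses cover, as an added example in Python that consumes Suricata's EVE JSON output. This is not Suricata's own code, and the log lines are constructed for the example; they are shaped after EVE's alert and http records (event_type, src_ip, dest_ip, proto, alert.signature_id, alert.severity, alert.action, http.url and so on). The code keeps only alert records, survives a corrupted line, groups alerts by signature, orders them for an analyst, and pulls the protocol-layer context Suricata attaches to each alert.

```python
"""Triage Suricata EVE JSON: keep alert records, group them by signature, pull context.

Added example, not Suricata's own code. Suricata's EVE output is one JSON
object per line; the lines below are constructed to mimic its alert and
http records (field names as in EVE: event_type, src_ip, dest_ip, proto,
alert.signature_id, alert.severity, alert.action, http.url, ...).
"""
import json

SAMPLE_EVE = r'''
{"timestamp":"2020-12-14T10:01:02.123456+0000","flow_id":1,"event_type":"alert","src_ip":"203.0.113.5","src_port":44321,"dest_ip":"192.168.1.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100001,"rev":1,"signature":"LOCAL cmd.exe in HTTP request","category":"Web Application Attack","severity":1},"http":{"hostname":"192.168.1.10","url":"/scripts/..%255c../winnt/system32/cmd.exe?/c+dir","http_method":"GET"}}
{"timestamp":"2020-12-14T10:01:02.200000+0000","flow_id":1,"event_type":"http","src_ip":"203.0.113.5","src_port":44321,"dest_ip":"192.168.1.10","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.10","url":"/scripts/..%255c../winnt/system32/cmd.exe?/c+dir","http_method":"GET","status":404}}
{"timestamp":"2020-12-14T10:03:15.000000+0000","flow_id":2,"event_type":"alert","src_ip":"192.168.1.20","src_port":50000,"dest_ip":"192.168.1.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100002,"rev":1,"signature":"LOCAL inbound SSH","category":"Misc activity","severity":3}}
{"timestamp":"2020-12-14T10:03:16.000000+0000","flow_id":3,"event_type":"alert","src_ip":"192.168.1.21","src_port":50001,"dest_ip":"192.168.1.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100002,"rev":1,"signature":"LOCAL inbound SSH","category":"Misc activity","severity":3}}
{"timestamp":"2020-12-14T10:05:00.000000+0000","flow_id":4,"event_type":"alert","src_ip":"192.168.1.10","src_port":53123,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":2100004,"rev":1,"signature":"LOCAL DNS query for example.test","category":"Potentially Bad Traffic","severity":2}}
not json: a truncated or corrupted line that the reader must survive
'''

def parse_alerts(text):
    """Decode EVE lines; keep only event_type == "alert" and skip malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written or corrupted line must not stop triage
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts

def summarize(alerts):
    """Group by signature_id: count, most urgent severity, distinct sources, actions seen."""
    summary = {}
    for ev in alerts:
        a = ev["alert"]
        s = summary.setdefault(a["signature_id"], {"signature": a["signature"], "count": 0,
                               "severity": a["severity"], "sources": set(), "actions": set()})
        s["count"] += 1
        s["severity"] = min(s["severity"], a["severity"])  # severity 1 is the most urgent
        s["sources"].add(ev["src_ip"])
        s["actions"].add(a["action"])  # "blocked" only appears when Suricata runs inline
    return summary

def prioritized(summary):
    """Signature ids ordered for an analyst: most severe first, then most frequent."""
    return sorted(summary, key=lambda sid: (summary[sid]["severity"], -summary[sid]["count"]))

def context(ev):
    """The 5-tuple plus the protocol-layer fields Suricata attaches to an alert (HTTP here)."""
    five = f'{ev["proto"]} {ev["src_ip"]}:{ev["src_port"]} -> {ev["dest_ip"]}:{ev["dest_port"]}'
    http = ev.get("http")
    if http:
        return f'{five} {http.get("http_method", "?")} {http.get("hostname", "")}{http.get("url", "")}'
    return five
```

Feeding an eve.json file through parse_alerts and then summarize and prioritized gives the same ordering a front end shows by default: severity-1 signatures first, repeated signatures next, and the per-signature source set makes a single scanner hitting many hosts stand out from many hosts hitting one signature.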

Further documentation and FAQs for Suricata can be found at https://suricata-ids.org/

Suricata: Getting Started

by Matt Glass

Dec 14, 2020 / 1h 12m

Description

Intrusion detection and prevention are key in enterprise network security monitoring. In this course, Suricata: Getting Started, you’ll learn to install and configure Suricata. First, you’ll explore intrusion detection and prevention fundamentals. Next, you’ll discover how to install Suricata using multiple methods. Finally, you’ll learn how to configure Suricata to capture packets. When you’re finished with this course, you’ll have the skills and knowledge of Suricata needed to install and configure it to capture network traffic.

Table of contents
  1. Course Overview
  2. Understanding Intrusion Detection and Prevention
  3. Installing Suricata
  4. Capturing Your First Packets with Suricata
  5. Evaluating Suricata’s Output

Manage Suricata Rule Sets and Rule Sources

by Matt Glass

Coming Soon

Manage Suricata Alerts and Analyze Contextual Information

by Matt Glass

Coming Soon

Enterprise Security Monitoring with Zeek (formerly Bro)

Zeek is a passive network traffic analyzer and network security monitor rather than an inline IPS: it turns observed traffic into events and detailed protocol logs, and policy scripts written in Zeek's own scripting language decide how to react to them. The standard scripts cover connection analysis, protocol logging, signature matching and anomaly detection, and can be customized or extended. Its file analysis framework can extract files it sees on the wire and hand them to external analysis, its notice framework can raise notices to the relevant parties, and its NetControl framework can push blocks for an offending source out to firewalls or switches through an external integration.

Further documentation and FAQs for Zeek can be found at https://zeek.org/

Getting Started with Zeek

by Joe Abraham

Nov 6, 2019 / 1h 26m

Description

Zeek is an event-based network monitoring and analysis tool used by many organizations. It lets you see the traffic going through your networks and respond to it in different ways. Learning how to configure, use, and customize this tool will help you manage your network effectively. In this course, Getting Started with Zeek, you will learn all about this tool, how it functions, and how to use it. First, you will learn about the tool, its purpose, and its functionality. Next, you will learn about the pieces of the tool and how they interact with each other. Finally, you will explore the language Zeek uses and how you can use it to help your environment. When you're finished with this course, you will have a full understanding of the tool and be able to use it effectively in your own network.

Table of contents
  1. Course Overview
  2. Discovering Zeek’s Capabilities
  3. Using Zeek in the Enterprise
  4. Detailing the Zeek Components
  5. Learning Zeek’s Language
  6. Tracking Zeek’s Discoveries