CNIT 50: Network Security MonitoringFall 2017 Sam Bowne
Scores
Schedule · Lecture Notes · Projects · Links · Home Page |
Catalog DescriptionLearn modern, powerful techniques to inspect and analyze network traffic, so you can quickly detect abuse and attacks and respond to them. This class covers the configuration and use of Security Onion, a popular open-source Linux distribution designed for network security monitoring.Advisory: CNIT 106 and 120, or comparable understanding of networking and security concepts. Course JustificationFirewalls and antivirus are not enough to protect modern computer networks--abuse and attacks are common and cannot be prevented. Instead, networks are now monitored to detect security incidents, and security teams respond to them to limit the harm they cause. This class prepares students for jobs in monitoring and incident response, providing skills that are in high demand.This course is part of the Advanced Cybersecurity Certificate. Student Learning OutcomesUpon successful completion of this course, the student will be able to:
Textbook"The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34 Buy from AmazonQuizzesThe quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is available for one week, up till 8:30 am Saturday. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.To take quizzes, first claim your RAM ID and then log in to Canvas here: Live StreamingLive stream at: ccsf.edu/webcasts Live Streaming for KahootsDuring the Kahoots, I'll also stream the class via Zoom. |
Schedule | ||
---|---|---|
Date | Due | Topic |
Tue 8-29 | 1: Network Security Monitoring Rationale | |
Tue 9-19 | Proj 1 due Quizzes Ch 1 and Ch 2-3 * |
2. Collecting Network Traffic: Access, Storage, and Management 3. Standalone NSM Deployment and Installation |
Tue 10-10 | Proj 2 & 3 due Quiz Ch 6 * |
6. Command Line Packet Analysis Tools |
Tue 10-31 | Proj 4 & 5 due Quiz Ch 7 & 8 * |
7. Graphical Packet Analysis Tools 8. NSM Console |
Tue 11-21 | Proj 6 due | 9. NSM Operations |
Tue 12-12 | Proj 7 due All extra credit due Quiz Quiz Ch 9 * & due There will be no Quiz on Ch 10 or 11 |
Last Class: No Lecture Security Apprenticeship Talk at 6:30 in MUB 140 Open lab in S214 after that event |
Fri 12-15 - Thu 12-21 |
Final Exam available online throughout the week. You can only take it once. | |
* Quizzes due 30 min. before class |
Lectures | |
---|---|
Policy
· Schedule
Part 1: Getting Started1. Network Security Monitoring Rationale · PDF · Keynote2. Collecting Network Traffic & 3. Standalone NSM Deployment · PDF · Keynote Part 2: Security Onion DeploymentWe'll skip chapters 4 and 5
4. Distributed Deployment Tools6. Command Line Packet Analysis Tools · PDF · Keynote7. Graphical Packet Analysis Tools 8. NSM Console · PDF · Keynote NSM in Action9. NSM Operations · PDF · Keynote |
Links |
---|
Links for LecturesCh 1a: Working with Bro Logs: Queries By ExampleCh 1b: Monitoring HTTP Traffic with Bro -- Bro 2.5.1 documentation Ch 1c: testmyids.com - Robtex Ch 1d: Sguil - Open Source Network Security Monitoring Ch 1e: Security Onion 14.04 Release Notes -- Snorby is Gone Ch 1f: How can I install Snorby on Security Onion 14.04?
Ch 6a: Best Practices -- Security-Onion-Solutions/security-onion Wiki
Ch 7a: splunk pricing - splunk licensing model
Ch 9a: Mandiant APT1 Report Other LinksSELKS 2.0 vs. Security OnionHow To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Ubuntu 16.04 Monitoring Windows Logons with Winlogbeat | Elastic Using ELK for Logging on Windows: Configuration Public PCAP files for download SecRepo - Security Data Samples Repository Xplico Graph not working properly How You Can Set up Honeytokens Using Canarytokens to Detect Intrusions Splunk Dashboard Examples | Splunkbase Tracking Hackers on Your Network with Sysinternals Sysmon I've lost my splunk admin password, can it be recovered? - Question | Splunk Answers Digital Corpora NetworkMiner - The NSM and Network Forensics Analysis Tool NetworkMiner packet analyzer - Browse /networkminer at SourceForge.net How to Install Cacti 1.1.10 on Ubuntu 16.04 QRadar Rule creation: Baseline of trusted users - YouTube Manage common offenses detected by QRadar SIEM IBM Knowledge Center - Installing Sysinternals Sysmon New Unsorted LinksUsing Wazuh to monitor Sysmon events - WAZUH's blogSplunk Book | Splunk Wazuh v3.0 released! Splunk Courses for Users Get started with Search - Splunk Documentation Splunk and the ELK Stack: A Side-by-Side Comparison What on earth is 'Splunk' -- and why does it pay so much? (from 2017) Splunk in 2 Charts: 85 of the Fortune 100 companies use Splunk (from 2017) 2018-11-26: Splunk Core Certified User Test Blueprint |