Network Security Monitoring

Winter Working Connections 2017

Sam Bowne


Surveys for Weds.


Firewalls and antivirus are not enough to protect modern computer networks--abuses and attacks are common and cannot be completely prevented. Instead, networks are now monitored to detect security incidents, and security teams respond to them to limit the harm they cause. This class prepares students for jobs in monitoring and incident response, providing skills that are in high demand.

Hands-on projects will include basic configuration and use of Splunk, ELK, and Security Onion--popular network security monitoring solutions.

Prerequisite knowledge: Basic networking and security concepts at the Network+ and Security+ level.

Hardware requirements: Students need a host computer with VMware Player, Fusion, or Workstation installed, at least 30 GB of drive space, and an Internet connection fast enough to download 5 GB of data in a reasonable time.

Class Objectives

Upon successful completion of this course, the student will be able to:
  • Explain the importance of network security monitoring and compare it to other types of defenses, such as firewalls
  • Implement and configure Splunk, ELK, and Security Onion servers
  • Efficiently search network traffic to detect abuses and attacks


"The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34

Live Streaming

The class will be livestreamed using Zoom.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/4108472927
Meeting ID: 410-847-2927


To keep participants awake during lectures, there will be Kahoot live contests to review terms and concepts.


Chapter quizzes are available in plaintext and Canvas exports for participants who want them.

They will also be available online for those who wish to take them during the class.

To take quizzes, log in to Canvas here:


Download quizzes as a Canvas export file


Date Topic

Mon 12-11

8:30 - 12:00
1:00 - 5:00 (CST)

1. Network Security Monitoring Rationale
2. Collecting Network Traffic: Access, Storage, and Management
3. Standalone NSM Deployment and Installation
6. Command Line Packet Analysis Tools

Projects 1-3, 1x, 2x

Quizzes: Ch 1, Ch 2-3


Tue 12-12

8:30 - 12:00
1:00 - 5:00 (CST)

7. Graphical Packet Analysis Tools
8. NSM Console
9. NSM Operations

Projects 4-6, 3x, 4x
Quizzes: Ch 6, Ch 7-8


Wed 12-13

8:30 - 12:00 (CST)

Project 7
Quiz: Ch 9

Surveys for Weds.

Contest for Prize Cryptokitties


Part 1: Getting Started

1. Network Security Monitoring Rationale · PDF · Keynote
2. Collecting Network Traffic & 3. Standalone NSM Deployment · PDF · Keynote

Part 2: Security Onion Deployment

We'll skip chapters 4 and 5

4. Distributed Deployment
5. SO Platform Housekeeping


6. Command Line Packet Analysis Tools · PDF · Keynote
7. Graphical Packet Analysis Tools
8. NSM Console · PDF · Keynote

NSM in Action

9. NSM Operations · PDF · Keynote


Network Security Monitoring Projects

Download VMware Player (64-bit)

Do Either One of These Projects

Project 1: Setting Up Security Onion on a Mac 
Project 1: Setting Up Security Onion on a PC 

Record Project 1 Completion · Project 1 Completion Page

Project 2: Wireshark
Record Project 2 Completion · Project 2 Completion Page

Project 3: Splunk
Record Project 3 Completion · Project 3 Completion Page

Project 4: Detecting Ransomware with Splunk and Sysmon
Record Project 4 Completion · Project 4 Completion Page

Project 5: Command-Line Tools
Record Project 5 Completion · Project 5 Completion Page

Project 6: Graphical Tools
Record Project 6 Completion · Project 6 Completion Page

Project 7: NSM Consoles
Record Project 7 Completion · Project 7 Completion Page

Extra Credit Projects

Project 1x: Setting Up ELK without SSL
Record Project 1x Completion · Project 1x Completion Page

Original Project 1x: Setting Up ELK -- Unnecessarily Complicated
Project 2x: CanaryTokens
Record Project 2x Completion · Project 2x Completion Page

Project 3x: Splunk Searching
Record Project 3x Completion · Project 3x Completion Page

Project 4x: Splunk Enterprise Security
Record Project 4x Completion · Project 4x Completion Page

Other Defensive Network Projects

CNIT 40 Proj 2x: DNSCrypt on Linux
CNIT 40 Proj 8x: DNS Over HTTPS

Firewall Hero

New Hacking Projects

Download Win2008-124 Size: 2,180,234,212
      SHA-256: dc496623ef74fe1dac1dfb3053acea312350f02d83189bd15d2b48d6eb49be22
Download Kali Linux 32 bit VM PAE

CNIT 124 Proj 15: Stealing Passwords from RAM with Metasploit
CNIT 124 Proj 8x: ETERNALBLUE v. Windows
CNIT 124 Proj 9x: Exploiting Apache Struts with CVE-2017-5638
CNIT 124 Proj 10x: Exploiting Apache Struts with CVE-2017-9805

Blockchain Projects

Using Cryptocurrencies

CNIT 141 Proj X1: Coinbase
CNIT 141 Proj 13: Exodus Wallet

CNIT 141 Proj 1x: Cryptokitties

Developing with Blockchains

CNIT 141 Proj 7: Bitcoin: Setting up a Private Regtest Blockchain
CNIT 141 Proj 15: Making an Ethereum Contract with Truffle
CNIT 141 Proj 9: Getting Started with Multichain
CNIT 141 Proj 10: Making a Blockchain Survey with Multichain
CNIT 141 Proj 11: Making a Private Ethereum Blockchain

Cryptography Projects

CNIT 141 Proj 8: ECB v. CBC Modes with Python
CNIT 141 Proj 14: Padding Oracle Attack
CNIT 141 Proj 16: Existential Forgery Attack on RSA Signatures
CNIT 141 Proj 12: RSA Key Formats
CNIT 141 Proj X4: Finding Large Primes
CNIT 141 Proj X5: Factoring Large Numbers


Get started with Search - Splunk Documentation
Splunk and the ELK Stack: A Side-by-Side Comparison
What on earth is 'Splunk' -- and why does it pay so much? (from 2017)
Splunk in 2 Charts: 85 of the Fortune 100 companies use Splunk (from 2017)
Splunk Core Certified User Test Blueprint

New Unsorted Links

Splunk Certification Flashcards | Quizlet
The Windows Logging Cheat Sheet
delete - Splunk Documentation
ATT&CKized Splunk - Threat Hunting with MITRE's ATT&CK using Splunk
Securing Splunkweb (Free version) -- THIS WORKS
2020-03-06: Statement by a quarantined nurse from a northern California Kaiser facility
Splunk Certification Pathway (2022)
Free Training Courses | Splunk
Configure a Splunk asset in Splunk SOAR to pull data from the Splunk platform - Splunk Documentation
About Splunk App for SOAR Export - Splunk Documentation
The Essential Guide to Security | Splunk -- SECURITY JOURNEY PDF
Overview of the Splunk Common Information Model - Splunk Documentation
Splunk Security Essentials Explained—Splunk Cloud SecOps Webinar Series - YouTube
Splunk Security Schooling With Static Datasets For Budding Blue Teamers
GitHub - splunk/attack_data: A repository of curated datasets from various attacks
Blue Team Labs Online - Cyber Range

Last Updated: 12-13-17 7:04 am