Network Security Monitoring

Winter Working Connections 2017

Sam Bowne



Firewalls and antivirus are not enough to protect modern computer networks--abuses and attacks are common and cannot be completely prevented. Instead, networks are now monitored to detect security incidents, and security teams respond to them to limit the harm they cause. This class prepares students for jobs in monitoring and incident response, providing skills that are in high demand.

Hands-on projects will include basic configuration and use of Splunk, ELK, and Security Onion--popular network security monitoring solutions.

Prerequisite knowledge: Basic networking and security concepts at the Network+ and Security+ level.

Hardware requirements: Students need a host computer with VMware Player, Fusion, or Workstation installed, at least 30 GB of drive space, and an Internet connection fast enough to download 5 GB of data in a reasonable time.

Class Objectives

Upon successful completion of this course, the student will be able to:
  • Explain the importance of network security monitoring and compare it to other types of defenses, such as firewalls
  • Implement and configure Splunk, ELK, and Security Onion servers
  • Efficiently search network traffic to detect abuses and attacks


Textbook

"The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press, 1st edition (July 26, 2013), ASIN B00E5REN34

Live Streaming

The class will be livestreamed using Zoom.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/4108472927
Meeting ID: 410-847-2927


To keep participants awake during lectures, there will be Kahoot live contests to review terms and concepts.


Chapter quizzes are available in plaintext and Canvas exports for participants who want them. They will also be available online for those who wish to take them during the class.


Schedule

Date       Topic
Mon 12-11  1. Network Security Monitoring Rationale
           2. Collecting Network Traffic: Access, Storage, and Management
           3. Standalone NSM Deployment and Installation
           Projects 1-3

Tue 12-12  2. Collecting Network Traffic: Access, Storage, and Management
           3. Standalone NSM Deployment and Installation
           Projects 4-6

Wed 12-13  9. NSM Operations
           10 & 11. Case Histories
           Project 7


Slides

Part 1: Getting Started

1. Network Security Monitoring Rationale · PDF · Keynote
2. Collecting Network Traffic & 3. Standalone NSM Deployment · PDF · Keynote

Part 2: Security Onion Deployment


6. Command Line Packet Analysis Tools
7. Graphical Packet Analysis Tools
8. NSM Console

NSM in Action

9. NSM Operations
10. Server-side Compromise
11. Client-side Compromise

Projects (more projects will be added)

Downloading the Virtual Machines

Download VMware Player (64-bit)

Do Either One of These Projects

Project 1: Setting Up Security Onion on a Mac (15 pts)
Project 1: Setting Up Security Onion on a PC (15 pts)

Project 2: Wireshark (15 pts. + 20 pts. extra credit)
Project 3: Splunk (20 pts.)
Project 4: Detecting Ransomware with Splunk and Sysmon (20 pts.)

Extra Credit Projects

Project 1x: Setting Up ELK (15 pts. extra credit)
Project 2x: CanaryTokens (5 pts. extra credit)
Project 3x: Splunk Searching (10 pts. extra credit)


Links

SELKS 2.0 vs. Security Onion
How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Ubuntu 16.04
Monitoring Windows Logons with Winlogbeat | Elastic
Using ELK for Logging on Windows: Configuration
Public PCAP files for download
SecRepo - Security Data Samples Repository
Xplico Graph not working properly
Ch 1a: Working with Bro Logs: Queries By Example
Ch 1b: Monitoring HTTP Traffic with Bro -- Bro 2.5.1 documentation
Ch 1c: testmyids.com - Robtex
Ch 1d: Sguil - Open Source Network Security Monitoring
Ch 1e: Security Onion 14.04 Release Notes -- Snorby is Gone
Ch 1f: How can I install Snorby on Security Onion 14.04?
How You Can Set up Honeytokens Using Canarytokens to Detect Intrusions
Splunk Dashboard Examples | Splunkbase
Tracking Hackers on Your Network with Sysinternals Sysmon
Ch 6a: Best Practices -- Security-Onion-Solutions/security-onion Wiki
I've lost my splunk admin password, can it be recovered? - Question | Splunk Answers

Last Updated: 10-5-17 1 pm