CNIT 50: 7. Graphical Tools & 8. NSM Consoles

For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml

Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press, 1st edition (July 26, 2013), ASIN: B00E5REN34

  1. CNIT 50: Network Security Monitoring 7 Graphical Packet Analysis Tools
  2. Topics
     • Using Wireshark
     • Using Xplico
     • Examining Content with NetworkMiner
  3. Wireshark
  4. Wireshark Limitations
     • Slow for processing large data sets
     • Best to first locate the traffic of interest with another tool, such as session data
     • Then use Wireshark on only that limited data
  5. Useful Wireshark Features
     • Viewing lower-level protocol features in detail
     • Omitting traffic to see remnants
     • Following streams
     • Setting the protocol decode method with Decode As
     • Following other streams
  6. Project 2
  7. Xplico
  8. Using Xplico
     • Not intended for live capture, although that is possible
     • Better for analyzing saved PCAPs
     • Managed via a Web browser
     • By default, Security Onion (SO) only allows access from localhost
  9. Flash Often Fails
  10. Reconstructed from Packets
  11. NetworkMiner
  12. Windows Only!
     • On Linux: takes more than two hours to load the nitroba.pcap file, which is only 55 MB
     • On Windows: under 5 minutes
  13. Hosts
  14. Messages
  15. CNIT 50: Network Security Monitoring 8 NSM Consoles
  16. Topics
     • An NSM-centric Look at Network Traffic
     • Using Sguil
     • Using Squert
     • Using Snorby (removed from SO)
     • Using ELSA
  17. Sguil
  18. Events
  19. Query
  20. Like Splunk
  21. Pivot to Full Content Data
  22. Squert
  23. Squert
     • Open-source web interface for NSM data
     • Written to provide access to Sguil databases via a Web browser
     • Adds visualizations and supporting information
  24. Events
  25. Search
  26. Snorby
  27. Removed from SO
     • Newer open-source Web interface for NSM data
     • Abandoned by its developers and removed from SO
  28. ELSA
  29. ELSA: Enterprise Log Search and Archive
     • Lets you search logs for strings, like Splunk
     • Fully asynchronous web-based query interface
     • Closely tied to Bro (now Zeek)
  30. Programs
  31. Visited IPs
  32. Search
  33. Splunk Enterprise Security
  34. Splunk Cost
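The workflow that runs through both chapters (Wireshark Limitations, Sguil's Pivot to Full Content Data, ELSA's Visited IPs) is: reduce a capture to session data first, pick the one session that matters, and only then open its full content in Wireshark. The following is an added example in plain Python (standard library only); it is not code from the slides, from Sguil, from ELSA or from Security Onion. It constructs a tiny pcap inline (the hosts, ports and payloads are made up), summarizes it into session records, lists which IPs each host visited, and writes one session's packets out as a new, Wireshark-sized pcap.

```python
"""Session data -> full content pivot (added example, not from the slides).

Everything below is stdlib only: a minimal pcap reader/writer, an
Ethernet/IPv4/TCP-or-UDP header parser, a session (5-tuple) summarizer in
the style of Bro/Zeek conn.log or Sguil session data, and a pivot that
extracts a single session into a new pcap for Wireshark.
"""
import socket
import struct
from collections import OrderedDict

# Classic pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left 0 (fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def pcap_record(ts, frame):
    """One pcap record header (ts_sec, ts_usec, incl_len, orig_len) plus the frame."""
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


# Constructed sample capture: one HTTP exchange, one TCP/53 query, one TLS hello.
SAMPLE_PCAP = PCAP_GLOBAL_HDR + b"".join([
    pcap_record(1000, build_frame("10.0.0.5", "93.184.216.34", 51000, 80, b"GET / HTTP/1.1\r\n")),
    pcap_record(1001, build_frame("93.184.216.34", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\n")),
    pcap_record(1002, build_frame("10.0.0.5", "10.0.0.53", 51001, 53, b"dns")),
    pcap_record(1003, build_frame("10.0.0.7", "198.51.100.9", 40000, 443, b"\x16\x03\x01")),
])


def parse_pcap(data):
    """Yield (timestamp, frame bytes) for each record in a little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (only little-endian classic pcap)")
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + caplen]
        off += caplen


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport) for IPv4 TCP/UDP frames, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (6, 17):
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), proto, sport, dport


def sessions(data):
    """Session data: key (orig_h, orig_p, resp_h, resp_p, proto) -> packet/byte counts.

    The host that sent the first packet is the originator; replies are
    folded into the same record, as a conn.log or Sguil session view does.
    """
    table = OrderedDict()
    for ts, frame in parse_pcap(data):
        hdr = parse_frame(frame)
        if hdr is None:
            continue
        src, dst, proto, sport, dport = hdr
        fwd, rev = (src, sport, dst, dport, proto), (dst, dport, src, sport, proto)
        rec = table.setdefault(rev if rev in table else fwd, {"pkts": 0, "bytes": 0, "first": ts})
        rec["pkts"] += 1
        rec["bytes"] += len(frame)
    return table


def visited_ips(table):
    """ELSA-style 'Visited IPs': originator host -> set of responder hosts."""
    out = {}
    for orig_h, _, resp_h, _, _ in table:
        out.setdefault(orig_h, set()).add(resp_h)
    return out


def pivot(data, key):
    """Pivot to full content: a new pcap holding both directions of one session."""
    orig_h, orig_p, resp_h, resp_p, proto = key
    want = {(orig_h, orig_p), (resp_h, resp_p)}
    out, n = bytearray(PCAP_GLOBAL_HDR), 0
    for ts, frame in parse_pcap(data):
        hdr = parse_frame(frame)
        if hdr and hdr[2] == proto and {(hdr[0], hdr[3]), (hdr[1], hdr[4])} == want:
            out += pcap_record(ts, frame)
            n += 1
    return bytes(out), n


if __name__ == "__main__":
    table = sessions(SAMPLE_PCAP)
    for key, rec in table.items():
        print(key, rec)
    http = ("10.0.0.5", 51000, "93.184.216.34", 80, 6)
    small_pcap, count = pivot(SAMPLE_PCAP, http)
    with open("session.pcap", "wb") as fh:       # open this one in Wireshark
        fh.write(small_pcap)
    print("wrote", count, "packets for", http)
```

On a real capture the same idea is what `tshark -r big.pcap -w small.pcap -Y "<filter>"` or a Sguil pivot does for you: the expensive decoding happens only on the handful of packets you already know you care about.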