Applied Network Security Monitoring

Collection, Detection, and Analysis

1st Edition - November 26, 2013

  • Authors: Chris Sanders, Jason Smith
  • Paperback ISBN: 9780124172081
  • eBook ISBN: 9780124172166

Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach to NSM, complete with dozens of real-world examples that teach you the key concepts of NSM. Network security monitoring is based on the principle that prevention eventually fails. In the current threat landscape, no matter how much you try, motivated attackers will eventually find their way into your network. At that point, it is your ability to detect and respond to that intrusion that can be the difference between a small incident and a major disaster. The book follows the three stages of the NSM cycle: collection, detection, and analysis. As you progress through each section, you will have access to insights from seasoned NSM professionals while being introduced to relevant, practical scenarios complete with sample data. If you've never performed NSM analysis, Applied Network Security Monitoring will give you an adequate grasp on the core concepts needed to become an effective analyst. If you are already a practicing analyst, this book will allow you to grow your analytic technique to make you more effective at your job.

Key Features

  • Discusses the proper methods for data collection, and teaches you how to become a skilled NSM analyst
  • Provides thorough hands-on coverage of Snort, Suricata, Bro-IDS, SiLK, and Argus
  • Loaded with practical examples containing real PCAP files you can replay, and uses Security Onion for all its lab examples
  • Companion website includes up-to-date blogs from the authors about the latest developments in NSM


Information security practitioners, network administrators, computer system administrators, IT professionals, NSM analysts, forensic analysts, incident responders, and an academic audience among information security majors.

Table of Contents

  • Dedication
  • About the Authors
    • Chris Sanders, Lead Author
    • Jason Smith, Co-Author
    • David J. Bianco, Contributing Author
    • Liam Randall, Contributing Author
  • Concepts and Approach
  • IP Address Disclaimer
  • Companion Website
  • Charitable Support
  • Contacting Us
  • Chapter 1. The Practice of Applied Network Security Monitoring
    • Key NSM Terms
    • Intrusion Detection
    • Network Security Monitoring
    • Vulnerability-Centric vs. Threat-Centric Defense
    • The NSM Cycle: Collection, Detection, and Analysis
    • Challenges to NSM
    • Defining the Analyst
    • Security Onion
  • Section 1: Collection
    • Chapter 2. Planning Data Collection
      • The Applied Collection Framework (ACF)
      • Case Scenario: Online Retailer
    • Chapter 3. The Sensor Platform
      • NSM Data Types
      • Sensor Type
      • Sensor Hardware
      • Sensor Operating System
      • Sensor Placement
      • Securing the Sensor
    • Chapter 4. Session Data
      • Flow Records
      • Collecting Session Data
      • Collecting and Analyzing Flow Data with SiLK
      • Collecting and Analyzing Flow Data with Argus
      • Session Data Storage Considerations
    • Chapter 5. Full Packet Capture Data
      • Choosing the Right FPC Collection Tool
      • Planning for FPC Collection
      • Decreasing the FPC Data Storage Burden
      • Managing FPC Data Retention
    • Chapter 6. Packet String Data
      • Defining Packet String Data
      • PSTR Data Collection
      • Viewing PSTR Data
  • Section 2: Detection
    • Chapter 7. Detection Mechanisms, Indicators of Compromise, and Signatures
      • Detection Mechanisms
      • Indicators of Compromise and Signatures
      • Managing Indicators and Signatures
      • Indicator and Signature Frameworks
    • Chapter 8. Reputation-Based Detection
      • Public Reputation Lists
      • Automating Reputation-Based Detection
    • Chapter 9. Signature-Based Detection with Snort and Suricata
      • Changing IDS Engines in Security Onion
      • Initializing Snort and Suricata for Intrusion Detection
      • Configuring Snort and Suricata
      • IDS Rules
      • Viewing Snort and Suricata Alerts
    • Chapter 10. The Bro Platform
      • Basic Bro Concepts
      • Running Bro
      • Bro Logs
      • Creating Custom Detection Tools with Bro
    • Chapter 11. Anomaly-Based Detection with Statistical Data
      • Top Talkers with SiLK
      • Service Discovery with SiLK
      • Furthering Detection with Statistics
      • Visualizing Statistics with Gnuplot
      • Visualizing Statistics with Google Charts
      • Visualizing Statistics with Afterglow
    • Chapter 12. Using Canary Honeypots for Detection
      • Canary Honeypots
      • Types of Honeypots
      • Canary Honeypot Architecture
      • Honeypot Platforms
  • Section 3: Analysis
    • Chapter 13. Packet Analysis
      • Enter the Packet
      • Packet Math
      • Dissecting Packets
      • Tcpdump for NSM Analysis
      • TShark for Packet Analysis
      • Wireshark for NSM Analysis
      • Packet Filtering
    • Chapter 14. Friendly and Threat Intelligence
      • The Intelligence Cycle for NSM
      • Generating Friendly Intelligence
      • Generating Threat Intelligence
    • Chapter 15. The Analysis Process
      • Analysis Methods
      • Analysis Best Practices
      • Incident Morbidity and Mortality
  • Appendix 1. Security Onion Control Scripts
    • High Level Commands
    • Server Control Commands
    • Sensor Control Commands
  • Appendix 2. Important Security Onion Files and Directories
    • Application Directories and Configuration Files
    • Sensor Data Directories
  • Appendix 3. Packet Headers
  • Appendix 4. Decimal / Hex / ASCII Conversion Chart

Product details

  • No. of pages: 496
  • Language: English
  • Copyright: © Syngress 2013
  • Published: November 26, 2013
  • Imprint: Syngress
  • Paperback ISBN: 9780124172081
  • eBook ISBN: 9780124172166

About the Authors

Chris Sanders

Chris Sanders is a technology consultant, author, and trainer. Chris serves as senior information security analyst for the Department of Defense as contracted through EWA Government Systems, Inc. In this role Chris is responsible for managing a team of intrusion detection system analysts examining public and classified networks. His book Practical Packet Analysis is widely respected as one of the best practical-use books on its topic and has sold several thousand copies internationally. Along with this, Chris has written and co-written hundreds of articles on topics centered on network security, packet analysis, intrusion detection, and general network administration. Chris also serves as a SANS mentor, training students on intrusion detection in-depth and incident handling.

In 2008, Chris founded the Rural Technology Fund. The RTF is a 501(c)(3) non-profit organization designed to provide scholarship opportunities to students from rural areas pursuing careers in computer technology. The organization also promotes technology advocacy in rural areas through various support programs.

You can read more about Chris on his personal blog located at where he posts information regarding his latest projects as well as various technical articles and product reviews.

Affiliations and Expertise

Senior Information Security Analyst at the DoD, Trainer, and Author

Jason Smith

Ratings and Reviews

  • SantiagoGimenez O. Sat Oct 27 2018

    Great book on important subject

    This book covers the most important topics within network security monitoring. Its concepts are easy to understand and relevant to the field.