Network Security Monitoring

🔥 Vibe Prompt

"Set up network monitoring: Zeek (Bro), Suricata, and Security Onion."

Zeek (formerly Bro)

# Install
sudo apt install zeek

# Config: /opt/zeek/etc/node.cfg
[zeek]
type = standalone
interface = eth0

# Default scripts cover:
# - HTTP, DNS, SSL, SMTP, SSH, FTP (one log per protocol, e.g. http.log, dns.log)
# - conn.log (every connection, all protocols)
# - files.log (files seen over HTTP, SMTP, etc.; writing them to disk needs file extraction enabled)

# Run
zeekctl deploy

Zeek Log Analysis

# Top talkers (by connection count)
cat conn.log | zeek-cut id.orig_h | sort | uniq -c | sort -nr | head -10

# Detect scanning: hosts that touch more than 100 distinct TCP destination ports
# (zeek-cut emits tab-separated columns, so split on tabs, not on spaces)
cat conn.log | zeek-cut id.orig_h id.resp_p proto | \
  awk -F'\t' '$3 == "tcp" {print $1 "\t" $2}' | sort -u | cut -f1 | \
  uniq -c | awk '$1 > 100' | sort -rn

# SSL certificate anomalies: ssl.log stores the certificate as "subject" and "issuer"
# (there is no cert_subject field); drop the common public CAs to surface the rest
cat ssl.log | zeek-cut server_name subject issuer | \
  grep -vi "Let's Encrypt" | grep -vi "Cloudflare"

Suricata IDS/IPS

# Install and configure
sudo apt install suricata

# Download Emerging Threats Open rules (refresh the source index, enable et/open, fetch)
sudo suricata-update update-sources
sudo suricata-update enable-source et/open
sudo suricata-update

# Run
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

# Check alerts
tail -f /var/log/suricata/fast.log
# 05/15/2024-14:32:10.123456  [**] [1:2024210:3] ET EXPLOIT Apache Log4j RCE [**]
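A small parser for the one-alert-per-line fast.log format shown above, as an added example that is not code from the page or from the Suricata project. It turns each line into a record so alerts can be grouped by signature and filtered by priority, and it keeps lines it cannot parse instead of silently dropping them. The sample lines are constructed: the sid 2024210 / "ET EXPLOIT Apache Log4j RCE" pair is the one the page shows, the classification text and addresses around it are assumed, and sid 9000001 is a placeholder in the local-rule range. The regex assumes IPv4 endpoints.

```python
"""Parse Suricata fast.log alerts into structured records.

Added example (not from the page or the Suricata project). Parses the
one-line-per-alert fast.log format so alerts can be grouped by signature
and filtered by priority. Sample lines are constructed; sid 9000001 is a
placeholder in the local-rule range. IPv4 endpoints only (assumption).
"""
import re
from collections import Counter

# Constructed fast.log excerpt plus one corrupt line to exercise the error path.
FAST_LOG = """\
05/15/2024-14:32:10.123456  [**] [1:2024210:3] ET EXPLOIT Apache Log4j RCE [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:44123 -> 10.0.0.9:8080
05/15/2024-14:32:11.000001  [**] [1:9000001:1] LOCAL placeholder rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 10.0.0.5:53311 -> 10.0.0.2:53
05/15/2024-14:32:12.000002  [**] [1:2024210:3] ET EXPLOIT Apache Log4j RCE [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:44124 -> 10.0.0.9:8080
this line was truncated by a log rotation
"""

# ts  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"  # optional: rule may lack a classtype
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)\s*$"
)


def parse_fast_log(text):
    """Return (alerts, malformed): parsed dicts and the raw lines that did not match."""
    alerts, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if not m:
            malformed.append(line)  # never drop evidence silently
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts, malformed


def high_priority(alerts, max_priority=1):
    """Alerts at or above the given priority (in Suricata, 1 is the most severe)."""
    return [a for a in alerts if a["priority"] <= max_priority]


def alerts_by_signature(alerts):
    """Counter keyed by (sid, msg): the grouping a triage view usually starts from."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def targets_for_signature(alerts, sid):
    """Distinct (dst_ip, dst_port) pairs hit by one signature, sorted."""
    return sorted({(a["dst_ip"], a["dst_port"]) for a in alerts if a["sid"] == sid})


if __name__ == "__main__":
    found, bad = parse_fast_log(FAST_LOG)
    for (sid, msg), n in alerts_by_signature(found).most_common():
        print(f"{n:>4}  sid {sid}  {msg}")
    print("priority-1 alerts:", len(high_priority(found)), "| malformed lines:", len(bad))
```

For production use, Suricata's eve.json output is easier to parse than fast.log (one JSON object per event), but fast.log is what the page tails, and the same grouping and priority filters apply to either.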

Security Onion (Full Platform)

# Boot ISO → follow wizard
# Automatically sets up:
# - Zeek (network logs)
# - Suricata (IDS alerts)
# - Elasticsearch + Kibana (visualization)
# - TheHive (incident management)
# - Playbooks (automated response)

sudo so-status
# Shows all running services

Key Metrics to Monitor

| Metric | Tool | Alert |
|--------|------|-------|
| New connections/sec | Zeek | >10000/s |
| DNS queries (unique) | Zeek | >1000/min |
| TLS certificate age | Zeek | <30 days |
| IDS alerts | Suricata | Any |
| Scan detection | Zeek | >100 ports/host |
| DNS tunneling | Zeek | High entropy domains |
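The "Detect scanning" one-liner in the Zeek log analysis section and the "Scan detection" and "DNS tunneling" rows of the table above both come down to the same thing: read Zeek's tab-separated logs, group by originating host, and compare against a threshold. The following added example (not code from the page or from the Zeek project) does that as a small parser so the logic can be tested: it reads the `#fields` header, counts distinct TCP destination ports per source host, and scores the entropy of the subdomain part of each DNS query. The conn.log and dns.log excerpts are constructed samples, the thresholds are the page's figures rather than Zeek defaults, and the assumption that the registered domain is the last two labels is a simplification.

```python
"""Scan and DNS-tunnelling heuristics over Zeek TSV logs.

Added example (not from the page or the Zeek project). Implements the page's
conn.log one-liners and the ">100 ports/host" and "high entropy domains"
metrics as a testable parser. Log excerpts are constructed; thresholds are
the page's figures, not Zeek defaults.
"""
import math
from collections import Counter, defaultdict

# Constructed conn.log: 10.0.0.5 touches 150 distinct TCP ports on 10.0.0.9,
# 10.0.0.7 makes one HTTPS connection. Header trimmed to the needed columns.
CONN_LOG = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
    + "".join(
        f"1715783530.{i:06d}\tCscan{i:06x}\t10.0.0.5\t{40000 + i}\t10.0.0.9\t{i}\ttcp\n"
        for i in range(1, 151)
    )
    + "1715783531.000000\tCweb000001\t10.0.0.7\t50123\t10.0.0.9\t443\ttcp\n"
    + "#close\t2024-05-15-14-32-11\n"
)

# Constructed dns.log: two ordinary lookups and one TXT query whose leftmost
# label is a 32-character hex blob, the shape that DNS tunnels produce.
DNS_LOG = (
    "#separator \\x09\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\n"
    "1715783530.1\tCdns000001\t10.0.0.5\t5353\t10.0.0.2\t53\tudp\twww.example.com\tA\n"
    "1715783530.2\tCdns000002\t10.0.0.7\t5353\t10.0.0.2\t53\tudp\tmail.example.com\tMX\n"
    "1715783530.3\tCdns000003\t10.0.0.8\t5353\t10.0.0.2\t53\tudp\t"
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example\tTXT\n"
)


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the #fields header; '-' (unset) -> None."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close etc. carry no records
        if fields is None:
            raise ValueError("record before #fields header")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}


def top_talkers(conn_text, n=10):
    """Busiest originators by connection count (the page's first one-liner)."""
    return Counter(r["id.orig_h"] for r in parse_zeek_log(conn_text)).most_common(n)


def port_scanners(conn_text, threshold=100):
    """{orig_h: distinct TCP destination ports} for hosts above the threshold.
    Distinct ports are counted, not raw connections, so a chatty client
    hitting one service thousands of times is not mistaken for a scanner."""
    ports = defaultdict(set)
    for r in parse_zeek_log(conn_text):
        if r.get("proto") == "tcp":
            ports[r["id.orig_h"]].add(r["id.resp_p"])
    return {h: len(p) for h, p in ports.items() if len(p) > threshold}


def shannon_entropy(s):
    """Bits per character; 32 uniformly distributed hex digits score exactly 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def high_entropy_queries(dns_text, min_entropy=3.5, min_len=20):
    """(query, entropy) for queries whose subdomain part looks like encoded data.
    Entropy is measured on the labels left of the registered domain (assumed
    here to be the last two labels), since that is the part a tunnel controls."""
    hits = []
    for r in parse_zeek_log(dns_text):
        q = r.get("query")
        if not q:
            continue
        sub = "".join(q.lower().split(".")[:-2])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            hits.append((q, shannon_entropy(sub)))
    return hits


if __name__ == "__main__":
    print("top talkers:", top_talkers(CONN_LOG, 3))
    print("port scanners:", port_scanners(CONN_LOG))
    print("suspicious DNS:", high_entropy_queries(DNS_LOG))
```

Run it against real logs by reading `conn.log` and `dns.log` from Zeek's current log directory into the two string arguments; the `min_len` floor keeps short, legitimately random-looking labels such as CDN hostnames from tripping the entropy check, and the threshold values are meant to be tuned per network.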

SIEM Integration

Zeek + Suricata → Logstash → Elasticsearch → Kibana (ELK)
                                            ↓
                                     Security Analyst

Network Security Course Complete! 🎉

  • ✅ Network Segmentation
  • ✅ Firewall & IDS/IPS
  • ✅ VPN & Remote Access
  • ✅ DDoS Protection
  • ✅ Monitoring

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials

Why learn network monitoring and traffic analysis?

Network monitoring and traffic analysis is one of the core chapters of the security-network course.

In the real world

Network monitoring and traffic analysis is not textbook theory: it comes up constantly in real software development. Whether you are doing freelance work, preparing for interviews, or looking to deepen your technical skills, understanding this topic will benefit you directly.

What you will gain from this chapter

  • 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
  • 💻 Runnable code: every code segment is complete and can be executed directly
  • 🔍 Debugging tips: analysis of common errors and their solutions
  • 🚀 Next-step guidance: where to go deeper after finishing this chapter

Leading into the next chapter

This chapter has built a complete foundation in network monitoring and traffic analysis. The next chapter builds on it to explore more advanced real-world application scenarios, where you will learn to apply what you learned here to more complex problems.

Unlock the full tutorial content

This chapter is paid content. Join the project to unlock over 5000 words of in-depth analysis, including more than 10 god-tier prompts and real source code examples!