Network Security Monitoring
🔥 Vibe Prompt
"Set up network monitoring: Zeek (Bro), Suricata, and Security Onion."
Zeek (formerly Bro)
```bash
# Install (the zeek package comes from Zeek's own repository on the
# openSUSE Build Service; it is not in the stock Debian/Ubuntu archives)
sudo apt install zeek

# Config: /opt/zeek/etc/node.cfg
# [zeek]
# type = standalone
# interface = eth0

# Default scripts produce logs for:
# - HTTP, DNS, SSL/TLS, SMTP, SSH, FTP
# - conn.log (every connection, all protocols)
# - files.log (files seen in HTTP, SMTP and other carriers)

# Run (reads node.cfg, installs the scripts, starts the workers)
zeekctl deploy
```
Zeek Log Analysis
```bash
# Top talkers (by connection count); zeek-cut output is tab-separated
zeek-cut id.orig_h < conn.log | sort | uniq -c | sort -nr | head -10

# Detect scanning: hosts that touched more than 100 distinct TCP destination
# ports (count distinct orig_h/resp_p pairs, not raw connections)
zeek-cut id.orig_h id.resp_p proto < conn.log | \
  awk -F'\t' '$3 == "tcp" {print $1 "\t" $2}' | sort -u | \
  cut -f1 | sort | uniq -c | awk '$1 > 100' | sort -rn

# SSL certificate anomalies: ssl.log names the fields subject and issuer
# (there is no cert_subject); filter on the issuer to drop the common CAs
zeek-cut server_name subject issuer < ssl.log | \
  grep -v "Let's Encrypt" | grep -vi "cloudflare"
```
Suricata IDS/IPS
```bash
# Install and configure
sudo apt install suricata

# Download Emerging Threats rules (suricata-update enables the free et/open
# source by default; refresh the source index first)
sudo suricata-update update-sources
sudo suricata-update enable-source et/open
sudo suricata-update

# Run (IDS mode, sniffing eth0)
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

# Check alerts (one line per alert; eve.json carries the same events as JSON)
tail -f /var/log/suricata/fast.log
# 05/15/2024-14:32:10.123456 [**] [1:2024210:3] ET EXPLOIT Apache Log4j RCE [**]
```
Security Onion (Full Platform)
```bash
# Boot the ISO and follow the setup wizard.
# The installer automatically sets up:
# - Zeek (network logs)
# - Suricata (IDS alerts)
# - Elasticsearch + Kibana (visualization)
# - TheHive (incident management)
# - Playbooks (automated response)

# Show the status of all running services (containers)
sudo so-status
```
Key Metrics to Monitor
| Metric | Tool | Alert threshold |
|--------|------|-----------------|
| New connections/sec | Zeek | >10000/s |
| DNS queries (unique) | Zeek | >1000/min |
| TLS certificate age | Zeek | <30 days |
| IDS alerts | Suricata | Any |
| Scan detection | Zeek | >100 ports/host |
| DNS tunneling | Zeek | High-entropy domains |
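The scan-detection and DNS-tunneling rows of the table, worked in Python over Zeek's TSV log format (an added example, not Zeek's own tooling or part of this course; the conn.log and dns.log excerpts, hosts and thresholds are constructed):

```python
import math
from collections import defaultdict

# Constructed conn.log excerpt: 10.0.0.5 probes ports 1-12, 10.0.0.7 talks normally.
CONN_LOG = "#separator \\x09\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
CONN_LOG += "".join(f"1715783530.{i}\tC{i}\t10.0.0.5\t4{i:04d}\t10.0.0.9\t{i}\ttcp\n" for i in range(1, 13))
CONN_LOG += "1715783531.0\tC99\t10.0.0.7\t50000\t10.0.0.9\t443\ttcp\n"
CONN_LOG += "1715783532.0\tC98\t10.0.0.7\t50001\t10.0.0.9\t443\ttcp\n#close\t2024-05-15-14-32-10\n"

# Constructed dns.log excerpt: two ordinary names and one tunnel-like label.
DNS_LOG = ("#fields\tts\tuid\tid.orig_h\tquery\n"
           "1715783530.0\tD1\t10.0.0.7\twww.example.com\n"
           "1715783530.5\tD2\t10.0.0.7\tmail.example.com\n"
           "1715783531.0\tD3\t10.0.0.5\tq4xz9kp2vb7tn3wm8hd6ry5jl0fc1ga.example.com\n")

def parse_zeek_log(text):
    """One dict per record; '#fields' names the columns, the other '#' lines
    (separator, types, close) are header/footer metadata and are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def find_scanners(conn_records, threshold=100):
    """Hosts whose TCP flows touched more than `threshold` distinct destination
    ports (the '>100 ports/host' rule): counts ports, not connections."""
    ports = defaultdict(set)
    for r in conn_records:
        if r["proto"] == "tcp":
            ports[r["id.orig_h"]].add(r["id.resp_p"])
    return {h: len(p) for h, p in ports.items() if len(p) > threshold}

def shannon_entropy(s):
    """Bits per character; random-looking tunnel payload labels score high."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s))
                for c in (s.count(ch) for ch in set(s)))

def find_high_entropy_queries(dns_records, min_entropy=3.5):
    """Queries whose leftmost label exceeds the entropy threshold."""
    return [r["query"] for r in dns_records
            if shannon_entropy(r["query"].split(".")[0]) > min_entropy]
```

With the production threshold of 100 the small sample flags nothing; lowering it to 10 flags the probing host, which is the knob to tune against your own baseline.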
SIEM Integration
```text
Zeek + Suricata → Logstash → Elasticsearch → Kibana (ELK)
                                                  ↓
                                           Security Analyst
```
Network Security Course Complete! 🎉
- ✅ Network Segmentation
- ✅ Firewall & IDS/IPS
- ✅ VPN & Remote Access
- ✅ DDoS Protection
- ✅ Monitoring
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
Network Monitoring: The Security Threats You Cannot See
Attackers may already be inside your network; you need monitoring tools to spot anomalous behaviour.
Monitoring Tools
| Tool | Function |
|:----|:----|
| Wireshark | Packet-level analysis |
| Zeek (Bro) | Network traffic analysis framework |
| Snort/Suricata | Intrusion detection system (IDS) |
| ELK Stack | Log analysis and visualization |
Course Summary
This network security course went from core concepts through firewalls/IDS, VPN and WAF to monitoring; you can now design a multi-layered enterprise network architecture.