Applied Network Security Monitoring: Collection, Detection, and Analysis

1st Edition
496
English
0124172083
9780124172081
18 Dec
Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach, complete with real-world examples that teach you the key concepts of NSM. 

Network security monitoring is based on the principle that prevention eventually fails. In the current threat landscape, no matter how much you try, motivated attackers will eventually find their way into your network. At that point, your ability to detect and respond to that intrusion can be the difference between a small incident and a major disaster.

The book follows the three stages of the NSM cycle: collection, detection, and analysis. As you progress through each section, you will have access to insights from seasoned NSM professionals while being introduced to relevant, practical knowledge that you can apply immediately.

  • Discusses the proper methods for planning and executing an NSM data collection strategy
  • Provides thorough hands-on coverage of Snort, Suricata, Bro-IDS, SiLK, PRADS, and more
  • The first book to define multiple analysis frameworks that can be used for performing NSM investigations in a structured and systematic manner
  • Loaded with practical examples that make use of the Security Onion Linux distribution
  • Companion website includes up-to-date blogs from the authors about the latest developments in NSM, complete with supplementary book materials
If you've never performed NSM analysis, Applied Network Security Monitoring will help you grasp the core concepts needed to become an effective analyst. If you are already working in an analysis role, this book will allow you to refine your analytic technique and increase your effectiveness.

You will get caught off guard, you will be blind sided, and sometimes you will lose the fight to prevent attackers from accessing your network. This book is about equipping you with the right tools for collecting the data you need, detecting malicious activity, and performing the analysis that will help you understand the nature of an intrusion. Although prevention can eventually fail, NSM doesn't have to.

** Note: All author royalties from the sale of Applied NSM are being donated to a number of charities selected by the authors.

Reviews (48)

Great book on defensive security

I just finished this, my first "blue team" read. I don't have anything to compare it to but, man -- I feel like everything I need to know is in it. It starts from the beginning and ends at the end and seems to tell you everything you need to know along the way. It's almost like a reference book. Find the subject you're looking for and it will tell you everything you need to know to start searching online for help with your particulars. It's not a fun read, but it's thorough and very readable. Recommended read for whatever reason you're looking at defensive security.

I can tell it's a good book, however

I can tell it's a good book, however, not friendly to beginners. Very early on in the book it states that it doesn't teach networking basics. Should've known better, but definitely not downgrading the book! Just a personal mistake that I made and I don't want you to do the same!

Must Have For Network Security Monitors

Chris Sanders knows his stuff. This is by far one of the best books I've read on this subject. Very thorough and in-depth yet presented in a way that makes it easy to grasp the material. You will have a firm grasp of network security monitoring after reading this book.

Great book, highly recommended, a little long winded

The good: Applied NSM is a good book to read to learn about this topic. The author knows his stuff, and he's a pretty good teacher. Technical terms are defined before they're used, so you won't get lost. Everything is approached step-by-step, you won't run into the Draw An Owl Meme (google it) problem. Also the text is comprehensive, important topics are not left out.

Who the book is written for: I'm a network administrator with over a decade of experience, I manage a decent sized network by myself, and wanted more knowledge about this area of network security. The book is more aimed at, "I have a beginner's level knowledge of networks and I want to get hired somewhere where my job title is 'Network Security Analyst'." So the explanations are woven with the thread of a team in mind, but not in a way that detracts from your ability to learn if you're a lone wolf.

The bad: I wish I could give the book 4.5 stars. The only problem I ran into is that for my taste, which is borne out of decades of reading technical documentation, the author is a bit long winded. It's not terse enough. Explanations that could be offered in one short sentence are drawn out into a paragraph. I suppose this is good if you're a complete beginner, but it made the text a bit of a slog for me, and I found myself skipping first paragraphs and then pages. For example, suppose I wanted to communicate to you this brief and technical point: "The lsof command prints a list of open files, the -i argument lists network connections." The author would render that into this: "Various commands are able to display the current status of the computer. From time to time, users may want the ability to view which files on the computer are open and which files are not. Fortunately, the computer provides a tool that is able to do this. If you want to view open files on the computer, for example, you can use the lsof command, which is typed into your terminal. The lsof command provides various options as well in order to change its output. For example, -i is one of the available options. -i allows lsof to view the activity of the network interface in the form of active and listening connections."

Overall, though, if you're a beginner and you want knowledge on this topic, this book will give it to you.

An excellent foundational book covering the essentials

Most enterprises split (as covered in the book) NSM into tiers up to three. This book will assist anyone just getting in the field and help with foundational processes to unlock tier 2. Coverage of monitoring tools is spot on and does a decent job of proposing monitoring strategies. The book recommends good habits such as keeping an analyst journal and takes the perspective of an operator in the trenches. Would have liked to read about some novel approaches that leverage monitoring or techniques to automate the most routine tasks, but overall the book is an excellent desktop reference and guidance to NSM by analysts, for analysts.

Highly recommended.

This is the book that started it all for me. If you are an MSSP and you are trying to get the hang of the whole security thing, this book is for you. While the content is somewhat outdated, this book teaches you how to think and how to get your SOC going. Highly recommended.

A must read for everyone working (or planning to work) ...

A must read for everyone working (or planning to work) to protect an operational network. Filled with practical advice in building fundamental skills and solutions in environments with constrained budgets.

Chris and Team have created an excellent and quality NSM source!

Highly recommended! Applied NSM should be on every security professional's bookshelf. Not only does it cover effective security monitoring methodologies and best practices, but it also walks you through tool selection, installation, configuration, and maintenance. Overall, the book is very well written and carefully articulated; it almost leaves you without having to question or second guess the information provided. It just makes sense!

Great book on Network Security Monitoring

Disclaimers: I'm a long time NSM practitioner and I work with Smith & Bianco. Chris was gracious enough to provide me with a PDF copy of the book for review.

- - - -

Applied NSM is a powerhouse of practitioner knowledge. Divided into three primary sections (Collection, Detection, & Analysis) ANSM focuses on the key staples necessary for establishing a successful NSM program and how to get up and running. The book weighs in at an impressive 465 pages (including appendixes). However, depending on the reader's familiarity with NSM and exposure to other related works on the subject, there could be some overlap. The areas I found most valuable that contributed new concepts to my "NSM library" included:

  • Chapter 2's discussion on the Applied Collection Framework
  • Chapter 4's coverage of SiLK for analysis of flow data
  • Chapter 6's coverage of LogStash and Kibana
  • Chapter 10's coverage on Bro
  • Chapter 11's coverage on Anomaly based detection via SiLK tools

Appendix 3 makes for a handy desk side reference if you work with raw packet captures on a daily basis. For these sections alone, ANSM makes it well worth the purchase and addition to your collection. Speaking of which, all of the proceeds from this book go to several charities, and after having initially reviewed it for free, I still decided to purchase a copy on Kindle to have as a desk side reference and support such great causes. Great job guys!

For Network Gurus

I purchased this book as part of a high level network monitoring project that I am working on within the Healthcare sector. This book was outstanding; if you want to learn about collection, detection and analysis of applied network security monitoring, this is the book for you. The content was outstanding. However, I do have some advance warning for readers. Please understand the basic dynamics of networking. This means please know the following: Microsoft products, Cisco products, etc. All the key important things a System Admin or Network Admin should already know. Please understand how to segment a network. Overall I found this book outstanding; I started reading the book when I received it. I am halfway through the book, and thus far I like what I am reading. Great job.

Great book for all levels

Solid book for anyone who wants to build a network security program.

The Author knows his stuff!

This book has everything you need! Every tool, every code example. I wish I could get a PDF copy!

Loved the chapter on Bro IDS

I got this book a while ago and read the first couple of chapters and thought it was too easy, abstract and non-technical. I assumed everything in this book is like that and boy, was I wrong. I actually read this book after I failed two incident response interviews and I realized that if only I had read this before I might have done better on the interviews. I'm not saying I could have got the job but I could have failed less miserably. Overall a really good book for people who have basic networking knowledge and know some hex and binary to do some packet analysis. If you are familiar with some packet capture tools or even NIDS that's an added advantage. If you are not familiar with computer networking then I would strongly suggest reading a networking book before you read this book, otherwise you will be lost. P.S. I really loved the chapter on Bro IDS.

A must read book for anyone doing NSM or SOC work!

If you are currently practicing network security monitoring or considering getting in to this field you should read this book. The depth and breadth of this text walks you through the establishment of an NSM capability through the staffing of a SOC and the processes one should consider implementing to run a successful NSM practice. All the examples in the text are accompanied by a practical demonstration utilizing Security Onion, which is a self contained NSM environment which has been successfully implemented in numerous enterprises. The book covers the technical aspects of NSM without sacrificing the management aspect of running an NSM. Additionally, incident responders will also find value in this text. It includes topics related to post event log analysis as well as the use of netflow data in the day to day operation of NSM. If you practice NSM, manage a SOC or are just curious, this is the book to read.

Written by Analysts for Analysts.

Here's what you need to know about Applied NSM.

1. It's an amazingly easy read. Those of us who have ever been forced into digesting anything ever published by Cisco Press know easy to read textbooks are diamonds in the rough. It's clear the authors of Applied NSM went to great lengths to be as technically thorough as possible while maintaining an easy, entertaining and conversational tone throughout the book. It's the anti "Makes Me Want To Bash My Face Into My Desk Just To Stay Awake" book.

2. The right tool for the job but... The goal of any analyst is simple but crucial, find evil by any means necessary. To that end you need better weapons than your adversary. In this book Security Onion is your arsenal and the authors perform a deep dive into all the wonderful toys Security Onion has to offer. The tools listed within the pages of this book are your ticket to a better way to find the badness lurking on your clients' network. That being said...

3. ...tools alone will not save you and the authors know it. Of all the weapons at your disposal in the never-ending hunt for evil, unequivocally the most important is that big spongy thing between your ears. This book isn't just a stack of man pages with a fancy cover thrown on, it provides valuable insight and guidance to aid your own unique thought process and hunting style. On that topic, a special note...

4. Get your mind right. Chapter 15 "The Analysis Process" should be required reading for both every newbie working in a SOC and every jaded veteran. This chapter could be its own book and if I have any complaint about Applied NSM it's that this chapter wasn't long enough for me. It's so absolutely crucial I recommend you read it first, then read it again. If you buy the book for no other reason, buy it for Chapter 15.

So that's it, whether you're a n00b looking to find his footing in this industry or a battle tested warrior looking for new ways to catch the bad guys, Applied Network Security Monitoring is an absolute must have. Good hunting!

Well written technical book

Well written.

Solid foundation for any NSM analyst

I've been doing NSM on/off for the past 2-3 years, and about 50% of the material in this book was new to me. Gives a solid foundation to just about every aspect of NSM; to anyone looking to start in this field, or if you're already in it, I would recommend this book. A few mistakes here and there, but nothing you can't read past.

Easy to read and good coverage

Very easy to read and follow. Tools are covered in detail with good examples. The analysis section is good but I would have liked more. Would recommend to friends working in a SOC.

Great book, finally a technical book that will NOT put you to sleep!

One of the most attention holding technical books I have ever read. Would recommend getting another book from this guy. It's not just the how-tos and technical stuff, but goes into detail on the hows and whys of your tools and various network topographies in relation to optimal monitoring. Also covers things from a management perspective and how to justify the tools, placement and other factors in planning your NSM course of action.

Great addition to my arsenal......

I have been looking for some reference material to help me with the ins and outs of security monitoring. Great book, easy read. Although I wouldn't recommend it for the IT beginner, as some practical hands-on experience would be required for the type of work that is outlined. I would recommend it for anyone supporting or even contemplating an NSM solution. Chris....great job! I like the technical level of your writing; it keeps the reader engaged and doesn't put me to sleep. C.Will

Great product! This is something that quality is a must and it was provided. Will buy again! Right price, fast service!

Five Stars

Book is brand new like the seller described it. No bends/dirt or anything.

Luv this book.

This book is great it gets you up and running on some great concepts, Seller was awesome to deal with.

Five Stars

Good book, easy read and very informative!

Good reference book for Analysts

Covers some of the open source tools essential for analysis. Suggest this book to anyone who is moving on to an Analyst role.

Five Stars

Great book to reference

Well worth your time

Some of Applied Network Security Monitoring will be very familiar to anyone who has read any other security book–I've read many times that risk equals impact times probability. Every book on this topic needs this information, however, and Sanders and company cover it in sufficient detail to ground a probie while letting the rest of us easily skim it as a refresher. Then they take us through selecting data collection points and how they make decisions on where to collect data and what kind of data to collect. Ideally, of course, you collect full packet data everywhere, but in my semi-rural gigabit ISP world I don't have enough electricity to spin that much disk. Where can you get by with session data, and where do you need full packet capture? ANSM takes you through the choices and the advantages and disadvantages of each, along with some guidance on the hardware needs.

Data is nice, but it's what you do with the data that makes security analysis interesting. ANSM uses Security Onion as an underlying toolkit. Security Onion is huge, and contains myriad tools for any given purpose. There are reasons for this–no one NSM tool is a perfect fit for all environments. ANSM chooses their preferred tools, such as Snort, Bro, and SiLK, and takes you through configuring and using them on the SO platform. Their choices give you honeypots and log management and all the functionality you expect.

Throughout the book you'll find business and tactical advice. How do you organize a security team? How do you foster teamwork, retain staff, and deal with arrogant dweebs such as yours truly? (As an aside, ANSM contains the kindest and most business-driven description of the "give the arrogant guy enough rope to hang himself" tactic that I have ever read.) I've been working with the business side of IT for decades now, and ANSM taught me new tricks.

The part of the book that I found most interesting was the section on analysis. What is analysis, anyway? ANSM takes you through both differential analysis and relational analysis, and illustrates them with actual scenarios, actual data. Apparently I'm a big fan of differential diagnosis. I use it everywhere. For every problem. Fortunately, Sanders and crew include guidelines for when to try each type of analysis. I'll have to try this "relational analysis" thing some time and see what happens. Another interesting thing about ANSM is how it draws in lots of knowledge and examples from the medical field. Concepts like morbidity and mortality are very applicable to information technology in general, not just network security monitoring, and adding this makes the book both more useful and more interesting.

Applied Network Security Monitoring is a solid overview of the state of security analysis in 2014, and was well worth my time to read. It's worth your time as well.

Should be read by anyone starting or involved in network security monitoring!

Another outstanding PRACTICAL approach by Chris Sanders, accompanied by Jason Smith this round. This book should be required reading for all intrusion analysts and those looking to develop a security monitoring program. The ACF mentioned in the book should be the standard for building a data collection architecture in my opinion. Organizations use the "everything and the kitchen sink" approach all too often (like let's throw everything into Arcsight) without looking at what they should really be collecting and defining out the results that should be achieved. I am also a strong believer and practitioner of the Threat Centric approach mentioned in the book. It seems the industry is turning in that direction and seeing threats for what they are instead of each falling into a neat category. It's the right approach and this book applies it in a practical manner that makes sense.

A comprehensive must-read for budding and experienced security practitioners

I've worked in the network security field for just shy of a decade now, and have supported three Network Security Monitoring operations since I first delved into the world of malicious packets and naive users. I really could've benefited from a book like this when I was still getting my feet wet. This book really is comprehensive - covering everything from relevant detection mechanisms that you're likely to find in any NSM environment to in-depth packet analysis at the byte level. Various tools are discussed and plenty of examples are given showing how to properly use them. If you've worked for a DOD SOC, you're likely to recognize some of the best practices espoused in the book; Sanders also takes some time to go into some DOD-specific nomenclature and classifications (think CJCSM 6510)--useful if you're a DOD cyber-warrior. As in his other book, Practical Packet Analysis, Sanders' tone is warm and engaging--which really helps when dealing with dry or headache-inducing topics such as analyzing session data with SiLK or converting hexadecimal to binary and decimal. I would recommend this book to anyone looking to either improve their own NSM skillset, or to someone in the process of standing up a Network Security Monitoring team.

Excellent guide for starting and expanding a Network Security Practice.

Great book! If you are totally new to the practice of NSM then all you need to get set up, capture some data and start doing some analysis is in here. If you are already doing some NSM work, then this will help you extend and expand into new areas. The authors focus on open source / free programs and utilities, so the only cost to start an IDS is some hardware and your time. I have been doing security for a while, but not much focused intrusion detection before my current position. This book really helped "fill in the gaps" in my knowledge of NSM and gave me a push in the right direction as far as using SiLK and a couple of the other tools. There is more than enough info to get started, but not too much that would be overly specific to a given setup, so it is still up to you to do a bit of research and dig deeper into the areas that the book introduces that you might want to use in your day to day work. You do need to have the basics of networking, security and TCP/UDP/IP down first, but they do a good job starting slow and building up. I read through the book pretty quickly to pick up the areas I want to work in more, and will continue to use it as a reference in my work.

Great book for novice and experienced information security persons

I chose five stars because I believe the book provides junior and novice SOC personnel alike a well-rounded understanding of information security monitoring. Applied NSM provides background to adversarial motivations by identifying and mitigating threats that malicious actors may pose to an organization. I enjoyed the examples that are provided in order to drive home points that the authors convey. While providing a number of solutions to help shorten the kill-chain, the authors also explain some of the challenges that SOCs often see, whether personnel, technological and/or financial. While a small portion of the book is dedicated to the overall SOC program, the authors provide feedback that can be helpful for technical and leadership alike. The authors do a good job of providing a holistic view of SOC operations in order to help analysts understand how all of the components should come together. While shiny tools can make quick work of identifying potential threats, it does not do the analyst good if they cannot understand why. This book helps to fill the capability gap with use of open-source tool examples in order to help provide the reader a better understanding of how the wheels spin. The authors cover a large amount of detail for setting up NSM systems, from PF-RING to data storage and retention. Lastly, I appreciate the inclusion of network flow, packet-string, and PCAP topics; the authors do a great job describing SiLK. Often organizations dismiss the capability and economics of netflow data. From an example perspective, Security Onion is their platform of choice, but the authors include a number of useful tool alternatives such as LogStash that may not exist in or complement those in prebuilt distributions.

Surprisingly Good Book

I was expecting this book to be pure torture. This is a rather dry subject but somehow the authors have managed to write a really great book. It's really very impressive. The area of Network Security Monitoring is vast and the learning curve very steep for anybody new to the field but this book is a great help. Chris is clearly a very capable analyst as well as a talented technical educator. I am about 50% through the book but I have learned a lot. Needs to be read in conjunction with Richard Bejtlich's book on the same subject but I have to recognize this book as the better of the two.

Great book overall

As someone looking to make a career shift into network security, I found this to be a great book. The book is well written, and the author, Chris Sanders, presents the material in a way that makes it easy to grasp and understand. So, why 4 stars and not 5? There were several typos throughout the book, including a couple that had me flipping back a few pages just to make sure I read the material correctly.

Great introductory text to NSM

Update: I was contacted by the authors who were very kind and receptive to my review. Mistakes and all will be documented at [...] w w w dot applied nsm dot com forward-slash errata. Also, note that 100% of author royalties will go to charity.

--

I'm dividing this review into sections which focus on the good, the bad, and the potential improvements. For brevity and time I will comment with a simple sentence or two and then provide examples to justify my claims. I will preface my review by saying that I've read just about all, if not all, NSM books on the market, and I work with many of these tools daily.

The Good:
1. Easy to read and clear.
2. Many tools are covered here that are rarely mentioned at all in other NSM books, e.g. CIF, SiLK, Bro, Justniffer, Netsniff-NG.
3. The section on writing Snort rules was very good, with detailed examples of keywords and modifiers.
4. At the time of writing, the best coverage of Bro available in a book. Highlights:
   - Adding fields to logs
   - Taking advantage of intelligence data with the Intel Framework
   - Using the File Analysis framework, e.g. extracting and writing files to disk
   - Working with the Notice framework, including an explanation of hooks
5. The SiLK chapter was very good because it provides a large number of useful query examples that can be applied to your network with little modification. Also, the addition of a few graphing and plotting examples was novel.
6. The packet math section in the Packet Analysis chapter is something every good introductory NSM book should have and most, if not all, are lacking.
7. Easy to follow along with SecurityOnion, and where the tools are not included in the distribution, e.g. SiLK, a how-to for installing them is given.

The Bad:
Some grammar mistakes and typos.
Pg. 55 - Last paragraph, comma aligned incorrectly: "The three most common vendors ,from most to least expensive, are..."
Pg. 71 - First paragraph typo: "In most instances, your sensor should not have unfettered Interner access"
Pg. 105 - First paragraph, "utilities" should be singular: "In our testing, Netsniff-NG is the best performing FPC utilities in this book when it comes to high throughput links."

Inadequate:
In Chapter 5 (FPC), I felt that there was too much listing of usage options for each tool. Nearly half a page was given to these sections, which closely resemble the usage output of ``-h'', ``--help'', or the tool's manual page. They were not identical because the author added an annotation here or there or shortened the usage statement.

Technical errors:
Pg. 94 - Second paragraph says that argus' ra uses BPF: "...you'll probably find yourself making basic queries using only a read option with a Berkeley Packet Filter (BPF) at the end." The argus daemon uses the high-level BPF expressions available from libpcap, but ra (Read Argus) uses its own filter expressions *based* on libpcap's high-level BPF syntax. This adaptation provides primitives for flow-based expressions rather than packet-based expressions. It is also not the same thing as libpcap's high-level syntax, and this point is especially important for the book because more advanced BPF expressions like those explained in the Packet Analysis chapter will not produce the desired results with ra, e.g. 'tcp[13] = 2'.
Pg. 101 - Third paragraph: "This command will begin capturing packets and writing them to a randomly named file in the current working directory,..." Command given: "dumpcap -i eth1". In Linux, dumpcap writes to /tmp if the ``-w'' option is not used. On OSX, it will write to /var/folders. The filename, on Linux, for the example given by the author, is not random but of the format wireshark_$int_$timestamp_$uuid. Since tshark and wireshark call dumpcap to perform packet capture on their behalf, the unique file names dumpcap creates are used by the calling program.
Pg. 115 - Last paragraph, incorrect explanation of the find command. Command given: "find /data/pcap -type f -mtime +60". Quote: "...in order to find files older than 60 minutes within the /data/pcap directory, simply run the following command;" The command given by the author will operate on days, the default for -mtime, not minutes. The -mmin option is used to work on minutes, e.g. "find /data/pcap -type f -mtime +60"
Pg. 165 - Third paragraph, awk is not given an argument to its -F option; this command will err: "grep 7100031 master_ioc_list.csv | grep sid | awk -F '{ print $11 }'"
Pg. 187 - Output file should be mdl.domainlist.set, not mdl.iplist.set. The name doesn't match the command: "Here, we provide rwsetbuild with the name of the input file, and the name of the output file, which is mdl.domainlist.set:" Command text given: "rwsetbuild mdl.iplist mdl.iplist.set"
Pg. 187 - Inconsistent and incorrect usage of SiLK options --start-date and --end-date: "rwfilter -start-date=$start -end-date=$end ..." In the command text above the two options are missing the second dash (--start-date). In other examples, the double-dashed GNU long option form is used; this example deviates.
Pg. 380 - Fourth paragraph, incorrect explanation of BPF filter: "This expression will match any packet with only the TCP RST bit set" Expression given: "tcp[13] & 0x04 = 4". Because the binary AND (&) is introduced, the BPF expression will match any TCP segment whose code flags have at *least* the RST bit set, e.g. it will match an odd packet with both the SYN and RST bits set.

Command typesetting:
Note: This is a problem with the publisher. At times it is not easily discernible whether a command, option, or argument is separated by a space. Two other examples: the pipe character is much larger than any of the other command text and makes, in my opinion, the command text look uneven and visually odd; the same reasoning can be applied to the hash character, or pound, which also looks alien and out of place.

Clarifications, Improvements, and Misc:
Pg. 56 - Performance unclear; depends on how much data, e.g. 1Gb and 10Gb can be done. "The traditional Linux network socket buffer is not suited to high performance traffic analysis". The mmap'd PF_PACKET kernel sockets are comparable in performance to PF_RING in transparent mode 0, which is what SecurityOnion uses. The Linux kernel also offers a socket option called PACKET_FANOUT that allows the distribution of flows across sockets like PF_RING does for load balancing. I don't know of any NSM tool that is taking advantage of it yet. It was only recently documented.
Pg. 104 - One of the things that sets netsniff-ng apart from other sniffers is its offering of multiple I/O methods, i.e. write, scatter-gather, and mmap. I think this could be added as a reason.
Pg. 104 - It's important to note that Libpcap uses the same memory-mapped RX and TX rings that netsniff-ng uses. Thus, all the libpcap-based tools will use them. Performance advantages result from other reasons, e.g. SG I/O, small code footprint. Another example is that Netsniff-NG uses the newer TPACKET_V3 packet structure whereas Libpcap still uses V2, but the tcpdump.org devs are currently working on implementing TPACKET_V3. TPACKET_V3 performs better on small packets at high speed.
Pg. 194 - Possibly unclear: "This is done by editing /etc/nsm/sensor_name/snort.conf and uncommenting this line:" I can see where it may be unclear to a new SecurityOnion user that they must replace sensor_name with $HOSTNAME-$INT.
Pg. 217 - Suricata is not covered in the Port Variables section, only Snort. Suricata is covered in the IP Variables section before and in the subsection of Defining Rule Sets along with Snort. Why the absence in Port Variables? I feel that leaving this out makes the section incomplete.

Would I recommend this book to others? Yes.
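As an added illustration of the flag-byte point raised in the review above (example code written here, not from the book or the reviewer), this evaluates the equality test 'tcp[13] = 4' and the masked test 'tcp[13] & 0x04 = 4' over constructed TCP headers; the header builder and the sample flag combinations are constructed for the demonstration.

```python
"""Compare the two BPF flag tests over constructed TCP headers to show why
'tcp[13] & 0x04 = 4' matches more than packets with only RST set."""
import struct

# Flag bits of the TCP flags byte, which a BPF capture filter addresses as tcp[13].
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Return a minimal 20-byte TCP header (constructed sample; checksum left 0)."""
    data_offset = 5 << 4  # header length of 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags,
                       65535, 0, 0)


def bpf_equals(header: bytes, value: int) -> bool:
    """Semantics of 'tcp[13] = value': the whole flags byte must equal value."""
    return header[13] == value


def bpf_masked(header: bytes, mask: int, value: int) -> bool:
    """Semantics of 'tcp[13] & mask = value': only the masked bits are compared."""
    return (header[13] & mask) == value


# Constructed flag combinations to run both expressions over.
SAMPLES = {
    "RST": RST,
    "SYN+RST": SYN | RST,   # the "odd packet" from the review
    "RST+ACK": RST | ACK,   # the common form of a reset in practice
    "SYN": SYN,
    "SYN+ACK": SYN | ACK,
}


def compare_rst_filters() -> dict:
    """Map each sample to (matches 'tcp[13] = 4', matches 'tcp[13] & 0x04 = 4')."""
    results = {}
    for name, flags in SAMPLES.items():
        hdr = build_tcp_header(flags)
        results[name] = (bpf_equals(hdr, 0x04), bpf_masked(hdr, 0x04, 0x04))
    return results


if __name__ == "__main__":
    for name, (eq, masked) in compare_rst_filters().items():
        print(f"{name:8s} tcp[13] = 4: {eq!s:5s} tcp[13] & 0x04 = 4: {masked}")
```

Only the equality form matches the RST-only packet alone; the masked form also matches SYN+RST and RST+ACK, which is what the review describes.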

Well written with plenty of details

Chris provides a good understanding of the challenges of monitoring a network for security events. The chapters are filled with details on configuring Snort rules and Bro. Well worth the time to read.

Quality Book

I was really impressed with the content and quality of this book. I've recommended it to my colleagues and expect to reach for it as reference material over the next few years.

I was like "What skills should I develop

I was like "What skills should I develop?"... And my buddy was like "I just read this great book, you should check it out"... So, I did... Great read, would highly recommend for anyone interested in the field.

The book gives a very clear overview of Network Security ...

The book gives a very clear overview of Network Security Monitoring and the various tools that are available. The author gives a lot of tips
