Module 4: Network Traffic and Logs Using IDS and SIEM Tools


INTRODUCTION – Network Traffic and Logs Using IDS and SIEM Tools

Logs play a crucial role in this module's coverage of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM). Understanding logs is the foundation of threat detection: it shows how these systems detect and respond to possible security breaches. The module examines how detection and response are carried out in both kinds of tool and, more importantly, explains where the strengths of IDS and SIEM systems lie in preventing and detecting cyber threats.

Learners are introduced to widely used IDS and SIEM products and to the market-standard tools and techniques for securing digital environments. Theory is paired with practice: participants draft simple IDS rules, so they apply what they learn rather than stopping at the basic concepts with which IDS and SIEM are introduced. Overall, this module is a major step toward understanding where log analysis and intrusion detection fit within modern cybersecurity practice.

Learning Outcomes:

  • Discuss the importance of logs during incident investigation.
  • Determine how to read and analyze logs during incident investigation.
  • Describe how common intrusion detection system (IDS) tools provide security value.
  • Interpret the basic syntax and components of signatures and logs in IDS and NIDS tools.
  • Describe how SIEM tools collect, normalize, and analyze log data.
  • Perform queries in SIEM tools to investigate an incident.

TEST YOUR KNOWLEDGE: OVERVIEW OF LOGS

1. What is the primary purpose of logs during incident investigation?

  • To identify and diagnose system issues
  • To manage alert volumes
  • To provide a record of event details (CORRECT)
  • To improve user experience

Logs provide a detailed account of the events surrounding an incident. By understanding what happened on systems, networks, and devices, security analysts are better able to identify abnormal or malicious activity.

2. A security analyst wants to determine whether a suspicious login was successful. Which log type would be most useful for this purpose?

  • Firewall
  • System
  • Authentication (CORRECT)
  • Network

An authentication log records login attempts together with whether each one succeeded or failed. This information helps security analysts pin down probable unauthorized access and identify suspicious patterns of login behavior.

3. In the following log, what action does the log entry record?

[ALLOW: wikipedia.org] Source: 192.167.1.1 Friday, 10 June 2022 11:36:12

  • Friday, 10 June 2022 11:36:12
  • Source
  • 192.167.1.1
  • ALLOW (CORRECT)

ALLOW is the action recorded: the entry shows that access to wikipedia.org was allowed.

4. Fill in the blank: _____ is the process of examining logs to identify events of interest.

  • Log forwarder
  • Log file
  • Logging
  • Log analysis (CORRECT)

Log analysis is the process of collecting and reviewing logs to identify events of interest, such as anomalies or errors, that may indicate a security incident or breach.

TEST YOUR KNOWLEDGE: LOG COMPONENTS AND FORMATS

1. Examine the following authentication log:

[2022/12/20 08:20:38.921286] User nuhara logged in successfully

What type of information does this log contain? Select two answers.

  • Syslog
  • Message ID
  • Timestamp (CORRECT)
  • Event description (CORRECT)

This log contains a timestamp, 2022/12/20 08:20:38.921286, and an event description, which records that the user “nuhara” logged in successfully.

2. Which of the following capabilities can syslog be used for? Select three answers.

  • Service (CORRECT)
  • Log format (CORRECT)
  • Extension
  • Protocol (CORRECT)

Syslog is a standard for logging and transmitting log data and can be used as a protocol, a service, or a log format. It enables the collection and management of log data from a wide variety of devices.

3. What are examples of log formats? Select three answers.

  • eXtensible Markup Language (XML) (CORRECT)
  • Gramm-Leach-Bliley Act (GLBA)
  • Common Event Format (CEF) (CORRECT)
  • JavaScript Object Notation (JSON) (CORRECT)

Common Event Format (CEF), JavaScript Object Notation (JSON), and eXtensible Markup Language (XML) are log formats that give log data a defined structure, which makes log messages easier to analyze and interpret.

4. Which log format uses tags to structure data?

  • Verbose
  • Comma Separated Values (CSV)
  • Syslog
  • eXtensible Markup Language (XML) (CORRECT)

XML is a log format that uses tags and other keys to structure data.

TEST YOUR KNOWLEDGE: OVERVIEW OF INTRUSION DETECTION SYSTEMS (IDS)

1. A security analyst uses a network protocol analyzer to capture HTTP traffic to analyze patterns. What type of data are they using?

  • Network telemetry (CORRECT)
  • Host-based
  • Signature-based
  • False positive

Network telemetry is the collection and transmission of network data, such as the captured HTTP traffic, for analysis. Signature-based detection, by contrast, is a detection method that matches events against signatures, that is, previously defined known patterns.

2. Which statement accurately describes the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

  • A NIDS uses signature analysis to detect threats; a HIDS uses agents.
  • A NIDS is installed on individual devices; a HIDS is installed on a network.
  • A NIDS only detects known threats; a HIDS detects unknown threats.
  • A NIDS is installed on a network; a HIDS is installed on individual devices. (CORRECT)

A NIDS collects and monitors network traffic and data to detect potential intrusions on the network. A HIDS is installed on a host, such as a server or workstation, and monitors and analyzes the events on that specific host.

3. Fill in the blank: The _____ component of an IDS signature includes network traffic information.

  • signature ID
  • action
  • rule options
  • header (CORRECT)

The header of an IDS signature contains the network traffic information: source and destination IP addresses, source and destination ports, the protocol, and the direction of traffic. This information helps in recognizing traffic patterns and in determining whether certain behavior is indicative of a security threat.

4. A security analyst creates a Suricata signature to identify and detect security threats based on the direction of network traffic. Which of the following rule options should they use?

  • Message
  • Content
  • Flow (CORRECT)
  • Rev

They should use the flow option, which matches on the direction of the network traffic flow, for example whether the traffic is inbound or outbound. Detection of suspicious behavior can then be made more specific on the basis of traffic direction.

5. When monitoring activity, what specifies the rules used by an intrusion detection system (IDS)?

  • An alert
  • A signature (CORRECT)
  • An endpoint
  • A log

A signature defines the rules an IDS uses to monitor activity. Signature analysis, one of the most common detection methods in IDS tools, matches network traffic or system behavior against pre-established signatures, that is, known patterns of malicious activity.

6. Which of the following is true when it comes to analyzing Suricata signatures?

  • The first field specifies the action. (CORRECT)
  • The message option inspects the content of a packet.
  • The rule options are enclosed in semicolons.
  • The arrows specify the severity of a threat.

The first field in a Suricata signature specifies the action, which defines how the system responds to an event that matches the signature. Common actions include alert, which generates an alert; drop, which blocks the traffic; and pass, which ignores the traffic.
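To make the header fields (action, protocol, addresses, ports, direction) and the rule options (msg, flow, content, sid, rev) described above concrete, here is a minimal Suricata rule parser written for this page; it is not Suricata's own code. It assumes rules of the simple form shown on this page, and the sample rule file it parses is constructed from the signature quoted in challenge question 17 plus a comment line and a made-up second rule.

```python
import re
from dataclasses import dataclass, field

# Hypothetical minimal rule parser written for this page; it is not Suricata's
# own parser and handles only the header and simple "keyword:value;" options.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
ACTIONS = {"alert", "drop", "pass", "reject"}  # the actions named on this page

@dataclass
class Signature:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)

def parse_signature(line):
    """Parse one rule; return None for blank lines and '#' comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not a rule header: {line!r}")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unsupported action {m['action']!r}")
    options = {}
    # Options are "keyword:value;" pairs inside the parentheses; a keyword
    # without a value (e.g. "nocase;") gets an empty string. Semicolons inside
    # quoted content must be escaped in real rules; that case is not handled.
    for opt in m["opts"].split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Signature(m["action"], m["proto"], m["src"], m["sport"],
                     m["direction"], m["dst"], m["dport"], options)

def load_rules(text):
    """Parse a rule file's text, skipping comments, into Signature objects."""
    sigs = [parse_signature(line) for line in text.splitlines()]
    return [s for s in sigs if s is not None]

# Constructed rule file: the signature quoted in challenge question 17, plus a
# comment line and a second made-up rule with a different action.
RULES = """
# Rules below are illustrative only
alert http 167.215.72.95 any -> 156.150.71.141 80 (msg:"GET on wire"; flow:established,to_server; content:"GET"; sid:12345; rev:2;)
drop tcp any any -> any 23 (msg:"telnet blocked"; flow:to_server; sid:12346; rev:1;)
"""
SIGS = load_rules(RULES)
```

For the first rule, `SIGS[0].dst_port` is `"80"`, the answer to question 17, and `SIGS[0].options["rev"]` is `"2"`, the revision count asked about in question 11.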

TEST YOUR KNOWLEDGE: OVERVIEW OF SIEM TOOLS

1. In Search Processing Language (SPL), which special character is a wildcard that can be used to substitute with any other character?

  • (CORRECT)
  • =
  • *
  • !=

The asterisk wildcard matches any sequence of characters, so it can stand in for unknown parts of a search term. This gives the search greater flexibility to match different possibilities.

2. Which of the following steps are part of the security information and event management (SIEM) process? Select three answers.

  • Normalize data so it is ready to read and analyze (CORRECT)
  • Collect and process data (CORRECT)
  • Index data to improve search performance (CORRECT)
  • Monitor activity and alerts related to intrusions

The SIEM process consists of collecting and processing data, normalizing data, and indexing data. SIEM tools collect and process data generated by devices and systems across an environment so that it can be monitored and analyzed centrally. After collection, the data is normalized for consistency and then indexed for efficient querying and analysis.

3. Fill in the blank: Chronicle uses _____ to search through unstructured logs.

  • raw log search
  • metadata
  • entity search
  • unified data model (CORRECT)

There are several important steps that make up the SIEM process: collect and process data; normalize data; and index data. SIEM tools collect and process data generated by devices and systems across an environment, centralizing their monitoring and analysis of security events. After collection, data are normalized to ensure consistency and indexed for efficient querying and analysis.

4. Which of the following is Splunk’s query language?

  • UDM
  • SQL
  • SPL (CORRECT)
  • IDS

Splunk’s query language is called Search Processing Language (SPL). SPL is a powerful language for searching, analyzing, and visualizing machine-generated data. Its features include complex queries, filtering, arithmetic, report generation, and dashboard development based on the collected log data.

5. Which of the following steps are involved in the SIEM process for data collection? Select three answers.

  • Collect and process (CORRECT)
  • Search
  • Index (CORRECT)
  • Normalize (CORRECT)

Data collection in a SIEM involves three steps: collection and processing, normalization, and indexing. Normalization converts raw data into a consistent format so that it can be read and analyzed more easily: the data is standardized, irrelevant information is removed, and only the details relevant to the event are retained for analysis.

6. Do specific queries improve the speed and relevance of SIEM search results?

  • No
  • Yes (CORRECT)

Targeted queries improve the performance and relevance of SIEM searches by narrowing the focus to particular events, attributes, or patterns of concern. Reducing the volume of data to examine lets potential threats or incidents be identified more quickly and accurately.
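The collect, normalize, index and query steps described in the answers above, as an added example written for this page rather than taken from any SIEM product: the three raw log lines quoted on this page, each in a different format, are normalized into one common schema (the field names are assumptions), indexed by log type, and then searched with a targeted query.

```python
import re
from datetime import datetime

# Constructed sample: the three raw log lines quoted on this page, in three
# different formats, as a SIEM would receive them from different sources.
RAW_LOGS = [
    "[ALLOW: wikipedia.org] Source: 192.167.1.1 Friday, 10 June 2022 11:36:12",
    "[2022/12/20 08:20:38.921286] User nuhara logged in successfully",
    "[2022/12/21 17:46:35.232748] NOTIFY: NetworkPropertiesUpdated: wifi_psk_13",
]

FIREWALL_RE = re.compile(r"^\[(?P<action>\w+): (?P<target>\S+)\] Source: (?P<src>\S+) (?P<ts>.+)$")
STAMPED_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\] (?P<msg>.+)$")
AUTH_RE = re.compile(r"^User (?P<user>\S+) logged in (?P<outcome>\w+)$")
NOTIFY_RE = re.compile(r"^NOTIFY: (?P<event>\w+): (?P<detail>.+)$")

def normalize(line):
    """Normalize one raw line into the common schema (hypothetical field names).

    Every record carries an ISO 8601 timestamp, a log_type and the raw line;
    unrecognized lines are kept as 'unparsed' so nothing silently disappears.
    """
    m = FIREWALL_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%A, %d %B %Y %H:%M:%S")
        return {"timestamp": ts.isoformat(), "log_type": "firewall",
                "action": m["action"].lower(), "source_ip": m["src"],
                "target": m["target"], "raw": line}
    m = STAMPED_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f").isoformat()
        a = AUTH_RE.match(m["msg"])
        if a:
            outcome = "success" if a["outcome"] == "successfully" else "failure"
            return {"timestamp": ts, "log_type": "authentication",
                    "user": a["user"], "outcome": outcome, "raw": line}
        n = NOTIFY_RE.match(m["msg"])
        if n:
            return {"timestamp": ts, "log_type": "network",
                    "event": n["event"], "detail": n["detail"], "raw": line}
        return {"timestamp": ts, "log_type": "unknown", "raw": line}
    return {"timestamp": None, "log_type": "unparsed", "raw": line}

def build_index(records):
    """Index record positions by log_type so a search need not scan everything."""
    index = {}
    for i, rec in enumerate(records):
        index.setdefault(rec["log_type"], []).append(i)
    return index

def search(records, index, log_type, **criteria):
    """Targeted query: restrict to one log_type via the index, then filter."""
    hits = (records[i] for i in index.get(log_type, []))
    return [r for r in hits if all(r.get(k) == v for k, v in criteria.items())]

EVENTS = [normalize(line) for line in RAW_LOGS]   # collect + normalize
INDEX = build_index(EVENTS)                       # index
```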

7. Fill in the blank: Chronicle uses _____ to search through normalized data.

  • Structured Query Language (SQL)
  • Extensible Event Format JavaScript Object Notation (EVE JSON)
  • Unified Data Model (UDM) (CORRECT)
  • Search Processing Language (SPL)

Chronicle uses the Unified Data Model (UDM) to search normalized data. UDM defines a standard structure for data from different sources, which makes querying and analysis more effective. Because UDM organizes data into a standard format, Chronicle can process and search large amounts of security data efficiently for threat detection and investigation.

MODULE 4 CHALLENGE

1. What is the difference between a log and log analysis?

  • A log is a record of events that occur within an organization’s systems. Log analysis is the process of examining logs to identify events of interest. (CORRECT)
  • A log and log analysis both contain details of events, but they record details from different sources.
  • A log records details in log files. Log analysis involves a high-level overview of all events that happen on the network.
  • A log contains log file details. Log analysis involves the collection and storage of logs.

2. Fill in the blank: A syslog entry contains a header, _____, and a message.

  • structured-data (CORRECT)
  • tag
  • object
  • eXtensible Markup Language

3. What is the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

  • Both NIDS and HIDS monitor systems and generate alerts, but a NIDS uses agents.
  • A NIDS collects and monitors network traffic and network data. A HIDS monitors the activity of the host on which it is installed. (CORRECT)
  • A NIDS monitors the activity of the host on which it is installed. A HIDS uses signature analysis to analyze network activity.
  • A NIDS logs and generates alerts. A HIDS system monitors endpoint activity.

4. What are examples of common rule actions that can be found in a signature? Select three answers.

  • Flow
  • Reject (CORRECT)
  • Pass (CORRECT)
  • Alert (CORRECT)

5. Which rule option is used to match based on the direction of network traffic?

  • content
  • flow (CORRECT)
  • sid
  • message

6. What is the difference between network telemetry and network alert logs?

  • Network telemetry is output in EVE JSON format; network alert logs are output in HTML.
  • Both provide information that is relevant for security analysts, but network alert logs contain network connection details.
  • Network telemetry contains information about network traffic flows; network alert logs are the output of a signature. (CORRECT)
  • Network telemetry is the output of a signature; network alert logs contain details about malicious activity.

7. Fill in the blank: The asterisk symbol is also known as a(n) _____.

  • label
  • option
  • wildcard (CORRECT)
  • Boolean operator

8. Which step in the SIEM process involves the processing of raw data into a standardized and structured format?

  • Index
  • Normalize (CORRECT)
  • Collect
  • Process

9. Examine the following log:

{
	"name": "System test",
	"host": "167.155.183.139",
	"id": 11111,
	"Message": "[error] test"
}

Which log format is this log entry in?

  • JSON (CORRECT)
  • Syslog
  • XML
  • CSV

10. Fill in the blank: _____ analysis is a detection method used to find events of interest using patterns.

  • Host
  • Network
  • Endpoint
  • Signature (CORRECT)

11. Which rule option is used to indicate the number of times a signature is updated?

  • sid
  • rev (CORRECT)
  • msg
  • tcp

12. Which type of log data does Suricata generate? Select all that apply.

  • Protocol
  • Alert (CORRECT)
  • Signature
  • Network telemetry (CORRECT)

13. Fill in the blank: Chronicle uses ______ to define detection rules.

  • SPL
  • SQL
  • YARA-L (CORRECT)
  • UDM

14. What are the steps in the SIEM process for data collection? Select three answers.

  • Index
  • Collect (CORRECT)
  • Unify
  • Normalize (CORRECT)

15. Examine the following log:

[2022/12/21 17:46:35.232748] NOTIFY: NetworkPropertiesUpdated: wifi_psk_13

Which type of log is this?

  • Location
  • Application
  • Network (CORRECT)
  • Authentication

16. What information is included in a signature’s header? Select all that apply.

  • IP address (CORRECT)
  • Action
  • Port number (CORRECT)
  • Protocol (CORRECT)

17. Examine this Suricata signature:

alert http 167.215.72.95 any -> 156.150.71.141 80 (msg:"GET on wire"; flow:established,to_server; content:"GET"; sid:12345; rev:2;)

What is the destination port?

  • 80 (CORRECT)
  • 2
  • 141
  • 12345

18. Fill in the blank: Suricata uses the _____ format for event and alert output.

  • HTML
  • HTTP
  • CEF
  • EVE JSON (CORRECT)

19. Which querying language does Splunk use?

  • Structured Processing Language
  • SIEM Processing Language
  • Search Processing Language (CORRECT)
  • Structured Querying Language

20. Which of the following refers to a record of events that occur within an organization’s systems?

  • Occurrences
  • Logs (CORRECT)
  • Log sources
  • Log forwarder

21. Consider the following scenario:

A security analyst at a midsized company is tasked with installing and configuring a host-based intrusion detection system (HIDS) on a laptop. The security analyst installs the HIDS and wants to test whether it is working properly by simulating malicious activity. The security analyst runs unauthorized programs on the laptop, which the HIDS successfully detects and alerts on.

What is the laptop an example of?

  • Compliance
  • Operational (CORRECT)
  • Technical (CORRECT)
  • Managerial (CORRECT)

22. Which symbol is used to indicate a comment and is ignored in a Suricata signature file?

  • Structured Processing Language
  • $
  • (CORRECT)
  • :

23. What is the method to search for normalized data in Chronicle?

  • UDM search (CORRECT)
  • Unified
  • YARA-L
  • Raw log search

24. What details do logs contain? Select all that apply.

  • Time (CORRECT)
  • Location (CORRECT)
  • Forwarder
  • Date (CORRECT)

25. Which type of Splunk query searches through unstructured log records?

  • Reference search
  • Index search
  • Raw log search (CORRECT)
  • UDM search

26. Which Unified Data Model (UDM) field search specifies a security action?

  • block
  • metadata.event_type
  • security_result.action (CORRECT)
  • action

CONCLUSION – Network Traffic and Logs Using IDS and SIEM Tools

This module provides a well-structured account of logs, Intrusion Detection Systems (IDS), and Security Information and Event Management (SIEM), giving students a solid understanding of how these pieces fit together. By understanding the significance of logs as digital footprints and the workings of IDS and SIEM systems, participants learn how to approach the complex problems of threat detection and incident response. The introductory exposure to widely used IDS and SIEM products also helps learners apply these tools to real-world situations.

This is supplemented by hands-on experience in developing basic IDS rules, which not only grounds the theoretical knowledge of IDS in practice but also builds the working skills needed to be an active contributor to cybersecurity. As an important step in developing personal capacity in log analysis, threat detection, and response, this module connects theory and practice to the broader cybersecurity landscape and prepares candidates for the dynamic changes in digital security ahead.
