Module 25 Network Security Data Flashcards
What are some network security monitoring tools?
Snort, Sguil
What is an example of a network IDS?
Snort
What is alert data?
Messages generated by intrusion prevention systems or intrusion detection systems in response to traffic that violates a rule or matches a signature of an exploit
How are alerts generated?
Generated by Snort (NIDS), and made readable by Sguil and Squert applications.
How is session data recorded?
Record of a conversation between two end points.
Within this recorded data, what is the five-tuple?
Source/destination IP address, source/destination port and the IP protocol number for the protocol in use
Why are packet captures important?
Contains the actual content of conversations, text of email messages, the HTML in web pages and the files that enter or leave the network.
How do we collect statistical data?
Cisco Cognitive Threat Analysis - finds malicious activity that has bypassed security controls by identifying traffic patterns.
What are some types of host logs?
HIDS - event viewer - application logs, system logs, setup logs, security logs and command-line logs.
What is a system log?
These include events regarding the operation of drivers, processes and hardware
What is a setup log?
Installation of software, including Windows updates
What is a security log?
These record events related to security, logon attempts and operations related to file or object management and access
What are application logs?
These contain events logged by various applications
What are command-line logs?
Attackers who have gained access execute commands from the CLI rather than the GUI, so these logs record that activity.
What are the event types found in host logs?
Error, Warning, Information, Success Audit, Failure Audit
What is a warning log?
Not necessarily significant but may indicate a future problem.
What is an error log?
Event that indicates a significant problem such as loss of data or functionality.
What is an information log?
Describes successful operation of an app, driver or service
How many distinct parts does a syslog message have?
3 - priority, header and msg
Describe the priority part of a syslog message.
Two elements: severity and facility. Severity is a value (0-7); facility identifies the source that generated the message
What are the Syslog severity values?
0 - 7 (Emergency, Alert, Critical, Error, Warning, Notice, Informational and Debug)
What is an emergency?
System is unusable
What is alert?
Action must be taken immediately
What is critical?
Critical conditions that should be corrected immediately; indicates a failure in a system
What is error?
A failure that is not urgent
What is a warning?
An error that does not presently exist, but an error will occur in the future if it is not addressed
What is notice?
An event that is not an error, but it is unusual
What is informational?
Messages issued regarding normal operations
What is debug?
Message of interest
How about server logs?
Server logs are an essential source of data for networking security monitoring.
What are two important file logs?
Apache webserver and Microsoft Internet Information Server (IIS)
All of these logs (server, network, etc.) should be sent where? What type of central collection point?
SIEM - Security Information and Event Management. Provides real-time reporting and long-term analysis of security events.
What are the main functions of a SIEM that provide a view of the enterprise network?
Log collection, normalization, correlation, aggregation, reporting and compliance
What is log collection?
Events recorded from sources throughout the organization
What is normalization?
This maps log messages from different systems into a common data model, enabling the organization to connect and analyze related events
What is correlation?
Links logs from disparate systems or applications
What is aggregation?
This reduces the volume of event data by consolidating duplicate records
What is reporting?
Presents the correlated, aggregated event data in real-time monitoring and long-term summaries.
What is a popular SIEM?
Splunk
What is a popular packet analyzer?
Tcpdump
What does NetFlow do?
Provides an important set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, DoS monitoring capabilities and network monitoring
What other things does NetFlow do?
It provides information about network users, applications, peak usage times and traffic routing. It records information about packet flows, including metadata.
What is AVC?
Cisco Application Visibility and Control system combines multiple technologies to recognize, analyze and control over 1000 applications.
What would be a type of AVC or application recognition?
NBAR2 (L3-L7)
What would be a metrics collection tool (bandwidth, usage, latency, etc.)?
NetFlow
How about, collecting data and reporting on application performance?
Cisco Prime
What control application can we use to maximize network performance?
QoS
What is the difference between port monitoring and application monitoring?
Port monitoring looks at port numbers, while application monitoring looks at the applications themselves: data and ports versus data and apps.
What is the difference between Cisco facility, severity and mnemonic when it comes to a log?
Cisco facility would be something like ASA or SYS; severity is a number such as 5, 4 or 3; the mnemonic is a short code such as CONFIG, describing the event (text changed in the configuration)
What does Cisco Umbrella do?
Offers a hosted DNS service that extends the capability of DNS to include security enhancements