Understanding NSM Tools and Data Flashcards
1
Q
Session Data
A
- Summary data of network conversations.
- Who talked with whom and when.
- Examining session data is similar to a detective examining a phone bill.
- Session data is based on the IP 5-tuple (source IP, destination IP, source port, destination port, protocol).
2
Q
Full Packet Capture
A
- Records all network traffic, packet by packet, at specific network locations.
- Data is written to disk, commonly in PCAP format.
- Examining full packet captures is similar to a detective reviewing wiretap information.
- Details exactly what was communicated.
- Also known as full content data.
3
Q
Transaction Data
A
- Transaction Data lies between session data and full packet capture.
- Captures the details associated with requests and responses.
4
Q
Alert Data
A
- Typically produced by an IPS.
- Alerts are generated when traffic matches conditions the IPS is configured to respond to.
- The quality of alert data depends heavily on how well the IPS is tuned.
- Even a well-tuned IPS will generate false positives.
- Alerts are automated judgment calls made by an engineered tool.
5
Q
Statistical Data
A
- NSM data collected over time can be processed to produce statistical data.
- Statistical data collected over time produces baselines. Baselines define what is normal. Baselines should be collected over intervals long enough to include deviations.
6
Q
Metadata
A
- Metadata is data about data.
- Can be used to augment the NSM data that the SOC directly collects.
- Examples: geolocation data, reputation scores, and ownership of IP addresses.