I spent the past week reading The Tao of Network Security Monitoring by Richard Bejtlich as part of my “study plan” for the GSE Lab. Fortunately, or unfortunately, I take a train to work every day, and that gives me 1.5 hours to do whatever I want. This time allows me to read a 600+ page technical book cover to cover in a little over a week. I have also spent time building/playing with my GSE lab.
Since there are so many reviews of the book, I will limit my review to saying that Richard did an amazing job with this book, and if you perform any type of Network Security Monitoring (NSM), this is a must-read book. One of the great strengths of this book is that Richard discusses several NSM tools not covered elsewhere other than in passing. I am sure some of these tools will be covered in detail in the GSE lab, so I plan on spending some time with the ones I am not intimately familiar with.
One tool mentioned in the book that I plan on spending time with is Sguil. According to the nsmwiki, Sguil is best described as an aggregation system for network security monitoring tools. Major tools used by Sguil include:
- Snort/Barnyard
- Security Analyst Network Connection Profile (SANCP)
- Passive Asset Detection (PADS)
- p0f
- tcpflow
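To make the "aggregation" idea concrete, here is a small added example (my own code, not part of Sguil or of the original post) of what an NSM console does for an analyst: it takes one Snort alert in the `alert_fast` layout and attaches the session record that contains it and the asset record for the server side of the flow, so the alert can be judged with context rather than in isolation. The alert line is constructed and uses a local-range sid; the session and asset lines are simplified stand-ins for what SANCP and PADS produce and do not reproduce their real on-disk formats.

```python
import re
from datetime import datetime

# Constructed sample input, not output from any real sensor. The alert line
# follows Snort's alert_fast layout; the session and asset lines are simplified
# stand-ins for SANCP and PADS records, not their actual file formats.
SNORT_ALERTS = [
    "05/14-10:22:31.123456  [**] [1:1000001:1] LOCAL example rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 198.51.100.7:51234",
]
# start|end|proto|src|sport|dst|dport|src_pkts|dst_pkts|src_bytes|dst_bytes
SESSIONS = [
    "05/14-10:22:30.900000|05/14-10:22:35.000000|tcp|198.51.100.7|51234|192.0.2.10|80|12|10|1480|9320",
    "05/14-09:00:00.000000|05/14-09:00:01.000000|tcp|198.51.100.7|51200|192.0.2.10|80|3|2|200|400",
]
# ip,port,proto,service,application
ASSETS = [
    "192.0.2.10,80,tcp,www,Apache httpd",
    "192.0.2.10,22,tcp,ssh,OpenSSH",
]

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_ts(s):
    # alert_fast timestamps carry no year; strptime fills in 1900, which is
    # acceptable here because only ordering within the same day is compared.
    return datetime.strptime(s, "%m/%d-%H:%M:%S.%f")


def parse_fast_alert(line):
    """Parse one Snort alert_fast line into a dict with typed fields."""
    m = FAST_RE.match(line)
    if not m:
        raise ValueError("not an alert_fast line: %r" % line)
    d = m.groupdict()
    d["ts"] = parse_ts(d["ts"])
    for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
        d[k] = int(d[k])
    d["proto"] = d["proto"].lower()
    return d


def parse_session(line):
    """Parse a constructed pipe-delimited session record (SANCP-like)."""
    f = line.split("|")
    return {"start": parse_ts(f[0]), "end": parse_ts(f[1]), "proto": f[2],
            "src": f[3], "sport": int(f[4]), "dst": f[5], "dport": int(f[6]),
            "src_pkts": int(f[7]), "dst_pkts": int(f[8]),
            "src_bytes": int(f[9]), "dst_bytes": int(f[10])}


def parse_asset(line):
    """Parse a constructed comma-delimited asset record (PADS-like)."""
    ip, port, proto, service, app = line.split(",", 4)
    return {"ip": ip, "port": int(port), "proto": proto,
            "service": service, "application": app}


def same_flow(alert, sess):
    """True if the session's 5-tuple matches the alert in either direction."""
    fwd = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
    rev = (alert["dst"], alert["dport"], alert["src"], alert["sport"])
    key = (sess["src"], sess["sport"], sess["dst"], sess["dport"])
    return sess["proto"] == alert["proto"] and key in (fwd, rev)


def correlate(alert_line, session_lines, asset_lines):
    """Attach the session containing the alert and any asset on either endpoint."""
    alert = parse_fast_alert(alert_line)
    sessions = [s for s in map(parse_session, session_lines)
                if same_flow(alert, s) and s["start"] <= alert["ts"] <= s["end"]]
    endpoints = {(alert["src"], alert["sport"]), (alert["dst"], alert["dport"])}
    assets = [a for a in map(parse_asset, asset_lines)
              if a["proto"] == alert["proto"] and (a["ip"], a["port"]) in endpoints]
    return {"alert": alert, "sessions": sessions, "assets": assets}


if __name__ == "__main__":
    view = correlate(SNORT_ALERTS[0], SESSIONS, ASSETS)
    a = view["alert"]
    print("alert  : sid %d %s  %s:%d -> %s:%d" % (a["sid"], a["msg"], a["src"],
                                                 a["sport"], a["dst"], a["dport"]))
    for s in view["sessions"]:
        print("session: %d/%d pkts, %d/%d bytes (src/dst)" % (
            s["src_pkts"], s["dst_pkts"], s["src_bytes"], s["dst_bytes"]))
    for x in view["assets"]:
        print("asset  : %s:%d is %s (%s)" % (x["ip"], x["port"], x["service"], x["application"]))
```

The join is on protocol, the 5-tuple in either direction, and the alert timestamp falling inside the session window; an asset record is attached only when it sits on one of the alert's own endpoints. That is the analyst's basic pivot: from "a rule fired" to "how big was the conversation and what is actually listening there".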
The great thing about studying Sguil for the GSE lab is that all of the tools are discussed in the GSE prerequisite classes. That fact alone makes Sguil a great tool to spend time with in the GSE lab. One thing I do know is that its installation is described as a downside to Sguil. I know a few articles discuss installing Sguil on Ubuntu 10.04 Long-Term Support (LTS), but I plan on writing up a procedure and posting it on the blog within the next week.