Building Your NSM Sensor

10 hours · Module 1 · Free

This module builds the sensor that generates every piece of evidence you'll use from NF2 onward. By the end of this module, you'll have a Linux VM running Zeek and Suricata on a capture interface, producing the structured metadata logs that power the investigation methodology from NF0. You'll understand the Zeek log directory structure well enough to query any log file, and you'll have validated your sensor against test traffic to confirm it's capturing and parsing correctly.
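As an added example of the validation step described above (not course material, and not a script the course provides), the following parses Zeek's self-describing TSV log format and checks that a known test connection was both captured and parsed; the conn.log content and addresses are constructed sample data.

```python
"""Validate that a Zeek conn.log captured and parsed expected test traffic."""
from typing import Dict, List, Optional

# Constructed sample: an abbreviated conn.log in Zeek's TSV format. Header
# lines start with '#'; '#fields' names the columns, '#unset_field' gives the
# marker Zeek writes for values it could not determine (by default '-').
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1700000000.123456\tCabc123\t10.0.0.5\t51000\t203.0.113.10\t80\ttcp\thttp\tSF
1700000001.654321\tCdef456\t10.0.0.5\t51001\t10.0.0.53\t53\tudp\tdns\tSF
1700000002.000000\tCghi789\t10.0.0.5\t51002\t10.0.0.9\t4444\ttcp\t-\tS0
#close\t2023-11-14-22-13-22
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per record, keyed by the names in the '#fields' header.
    Unset fields (Zeek's '-' marker) are mapped to None so callers can tell
    'captured but not parsed' apart from a real value."""
    fields: List[str] = []
    unset = "-"
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count does not match header: {line!r}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def sensor_saw(records, resp_h: str, resp_p: str, service: str) -> bool:
    """True if a connection to resp_h:resp_p was captured AND Zeek's protocol
    analyzer labelled it with the expected service, i.e. capture and parsing
    both worked for the test traffic."""
    return any(r["id.resp_h"] == resp_h and r["id.resp_p"] == resp_p
               and r["service"] == service for r in records)


def unparsed_connections(records) -> List[str]:
    """UIDs of connections with no service label: captured but not parsed by
    any analyzer. Normal for scans or half-open connections (S0); if your test
    HTTP traffic lands here, the sensor captures but does not parse correctly."""
    return [r["uid"] for r in records if r["service"] is None]
```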

The sensor you build here is permanent. Unlike labs that you tear down after one exercise, this sensor persists across the entire course. Every protocol analysis module (NF3-NF7) uses it. Every detection module (NF8-NF11) deploys rules to it. The capstone (NF14) investigates traffic through it. Treat this build with the same care you'd give a production deployment — because by the time you finish this course, it functionally is one.

The module covers both the technical build (installation, configuration, validation) and the operational decisions (what to capture, how to store it, how to maintain it). A sensor that's installed but misconfigured is worse than no sensor — it creates false confidence in evidence that may be incomplete or missing.
