Module Summary — Building Your NSM Sensor
This module built the sensor that powers every investigation in the rest of this course. Here's what you accomplished and what it means going forward.
What You Built
Sensor architecture (NF1.1). Four components: capture interface, processing engines (Zeek + Suricata), storage, management. Three deployment models: standalone VM (your lab), dedicated appliance, integrated platform. The skills transfer regardless of model.
VM and prerequisites (NF1.2). Ubuntu 24.04 with NTP synchronized, build prerequisites installed, and the /opt/sensor/ directory structure for organized evidence storage. NTP is the most critical system configuration — every timestamp depends on it.
Zeek (NF1.3–NF1.4). Installed from the official repository. Configured with Community ID for Suricata correlation. Produces 20+ log files organized by protocol. The three Tier 1 logs — conn.log, dns.log, ssl.log — are the starting point for every investigation. Tab-separated output with zeek-cut for command-line querying.
Suricata (NF1.5). Installed from the OISF PPA. ET Open ruleset loaded (40,000+ signatures). EVE JSON output with Community ID enabled. Daily rule update via cron. Fires alerts when traffic matches known-bad signatures.
Capture interfaces and BPF (NF1.6). Promiscuous mode, no IP address assigned, and checksum offload disabled so the engines see frames as they crossed the wire rather than as the NIC rewrote them. BPF filters for targeted capture. AF_PACKET sharing for live deployment (covered conceptually; production details in NF13).
Validation (NF1.7). Four checks: Zeek logs complete, Suricata alerts fire, Community ID correlates, zero packet loss. Validation script saved for monthly re-runs.
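The "Community ID correlates" check above, and the Community ID field that NF1.5 turned on in Suricata's EVE output, both rest on the same property: Zeek and Suricata compute a flow hash that does not depend on which direction they saw the tuple in. The block below is an added example, not the course's validation script. It implements Community ID version 1 as published by Corelight (seed, ordered addresses, protocol, zero pad, ordered ports, SHA1, base64), recomputes it from a Zeek conn.log row and from a Suricata alert fired on the response packet, and performs the CID pivot. The conn.log row, the EVE alert, the uid and the signature text are all constructed sample data; only TCP and UDP are handled, and the seed (default 0 in both tools) must be the same on both sides or nothing will match.

```python
import base64
import hashlib
import ipaddress
import json
import struct

# Community ID v1 (Corelight spec): a direction-independent flow hash, so a Zeek
# conn.log row and a Suricata EVE record for one flow carry the same string even
# when the two tools recorded the 5-tuple in opposite directions.
# TCP and UDP only; ICMP has extra pairing rules this example omits.
PROTO_NUM = {"tcp": 6, "udp": 17}


def community_id_v1(saddr, daddr, sport, dport, proto, seed=0):
    """'1:' + base64(sha1(seed | addr_a | addr_b | proto | 0 | port_a | port_b)),
    endpoints ordered lower address first, lower port first on an address tie."""
    a, b = ipaddress.ip_address(saddr).packed, ipaddress.ip_address(daddr).packed
    if not (a < b or (a == b and sport < dport)):
        a, b, sport, dport = b, a, dport, sport
    data = struct.pack("!H", seed) + a + b + struct.pack("!BBHH", PROTO_NUM[proto.lower()], 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def cid_from_zeek(rec):
    """Zeek names the initiator orig and the server resp."""
    return community_id_v1(rec["id.orig_h"], rec["id.resp_h"], int(rec["id.orig_p"]), int(rec["id.resp_p"]), rec["proto"])


def cid_from_eve(rec):
    """Suricata src/dest follow the packet that triggered the event; for an alert
    on a server response that is the reverse of Zeek's orig/resp."""
    return community_id_v1(rec["src_ip"], rec["dest_ip"], rec["src_port"], rec["dest_port"], rec["proto"])


# Constructed sample records (not from a real sensor). The conn.log row is shown as
# the tab-separated line Zeek writes, split against its #fields names; the EVE alert
# is fired on the response packet, so src_ip is the server.
ZEEK_CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]
ZEEK_CONN_LINE = "1709000000.123\tCabc123def456\t10.0.0.25\t51234\t203.0.113.10\t443\ttcp"
ZEEK_CONN = dict(zip(ZEEK_CONN_FIELDS, ZEEK_CONN_LINE.split("\t")))

EVE_LINE = json.dumps({
    "timestamp": "2024-02-27T02:13:20.456789+0000",
    "event_type": "alert",
    "src_ip": "203.0.113.10", "src_port": 443,
    "dest_ip": "10.0.0.25", "dest_port": 51234,
    "proto": "TCP",
    "alert": {"signature": "CONSTRUCTED sample signature, not an ET Open rule", "signature_id": 1},
})
EVE_ALERT = json.loads(EVE_LINE)


def correlate(zeek_rec, eve_rec):
    """Recompute the ID from each tool's own view of the flow and report agreement:
    the check to run before trusting a CID pivot between Zeek and Suricata."""
    z, e = cid_from_zeek(zeek_rec), cid_from_eve(eve_rec)
    return {"zeek": z, "suricata": e, "match": z == e}


def cid_pivot(conn_records, eve_rec):
    """Index conn.log by Community ID and look up the alert's flow (the CID pivot)."""
    index = {cid_from_zeek(r): r for r in conn_records}
    return index.get(cid_from_eve(eve_rec))


if __name__ == "__main__":
    print(json.dumps(correlate(ZEEK_CONN, EVE_ALERT), indent=2))
    hit = cid_pivot([ZEEK_CONN], EVE_ALERT)
    print("alert ->", EVE_ALERT["alert"]["signature"], "-> conn.log uid", hit["uid"] if hit else None)
```

On a live sensor you would compare the community_id field Zeek wrote against the one in the EVE record rather than recomputing; recomputing here makes the direction reversal visible and gives you a way to debug a mismatch (almost always a seed or an ICMP edge case).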
Investigation queries (NF1.8). Ten reusable patterns: scope (a host's connections, its DNS, top destinations), identify (large transfers, long durations, beaconing), correlate (UID pivot, Community ID pivot, C2 host enumeration, JA3 search). These patterns answer the great majority of routine investigation questions.
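The course runs these patterns with zeek-cut on the command line. As an added example (not code from the course), the block below implements the same scope, identify and correlate queries in Python over Zeek's TSV format, reading field names from the #fields header the way zeek-cut does and treating "-" as unset. The conn.log and ssl.log excerpts, hosts, uids, server names and JA3 hashes are constructed sample data. The beaconing query goes slightly beyond the summary: it scores regularity as the coefficient of variation of inter-connection intervals, so a timer-driven implant stands out while bursty human SSH sessions to the same count of connections do not.

```python
import statistics
from collections import Counter, defaultdict

# Constructed Zeek conn.log and ssl.log excerpts (sample data, not from a real
# sensor), tab-separated with the #fields header that zeek-cut also reads.
# 10.0.0.25 contacts 203.0.113.10:443 about once a minute; 10.0.0.40 holds one
# hour-long session to the same host plus some irregular SSH sessions.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes
1709000000.0\tCbeac1\t10.0.0.25\t51000\t203.0.113.10\t443\ttcp\t0.5\t400\t1200
1709000060.5\tCbeac2\t10.0.0.25\t51001\t203.0.113.10\t443\ttcp\t0.4\t410\t1180
1709000120.2\tCbeac3\t10.0.0.25\t51002\t203.0.113.10\t443\ttcp\t0.6\t398\t1210
1709000180.9\tCbeac4\t10.0.0.25\t51003\t203.0.113.10\t443\ttcp\t0.5\t402\t1195
1709000240.4\tCbeac5\t10.0.0.25\t51004\t203.0.113.10\t443\ttcp\t0.5\t405\t1201
1709000005.0\tCdns01\t10.0.0.25\t40000\t198.51.100.7\t53\tudp\t0.01\t60\t120
1709000125.0\tCdns02\t10.0.0.25\t40001\t198.51.100.7\t53\tudp\t-\t58\t-
1709000010.0\tCssh01\t10.0.0.40\t52000\t192.0.2.5\t22\ttcp\t120.0\t5000\t9000
1709000015.0\tCssh02\t10.0.0.40\t52001\t192.0.2.5\t22\ttcp\t30.0\t2000\t3000
1709000300.0\tCssh03\t10.0.0.40\t52002\t192.0.2.5\t22\ttcp\t200.0\t7000\t9000
1709000310.0\tCssh04\t10.0.0.40\t52003\t192.0.2.5\t22\ttcp\t15.0\t1000\t2000
1709000100.0\tCbulk1\t10.0.0.40\t52100\t203.0.113.10\t443\ttcp\t3600.0\t52428800\t90000
"""
SSL_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tja3
1709000000.1\tCbeac1\t10.0.0.25\t51000\t203.0.113.10\t443\tTLSv12\tupdate.example.net\t0123456789abcdef0123456789abcdef
1709000060.6\tCbeac2\t10.0.0.25\t51001\t203.0.113.10\t443\tTLSv12\tupdate.example.net\t0123456789abcdef0123456789abcdef
1709000100.1\tCbulk1\t10.0.0.40\t52100\t203.0.113.10\t443\tTLSv13\tfiles.example.net\tfedcba9876543210fedcba9876543210
"""


def parse_zeek_tsv(text):
    """Zeek TSV log -> list of dicts keyed by the #fields names (what zeek-cut does)."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line or line.startswith("#"):
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def num(value):
    """Zeek numeric field to float; '-' (unset) counts as zero."""
    return 0.0 if value in ("-", "") else float(value)


def connections_from(conn, host):
    """Scope: every connection a host originated."""
    return [r for r in conn if r["id.orig_h"] == host]


def top_destinations(conn, n=5):
    """Scope: responders ranked by connection count."""
    return Counter(r["id.resp_h"] for r in conn).most_common(n)


def long_connections(conn, min_seconds):
    """Identify: connections that stayed open at least min_seconds."""
    return [r for r in conn if num(r["duration"]) >= min_seconds]


def large_transfers(conn, min_orig_bytes):
    """Identify: originator sent at least min_orig_bytes (outbound volume is the
    exfiltration signal; filter on resp_bytes instead to find large downloads)."""
    return [r for r in conn if num(r["orig_bytes"]) >= min_orig_bytes]


def beacon_candidates(conn, min_count=4, max_cv=0.1):
    """Identify: (orig, resp, port) groups with regular inter-connection intervals.
    cv = stdev/mean of the gaps; a low cv means a timer, not a person.
    Returns {(orig, resp, port): (count, mean_gap_seconds, cv)}."""
    groups = defaultdict(list)
    for r in conn:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(num(r["ts"]))
    found = {}
    for key, stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            found[key] = (len(stamps), mean, cv)
    return found


def uid_pivot(log, uid):
    """Correlate: the records another Zeek log holds for one conn.log uid."""
    return [r for r in log if r["uid"] == uid]


def ja3_search(ssl, ja3):
    """Correlate: every (orig_h, resp_h, server_name) that presented this JA3."""
    return sorted({(r["id.orig_h"], r["id.resp_h"], r["server_name"]) for r in ssl if r["ja3"] == ja3})


CONN = parse_zeek_tsv(CONN_LOG)
SSL = parse_zeek_tsv(SSL_LOG)

if __name__ == "__main__":
    print("top destinations:", top_destinations(CONN, 3))
    for key, (n, mean, cv) in beacon_candidates(CONN).items():
        print(f"beacon? {key}: {n} connections every {mean:.1f}s (cv={cv:.3f})")
    for r in long_connections(CONN, 600):
        print("long-lived:", r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["duration"] + "s")
    for r in large_transfers(CONN, 10_000_000):
        print("large outbound:", r["uid"], r["orig_bytes"], "bytes")
    first_uid = connections_from(CONN, "10.0.0.25")[0]["uid"]
    print("ssl.log for", first_uid, uid_pivot(SSL, first_uid))
    print("same JA3 seen from:", ja3_search(SSL, "0123456789abcdef0123456789abcdef"))
```

Thresholds are the analyst's decision: min_count and max_cv trade missed slow beacons against false positives from legitimate pollers, and a JA3 hit only says "same TLS client fingerprint", which shared libraries make common, so it points you at hosts to scope rather than convicting them.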
Maintenance (NF1.9). Daily automation (rules, disk), weekly manual check (NTP, processes, retention), monthly validation (full script, OS updates).
What Comes Next
NF2 — PCAP Acquisition and Management. Full-packet capture with tcpdump: capture strategies, rolling captures, BPF filters for targeted investigation, PCAP file management with editcap and mergecap, evidence-grade capture procedures.
NF3 — DNS: The Protocol That Sees Everything. Your first protocol analysis module. DNS investigation methodology, dns.log deep dive, tunnelling detection, passive DNS, and the DNS trail from INC-NE-2026-0227 (the AiTM phishing campaign).
Your sensor is built. From NF2 onward, every module produces investigation evidence through it.