Building Your NSM Sensor

10 hours · Module 1 · Free

This module builds the sensor that generates every piece of evidence you'll use from NF2 onward. By the end of this module, you'll have a Linux VM running Zeek and Suricata on a capture interface, producing the structured metadata logs that power the investigation methodology from NF0. You'll understand the Zeek log directory structure well enough to query any log file, and you'll have validated your sensor against test traffic to confirm it's capturing and parsing correctly.

The sensor you build here is permanent. Unlike labs that you tear down after one exercise, this sensor persists across the entire course. Every protocol analysis module (NF3-NF7) uses it. Every detection module (NF8-NF11) deploys rules to it. The capstone (NF14) investigates traffic through it. Treat this build with the same care you'd give a production deployment — because by the time you finish this course, it functionally is one.

The module covers both the technical build (installation, configuration, validation) and the operational decisions (what to capture, how to store it, how to maintain it). A sensor that's installed but misconfigured is worse than no sensor — it creates false confidence in evidence that may be incomplete or missing.
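As an added example (not part of the course material or the Zeek project's own code), here is a small Python reader for the tab-separated, header-driven format Zeek writes into its log directory, followed by the kind of post-build check the module describes: confirm the log is the one you expect and carries the columns later queries depend on. The conn.log lines are constructed for this example; the field names and types follow Zeek's documented conn.log layout.

```python
"""Parse Zeek's TSV log format and run a basic sensor-validation check.

Added example, not course material. The sample conn.log below is
constructed for illustration.
"""
from collections import Counter
from typing import Any

# Constructed sample of a Zeek conn.log, trimmed to a handful of columns.
# Zeek's first header line is "#separator \x09"; every later header line
# and data line uses that separator (a tab).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2026-01-01-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1735689600.123456\tCabc123\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1024\t8192\tSF
1735689601.000000\tCdef456\t10.0.0.5\t53422\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF
1735689602.000000\tCghi789\t10.0.0.7\t40000\t10.0.0.9\t445\ttcp\t-\t-\t-\t-\tS0
#close\t2026-01-01-00-05-00
"""

# Columns the investigation queries in later modules assume a conn.log has.
REQUIRED_CONN_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p",
                        "id.resp_h", "id.resp_p", "proto", "conn_state")


def _decode_separator(raw: str) -> str:
    # Zeek writes the separator escaped, e.g. "\x09" for a tab.
    return raw.encode("ascii").decode("unicode_escape")


def _convert(value: str, ztype: str, unset: str, empty: str) -> Any:
    """Map a raw column to a Python value using the #types declaration."""
    if value == unset:
        return None
    if value == empty:
        return ""
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, enum and set/vector types stay as text


def parse_zeek_log(text: str) -> tuple[dict[str, str], list[dict[str, Any]]]:
    """Return (header directives, typed records) for one Zeek TSV log."""
    header: dict[str, str] = {}
    sep = "\t"
    fields: list[str] = []
    types: list[str] = []
    records: list[dict[str, Any]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_separator(line[len("#separator "):])
                header["separator"] = sep
                continue
            key, _, rest = line[1:].partition(sep)
            header[key] = rest
            if key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            continue
        if not fields or not types:
            raise ValueError("data line appeared before #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"column count {len(values)} != {len(fields)} fields")
        unset = header.get("unset_field", "-")
        empty = header.get("empty_field", "(empty)")
        records.append({f: _convert(v, t, unset, empty)
                        for f, v, t in zip(fields, values, types)})
    return header, records


def validate_conn_log(text: str) -> dict[str, Any]:
    """Post-build check: right log, required columns present, records parsed."""
    header, records = parse_zeek_log(text)
    problems: list[str] = []
    if header.get("path") != "conn":
        problems.append(f"unexpected #path {header.get('path')!r}")
    declared = header.get("fields", "").split(header.get("separator", "\t"))
    missing = [f for f in REQUIRED_CONN_FIELDS if f not in declared]
    if missing:
        problems.append(f"missing fields: {missing}")
    if not records:
        problems.append("no records: test traffic did not reach the capture interface?")
    return {
        "ok": not problems,
        "problems": problems,
        "records": len(records),
        "resp_ports": sorted({r["id.resp_p"] for r in records}),
        "services": Counter(r["service"] or "(none)" for r in records),
    }


if __name__ == "__main__":
    print(validate_conn_log(SAMPLE_CONN_LOG))
```

The same parser reads any Zeek log (dns.log, ssl.log, http.log) because the column names and types come from the file's own header; only the required-field list in the validation step is conn.log-specific.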

You've built the sensor and mapped the evidence landscape.

NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.

  • DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
  • Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
  • Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
  • NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
  • INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration