NF1.12 Module Summary
Module Summary — Building Your NSM Sensor
This module built the sensor that powers every investigation in the rest of this course. Here's what you accomplished and what it means going forward.
What You Built
Sensor architecture (NF1.1). Four components: capture interface, processing engines (Zeek + Suricata), storage, management. Three deployment models: standalone VM (your lab), dedicated appliance, integrated platform. The skills transfer regardless of model.
VM and prerequisites (NF1.2). Ubuntu 24.04 with NTP synchronised, build prerequisites installed, and the /opt/sensor/ directory structure for organized evidence storage. NTP is the most critical system configuration — every timestamp depends on it.
Zeek (NF1.3–NF1.4). Installed from the official repository. Configured with Community ID for Suricata correlation. Produces 20+ log files organized by protocol. The three Tier 1 logs — conn.log, dns.log, ssl.log — are the starting point for every investigation. Tab-separated output with zeek-cut for command-line querying.
Suricata (NF1.5). Installed from the OISF PPA. ET Open ruleset loaded (40,000+ signatures). EVE JSON output with Community ID enabled. Daily rule update via cron. Fires alerts when traffic matches known-bad signatures.
Capture interfaces and BPF (NF1.6). Promiscuous mode, no IP, checksum offload disabled. BPF filters for targeted capture. AF_PACKET sharing for live deployment (covered conceptually — production details in NF13).
Validation (NF1.7). Four checks: Zeek logs complete, Suricata alerts fire, Community ID correlates, zero packet loss. Validation script saved for monthly re-runs.
Investigation queries (NF1.8). Ten reusable patterns: scope (host connections, DNS, top destinations), identify (large transfers, long duration, beaconing), correlate (UID pivot, CID pivot, C2 host enumeration, JA3 search). These patterns answer 90% of investigation questions.
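The CID pivot pattern from this list, as an added example that is not part of the course materials: it joins Zeek conn.log rows (parsed from the #fields header, the same header zeek-cut reads) to Suricata EVE alerts on community_id, and reports alerts that have no conn.log match, since that is exactly the condition the "Community ID correlates" validation check is meant to catch. The log lines, UIDs and signature names are constructed for the example; the file layout follows the real Zeek and EVE formats.

```python
import json

# Constructed sample Zeek conn.log excerpt (tab-separated; the #fields header is what zeek-cut reads).
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\tcommunity_id",
    "1709000000.1\tCabc1x\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\t1800.5\t5200\t24000\t1:EXAMPLE_A=",
    "1709000001.2\tCdef2y\t10.0.0.7\t51235\t198.51.100.20\t53\tudp\t0.02\t60\t120\t1:EXAMPLE_B=",
    "#close\t2024-03-01-00-00-10",
])

# Constructed sample Suricata EVE JSON (one object per line); the second alert has no conn.log row.
EVE_JSON = "\n".join(json.dumps(e) for e in [
    {"event_type": "alert", "community_id": "1:EXAMPLE_A=", "alert": {"signature": "CONSTRUCTED Beacon"}},
    {"event_type": "flow", "community_id": "1:EXAMPLE_B="},
    {"event_type": "alert", "community_id": "1:EXAMPLE_C=", "alert": {"signature": "CONSTRUCTED Policy"}},
])

def parse_conn_log(text):
    """Parse Zeek TSV using the #fields header; other '#' lines (#open, #close, #types) are skipped."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def parse_eve_alerts(text):
    """Keep only event_type == 'alert' records from EVE JSON; flow/dns/etc. records are dropped."""
    return [e for e in map(json.loads, text.splitlines()) if e.get("event_type") == "alert"]

def pivot_on_community_id(conns, alerts):
    """CID pivot: attach the Zeek conn record (uid, duration, bytes) to each Suricata alert.
    Alerts with no conn.log match are returned separately: that is a validation failure
    (Community ID disabled on one side, or a capture gap), not an empty result to ignore."""
    by_cid = {}
    for c in conns:
        by_cid.setdefault(c["community_id"], []).append(c)
    matched, unmatched = [], []
    for a in alerts:
        hits = by_cid.get(a.get("community_id"), [])
        if not hits:
            unmatched.append(a["alert"]["signature"])
        for c in hits:
            matched.append({"signature": a["alert"]["signature"], "uid": c["uid"],
                            "duration": float(c["duration"]), "orig_bytes": int(c["orig_bytes"])})
    return matched, unmatched
```

Run it against real files by reading /opt/sensor/... paths of your own sensor into CONN_LOG and EVE_JSON; a non-empty unmatched list on live data means the correlation check from NF1.7 is failing and should be investigated before the sensor is trusted.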
Maintenance (NF1.9). Daily automation (rules, disk), weekly manual check (NTP, processes, retention), monthly validation (full script, OS updates).
What Comes Next
NF2 — PCAP Acquisition and Management. Full-packet capture with tcpdump: capture strategies, rolling captures, BPF filters for targeted investigation, PCAP file management with editcap and mergecap, evidence-grade capture procedures.
NF3 — DNS: The Protocol That Sees Everything. Your first protocol analysis module. DNS investigation methodology, dns.log deep dive, tunnelling detection, passive DNS, and the DNS trail from INC-NE-2026-0227 (the AiTM phishing campaign).
Your sensor is built. From NF2 onward, every module produces investigation evidence through it.
You've built the sensor and mapped the evidence landscape.
NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.
- DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
- Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
- Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
- NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
- INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration