ISSC 642 Central Texas College NSM Monitoring & Including Collection Tools Paper


Computer Science

ISSC 642

Central Texas College


Question Description


This is a two part questions. First I will need the discussion question answer which will be below in bold, 300 words APA format. For those response I will need three responses of at least 175 words each.

Distinguish between alert data (including generation tools) and previously covered NSM monitoring (including collection tools).

Part two

Student one:

The concepts, tools and data we discussed over the last few weeks help network security monitoring (NSM) analysts distinguish between normal and unusual traffic. Within the NSM concept of collection, analysis and escalation, traffic patterns can be distinguished into different categories of data. These categories include full content data, session data and statistical data. Although distinguishable in type and use, these types of data empower the analyst with information to make security decisions and responses (Bejtlich, 2004).

Alert data can be leveraged to take on some of that decision-making responsibility. Bejtlich (2004) defines alert generation tools as those that ‘make judgements based on the traffic they inspect,’ and are commonly used in Intrusion Detection Systems (IDSs) and NSM deployments. The distinction is clear: alert data goes beyond just presenting traffic data. Alert generation tools can be programmed to recognize traffic patterns as malicious activity or signs of intrusion. Bejtlich (2004) considers this programmed recognition to be ‘judgements,’ and the generated alerts can assist analysts with their respective NSM response strategies. Doing a bit of research on alert data and NSM, I stumbled on a few academic papers that address a problem: utilizing multiple tools and applications in an NSM deployment can actually create large aggregates of alert data that are difficult to sift through and understand. Some other common problems include more important alerts being overshadowed by a high number of less important alerts…and false alerts/false positives (Yao et al., 2016). There are also academic papers in our library that take on the challenge of alert data aggregation and correlation. This is to prevent an NSM analyst from additional tedious work in organizing alert data that, in theory, should effectively assist them in making correct judgements on traffic patterns (Alserhani, 2016).

Beyond the concept of collection, analysis and escalation is detection and response. Alert data is all about detection and response…and can help an analyst associate network traffic with intrusions and malicious activity. The reading holds the Snort IDS in high regard. In the time of writing, Snort was a formidable IDS solution that was opened source and highly supported in the IT/NSM community (Bejtlich, 2004). Two alert generation tools described in depth in the reading include Bro and Seguil. Bro is a powerful IDS tool that command line geeks and programmers may find to be more approachable and customizable (Bejtlich, 2004). Seguil is another alert-based tool in high praise from Bejtlich (2004). This is due for a few reasons: it’s open sourced, has an easy to use graphical user interface, and is a UNIX suite tool compatible with multiple types of types of data (such as session and full content). Of particular note is the fact that Sguil’s alert data is sourced from Snort itself. BONUS, it was also developed by an Air Force veteran (Bejtlich, 2004). Alert tools like Sguil can present a wealth of information to an NSM analyst who must grapple with the decision of response. One of the more poignant take-aways from this week’s reading is that these tools can often tell you more about what didn’t happen in your network traffic – equally as important as what did happen.

I can’t believe we’re almost at the halfway point of this course. Good luck to everyone on their quiz and paper. Unfortunately, Coronavirus is keeping me busy at work, and there is a lot of uncertainty amongst us in the military community. Control what you can control - stay safe, and stay home!



Alserhani, F. (2016). Alert correlation and aggregation techniques for reduction of security alerts and detection of multistage attack. International Journal of Advanced Studies in Computers, Science and Engineering, 5(2), 1–7. Retrieved from

Bejtlich, R. (2004). The Tao of Network Security Monitoring. Boston: Addison-Wesley.

Yao, Y., Wang, Z., Gan, C., Kang, Q., Liu, X., Xia, Y., & Zhang, L. (2016). Multi-source alert data understanding for security semantic discovery based on rough set theory. Neurocomputing, 208, 39–45.

Student two:

The Network security monitoring tools (NSM) monitoring uses tools collect full content data, session data and statistical data. Bejtlich (2005) explains how the tools like tcpdump are used to collect data or ethereal to examine packet headers or Argus to collect session data. All of these NSM monitoring the tools not look at the data for threats to the network. They simply collect and store the data. The alert data is when analysis of the data is collected to determine if there is a potential risk to the network.

Sanders (2012) reveals that network security monitoring is broken down into three phases: collection, detection and analysis. He explains how collection is gathering the relevant network security data and sorting it out. This is the phase where the monitoring tools like tcpdump, Argus and ethereal come into play. Sanders (2012) explains the detection phase is when software or sometimes humans process the data collected to find anomalies in the data that was collected to identify potential intrusions on the network. According to Bejtlich (2005) Squil is a software that gives the user alert data. He explains that Squil uses Snort to provide its alert data. Bejtlich (2005) also identified two network intrusion detection systems that generate alret data: Bro and Prelude.

Sander (2012) identifies the last phase of network security monitoring as the analysis phase. Sanders explains that this is the phase where an analyst will review the alert data and then investigate the data that was collected during the collection phase to determine if there was in fact an intrusion on the network. Sanders (2012) believes the analysis phase is best done by humans and not software or hardware.


Sanders, C. (2012). NSM collection vs. detection. Retrieved from

Bejtlich, R. (2005). The Tao of Network Security Monitoring: Beyond intrusion detection. Boston, MA: Addison-Wesley

Student three:

The full content data, session data, and statistical data tools previously discovered requires the cybersecurity analyst to determine which traffic is normal, and which traffic is either suspicious or malicious (Bejtlich, 2005). Alert data is different than the full content, session, and statistical data tools. The main point of difference is that with alert data tools, the tools themselves are preprogrammed to make a determination on the traffic that they are inspecting (Bejtlich, 2005). Since these tools are making determinations rather than merely presenting the data, they are characterized as alert data tools.

The alert data tools that Bejtlich (2005) discuss in this week’s readings include Bro (and BRA), Prelude, and Sguil. Since publication of our course material, Bro has since become Zeek, and it still remains active and current today (Paxson, 2018) (Corelight, 2020). Outside information on BRA was more limited than Bro, but is the Bro Re-usable Architecture (Manders, BRA: The Bro Re-usable Architecture, 2003). The link to the original BRA release is no longer valid, and its possible it is no longer supported (Manders, BRA, 2020). Bro examines the network traces through libpcap and then passes the data to the Bro event engine, which breaks the data into events, and then makes actions based on Bro’s assessments of the events (Bejtlich, 2005). Prelude, now the Prelude Security Information and Event Management (SIEM) is also still active and supported (Prelude SIEM, 2020). Prelude SIEM imports security alerts from Snort, Systrace and Honeyd virtual honeynet and uses these types of external alert data to build its own alert data (Bejtlich, 2005).

Sguil is somewhat unique among this group as a number of tools make up Sguil. Some of the tools that make up Sguil include Snort, Tcpflow, Tcpdump, and MySQL (Bejtlich, 2005) (Visscher, Sguil: The Analyst Console for Network Security Monitoring, 2014) (Visscher, 2020). We have discussed a number of these tools already in past weeks. Sguil has continues to receive updates since its release over a decade ago, with some of the latest updates on request coming as recently as early March (Visscher, 2020).


Bejtlich, R. (2005). The Tao of Network Security Monitoring. Boston: Addison-Wesley.

Corelight. (2020). Zeek. Retrieved from Corelight.

Manders, C. (2003, July 5). BRA: The Bro Re-usable Architecture. Retrieved from Berkeley University:

Manders, C. (2020). BRA. Retrieved from Unix Helpdesk:

Paxson, V. (2018, October 11). Renaming the Bro Project. Retrieved from Zeek Blog:

Prelude SIEM. (2020). Prelude SIEM. Retrieved from Prelude SIEM:

Visscher, R. (2014). Sguil: The Analyst Console for Network Security Monitoring. Retrieved from Sguil:

Visscher, R. (2020, March 3). bammb / sguil. Retrieved from Github:

Student has agreed that all tutoring, explanations, and answers provided by the tutor will be used to help in the learning process and in accordance with Studypool's honor code & terms of service.

Explanation & Answer


Running head: DISCUSSION


Student’s Name
Institutional Affiliation



Distinguish between alert data (including generation tools) and previously covered NSM
monitoring (including collection tools).
NSM has different definitions. It involves three main phases, analysis, detection, and
collection. For example, collection consists of the process of parsing and gathering relevant types
of network security data that is in place. On the other hand, detection is the process where one
manages to find various anomalies in any data that has been collected, which is done typically by
Further, analysis is considered as the last step where there are reviews and investigation of
the alert data, which is usually created in the opening step of collection (Bejtlich, 2014). The
collected information is generally needed to show different forms of discrete events that could then
result in an attack. Furthermore, the type of research and investigation, which is done in the
analysis stage, is used in defining the kind of data which is collected and the process through which
it can be used.

As discussed from the readings of this week, there are different tools of data such as Sguil,
Prelude, and Bro. However, Bro has continued to remain active, and it is in use today. Bro is used
in examining the traces of the network and the activities tha...

CuvyvcGhgbe (17538)

Just what I needed…Fantastic!