Preface
Part ��Data
1�� Organizing Data�� Vantage�� Domain�� Action�� and Validity
Domain
Vantage
Choosing Vantage
Actions�� What a Sensor Does with Data
Validity and Action
Internal Validity
External Validity
Construct Validity
Statistical Validity
Attacker and Attack Issues
Further Reading
2�� Vantage�� Understanding Sensor Placement in Networks
The Basics of Network Layering
Network Layers and Vantage
Network Layers and Addressing
MAC Addresses
IPv4 Format and Addresses
IPv6 Format and Addresses
Validity Challenges from Middlebox Network Data
Further Reading
3�� Sensors in the Network Domain
Packet and Frame Formats
Rolling Buffers
Limiting the Data Captured from Each Packet
Filtering Specific Types of Packets
What If It's Not Ethernet?
NetFlow
NetFlow v5 Formats and Fields
NetFlow Generation and Collection
Data Collection via IDS
Classifying IDSs
IDS as Classifier
Improving IDS Performance
Enhancing IDS Detection
Configuring Snort
Enhancing IDS Response
Prefetching Data
Middlebox Logs and Their Impact
VPN Logs
Proxy Logs
NAT Logs
Further Reading
4�� Data in the Service Domain
What and Why
Logfiles as the Basis for Service Data
Accessing and Manipulating Logfiles
The Contents of Logfiles
The Characteristics of a Good Log Message
Existing Logfiles and How to Manipulate Them
Stateful Logfiles
Further Reading
5�� Sensors in the Service Domain
Representative Logfile Formats
HTTP�� CLF and ELF
Simple Mail Transfer Protocol (SMTP)
Sendmail
Microsoft Exchange�� Message Tracking Logs
Additional Useful Logfiles
Staged Logging
LDAP and Directory Services
……