Introduction to Network Security Monitoring: Detecting Threats on Your Network

Network security monitoring (NSM) is the practice of collecting and analyzing network data to detect signs of malicious activity. You don’t need an enterprise budget to implement it — open-source tools like Zeek, Suricata, and Security Onion can give you enterprise-grade visibility at zero licensing cost.

Why Monitor Your Network?

The average time to detect a breach is 207 days (IBM Cost of a Data Breach Report). That’s seven months of attackers living in your network before anyone notices. Network monitoring dramatically reduces this detection gap by alerting on suspicious activity as it happens.

Key Concepts in NSM

What to Capture

  • Full packet capture (PCAP) — Complete raw traffic. Maximum detail, huge storage requirements.
  • Flow data (NetFlow/IPFIX) — Summarized metadata: who talked to whom, when, how much data. Storage-efficient, still very useful for detection.
  • Logs — Firewall logs, DNS queries, DHCP leases, authentication events.
  • Protocol analysis — Parsing specific protocols (HTTP, DNS, TLS) to extract intelligence.

Setting Up Zeek for Network Monitoring

# Zeek (formerly Bro) — passive network analysis framework
# Install on Ubuntu/Debian:
sudo apt install zeek

# Add Zeek to PATH:
export PATH=/opt/zeek/bin:$PATH

# Configure network interface to monitor:
sudo nano /opt/zeek/etc/node.cfg

[zeek]
type=standalone
host=localhost
# Change eth0 to your monitoring interface
interface=eth0

# Start Zeek:
sudo zeekctl deploy

# Zeek automatically generates structured logs:
# /opt/zeek/logs/current/
ls /opt/zeek/logs/current/
# conn.log     — all network connections
# dns.log      — all DNS queries and responses
# http.log     — all HTTP transactions
# ssl.log      — TLS/SSL connections and certificates
# files.log    — all transferred files with hashes
# notice.log   — security notices and alerts

Detecting Threats with Zeek Logs

# Find DNS requests to suspicious TLDs (dots escaped so "xyz" does not match "abcxyz"):
cat /opt/zeek/logs/current/dns.log | zeek-cut query | grep -E "\.ru$|\.cn$|\.xyz$" | sort | uniq -c | sort -rn | head -n 20

# Find unusually large data transfers (possible exfiltration):
cat /opt/zeek/logs/current/conn.log | zeek-cut id.orig_h id.resp_h resp_bytes | awk '$3 > 10000000' | sort -k3 -rn | head -n 20

# Find all connections to external IPs on port 22 (SSH outbound):
# (filters on the responder address; adjust the RFC 1918 ranges to your addressing)
cat /opt/zeek/logs/current/conn.log | zeek-cut id.orig_h id.resp_h id.resp_p | awk '$3 == 22 && $2 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/'

# Find self-signed certificates (common in malware C2):
# (OpenSSL writes "self signed" or "self-signed" depending on version, so match both)
cat /opt/zeek/logs/current/ssl.log | zeek-cut server_name validation_status | grep -i "self.signed"

Suricata: Network Intrusion Detection

# Suricata: High-performance IDS/IPS/NSM
# Install:
sudo apt install suricata

# Update rules (uses Emerging Threats rules):
sudo suricata-update

# Configure interface to monitor:
sudo nano /etc/suricata/suricata.yaml
# Find: af-packet:
#   - interface: eth0   ← Change to your interface

# Start Suricata:
sudo systemctl enable --now suricata

# Watch for alerts in real-time:
tail -f /var/log/suricata/fast.log

# Full JSON alert log (one JSON object per line; jq streams it, whereas python3 -m json.tool waits for EOF and never prints under tail -f):
tail -f /var/log/suricata/eve.json | jq .

Security Onion: The Full NSM Platform

Security Onion is a free, open-source Linux distro that bundles Zeek, Suricata, Elasticsearch, Kibana, and more into a single deployable NSM platform. It’s the easiest way to get a full NSM stack running.

# Download Security Onion ISO from: securityonion.net
# System requirements: 4 CPU cores, 16GB RAM, 200GB storage (minimum)

# After installation, access the web UI:
https://YOUR_SENSOR_IP

# Security Onion includes:
# - Hunt (threat hunting interface)
# - Alerts (Suricata IDS alerts)
# - Dashboards (Kibana pre-built dashboards)
# - Cases (incident management)
# - PCAP (full packet capture playback)

Key Indicators of Compromise (IOCs) to Watch For

  • Beaconing — Regular, periodic outbound connections to the same external IP (malware checking in with C2)
  • DNS tunneling — Unusually long DNS queries or high query volume to a single domain
  • Port scanning — One internal host connecting to many others on unusual ports
  • Lateral movement — SMB/RDP connections between workstations (they shouldn’t talk to each other normally)
  • Large outbound transfers — Gigabytes leaving the network to an unknown external host

# Quick IOC check with Zeek: detect beaconing behavior
# A host connecting to the same IP every 5 minutes is suspicious
cat /opt/zeek/logs/current/conn.log | zeek-cut ts id.orig_h id.resp_h duration | 
awk '{print $2, $3}' | sort | uniq -c | sort -rn | head -n 20
# High count + same external IP = potential beaconing
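The count-based check above only tells you that a pair talks a lot; beaconing is about regularity. As an added example (not code from the original article or from the Zeek project), here is a small reader for Zeek's TSV logs driven by the #fields header, reusable for the conn/dns/ssl pipelines in the earlier section, plus a detector that measures how evenly spaced a host's connections to one destination are. The conn.log sample, the hosts and the thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample in Zeek's TSV layout (not captured traffic): 10.0.0.5
# reaches 203.0.113.7 every ~300 s (beacon-like), 10.0.0.9 reaches 198.51.100.4
# at irregular times (ordinary browsing). Record C3 has '-' (unset) fields.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes
1700000000.000\tC1\t10.0.0.5\t50001\t203.0.113.7\t443\ttcp\t0.5\t120\t340
1700000301.200\tC2\t10.0.0.5\t50002\t203.0.113.7\t443\ttcp\t0.4\t118\t338
1700000600.900\tC3\t10.0.0.5\t50003\t203.0.113.7\t443\ttcp\t-\t-\t-
1700000901.100\tC4\t10.0.0.5\t50004\t203.0.113.7\t443\ttcp\t0.6\t121\t339
1700000010.000\tC5\t10.0.0.9\t50101\t198.51.100.4\t443\ttcp\t2.1\t900\t52000
1700000045.000\tC6\t10.0.0.9\t50102\t198.51.100.4\t443\ttcp\t1.0\t400\t8000
1700000700.000\tC7\t10.0.0.9\t50103\t198.51.100.4\t443\ttcp\t3.3\t700\t91000
1700001300.000\tC8\t10.0.0.9\t50104\t198.51.100.4\t443\ttcp\t0.9\t300\t4000
"""

def read_zeek_log(text):
    """Yield one dict per record, keyed by the names on the #fields line.
    Zeek writes '-' for unset fields; those become None."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) and blanks
        else:
            yield {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}

def find_beacons(text, min_connections=4, max_cv=0.1):
    """Group connections by (orig_h, resp_h); flag pairs with at least min_connections
    whose gaps between successive starts are regular (stdev/mean <= max_cv)."""
    starts = defaultdict(list)
    for rec in read_zeek_log(text):
        starts[(rec["id.orig_h"], rec["id.resp_h"])].append(float(rec["ts"]))
    beacons = {}  # (orig_h, resp_h) -> mean gap in seconds
    for pair, times in starts.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = mean
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_CONN_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {period:.0f} s")
```

On a real sensor, replace SAMPLE_CONN_LOG with the contents of /opt/zeek/logs/current/conn.log and tune min_connections and max_cv to your traffic; a jittered implant raises the coefficient of variation, so treat max_cv as a starting point, not a verdict.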

Wrap Up

Network security monitoring turns your network from a black box into a transparent environment where attacks leave visible traces. Start with Zeek on a spare machine or VM — even partial visibility is vastly better than none. Once you’re comfortable reading Zeek logs, Security Onion gives you a production-grade NSM platform at zero cost.