Skip to content

Services, Wiki-Artikel, Blog-Beiträge und Glossar-Einträge durchsuchen

↑↓NavigierenEnterÖffnenESCSchließen
Netzwerksicherheit Glossary

Network Monitoring / NDR

Network Monitoring monitors network traffic for anomalies, outages, and attacks. Network Detection and Response (NDR) is the security-focused evolution of this technology: using behavioral analysis, machine learning, and threat intelligence, NDR also detects zero-day attacks, lateral movement, and data exfiltration within the internal network.

Network Monitoring is the continuous monitoring of network devices, connections, and traffic for performance issues and security incidents. NDR (Network Detection and Response) goes a step further: It analyzes all network traffic using behavior-based analysis and detects attacks that bypass endpoint security solutions.

Network Monitoring vs. NDR

Traditional Network Monitoring

  • Availability: Is the router/switch reachable?
  • Performance: Bandwidth, latency, packet loss
  • Configuration: Changes to network devices
  • Tools: PRTG, Zabbix, Nagios, LibreNMS

Network Detection and Response (NDR)

  • Security Focus: Attack detection in traffic
  • Behavior-Based: Deviations from the baseline
  • Threat Intelligence: Known IoCs, C2 domains
  • ML-based: Detects unknown attack patterns
  • Response: Manual or automated response
  • Tools: Darktrace, Vectra, Cisco Stealthwatch, Zeek+SIEM

NDR detects what EDR misses

Scenario: Attacker uses legitimate admin tools (WMI, PowerShell Remoting)

  • Endpoint: sees normal admin processes, no alert
  • NDR: sees unusual east-west traffic, alert

Scenario: Compromised IoT device exfiltrates data

  • Endpoint: no agent possible on IoT device
  • NDR: sees DNS tunneling patterns, alert

Network Flow Analysis - NetFlow/IPFIX

NetFlow does not capture complete packets (too much memory), but rather flow data: source, destination, port, protocol, bytes, packets, time. Generated by routers, switches, and firewalls.

NetFlow entry example:

Src-IP:Port        Dst-IP:Port           Proto  Bytes    Pkts    Start-Time
10.0.1.50:443      93.184.216.34:443     TCP    15.2MB   12400   09:15:03.000

What NetFlow analysis detects:

  • Port scans: many connections from a single source
  • Data exfiltration: unusually high outgoing bytes
  • Beaconing: regular connections to the same IP (C2 indicator)
  • Lateral movement: unusual internal connection patterns
  • DNS tunneling: excessive number of DNS queries

Open-source NetFlow collection with nfdump/nfsen:

# nfcapd: NetFlow collector
nfcapd -D -l /var/cache/nfdump -p 2055 -T all

# Analysis: Top 10 talkers (last hour)
nfdump -R /var/cache/nfdump -n 10 -s record/bytes

# Search for suspicious DNS query volumes
nfdump -R /var/cache/nfdump \
  -A srcip -s record/bytes \
  'proto udp and dst port 53' | head -20

Deep Packet Inspection (DPI) and Zeek

Zeek (formerly Bro) - Network Analysis Framework

Zeek generates structured logs from network traffic without real-time blocking. It is extremely valuable for forensics and threat hunting.

apt install zeek

Basic configuration (/etc/zeek/node.cfg):

[zeek]
type=standalone
host=localhost
interface=eth0
# Start:
zeekctl deploy

Zeek logs (in /var/log/zeek/current/):

LogContent
conn.logall TCP/UDP/ICMP connections
dns.logall DNS queries (extremely valuable)
http.logHTTP requests (User-Agent, URL, status)
ssl.logTLS connections (certificate, JA3 hash)
files.logtransferred files (MD5 hash)
x509.logcertificate details
weird.loganomalous behavior (RFC violations)
notice.logZeek alerts

DNS log example:

ts          uid     id.orig_h    query               qtype   answer
1709.123456 Cfk8G0  10.0.1.50   evil.c2server.com   A       45.33.32.156
1709.123457 Cfk8G1  10.0.1.50   evil.c2server.com   A       45.33.32.156
# ↑ Repeated queries to the same domain = beaconing indicator!

JA3/JA3S - TLS Fingerprinting:

  • Fingerprint of the TLS client (which cipher suites, extensions?)
  • Known malware has known JA3 hashes
  • Zeek automatically generates JA3 in ssl.log
  • Threat Intel: ssl-bl.abuse.ch JA3 blacklist

Practical Anomaly Detection

1. Port Scan Detection (Zeek Notice Policy)

event notice(n: Notice::Info) {
  if (n$note == Scan::Port_Scan) {
    print fmt("PORT SCAN from %s", n$src);
  }
}

2. Suspected DNS Tunneling (KQL for Microsoft Sentinel)

DnsEvents
| where TimeGenerated > ago(1h)
| summarize QueryCount=count(), Domains=dcount(Name)
    by ClientIP
| where QueryCount > 500 or Domains > 100
| order by QueryCount desc

3. Beaconing Detection (Regular C2 Connections)

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| summarize ConnectionCount=count(),
            AvgInterval=avg(TimeGenerated)
    by DeviceName, RemoteIP, RemotePort
| where ConnectionCount > 50
| extend RegularBeacon = ConnectionCount > 100
| where RegularBeacon == true

4. Data Exfiltration Detection

DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIPType == "Public"
| summarize TotalBytesSent=sum(SentBytes)
    by DeviceName, RemoteIP
| where TotalBytesSent > 100000000  // >100 MB to an external IP
| order by TotalBytesSent desc

5. Lateral Movement (Unusual Admin Connections)

SecurityEvent
| where EventID in (4624, 4648)  // Logon Events
| where LogonType in (3, 10)     // Network + Remote Interactive
| summarize count() by
    SourceComputerName, TargetComputerName, Account
| where count_ > 10
| order by count_ desc

NDR Products Compared

Open Source / Free

Zeek + ELK Stack

  • Zeek generates logs, Elasticsearch indexes them, Kibana visualizes them
  • Free, but setup is time-consuming (~2 days)
  • Ideal for threat hunting and forensics
  • No ML/anomaly detection out-of-the-box

Suricata + MISP

  • Suricata: Real-time signature and anomaly detection
  • MISP: Threat Intelligence Platform (IoC feeds)
  • Combination: New IoC in MISP → Automatic Suricata rule
  • Free, active community

Security Onion

  • All-in-one distribution: Zeek + Suricata + ELK + Kibana
  • Ideal for getting started with network monitoring
  • ISO: security-onion.net

Commercial NDR Solutions

Darktrace

  • AI-based anomaly detection (proprietary AI)
  • “Self-learning”: learns its own environment
  • Automated response (Antigena) possible
  • Very expensive, starting at approx. 50,000 EUR/year

Vectra AI

  • Attack Signal Intelligence
  • Focus: Privilege Escalation, Lateral Movement
  • Good for Active Directory Monitoring
  • Mid-market pricing

Cisco Stealthwatch (Secure Network Analytics)

  • NetFlow-based, scales for large networks
  • Integration into the Cisco security ecosystem
  • Suitable for existing Cisco infrastructure

Recommendations for SMBs:

  • Zeek + Elastic Security SIEM (open source)
  • ExtraHop Reveal(x) (mid-market, good value for money)
  • Corelight (Zeek Enterprise, support included)

AWARE7 Services on This Topic

Penetrationstest Netzwerk
Back to Glossary Book a free consultation