Monitoring and Logging Network Traffic

Overview

This lab focused on configuring and analyzing network monitoring and logging tools to improve visibility and detection of potential security threats. Technologies used included pfSense firewall logging, Snort IDS, Kiwi Syslog Server, and Splunk SIEM.

Objectives

  • Configure and review pfSense system and firewall logs

  • Deploy and monitor Snort intrusion detection on LAN and DMZ interfaces

  • Forward firewall logs to a centralized syslog server

  • Ingest and analyze security events using Splunk

  • Simulate and detect network attacks and breaches

Key Activities

  • Enabled and reviewed pfSense logging for system and firewall events

  • Configured Snort with community rules and monitored ICMP activity

  • Implemented centralized logging using Kiwi Syslog Server

  • Indexed and searched logs within Splunk

  • Simulated reconnaissance using Nmap and analyzed results

  • Conducted a DMZ breach simulation using Infection Monkey

  • Correlated IDS alerts and logs to identify malicious activity

Results and Analysis

The lab demonstrated how multiple monitoring tools work together to provide comprehensive network visibility. Snort successfully detected suspicious traffic, including ICMP and scanning activity, while Splunk enabled centralized search and analysis of these events.

A key finding was that log data was not well-structured when ingested into Splunk. Important fields such as source and destination IP addresses were embedded within raw log messages, so searches had to match on raw text instead of filtering and aggregating on extracted fields, reducing the efficiency of analysis.
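One practical remedy is to parse the raw firewall messages into named fields before (or as) they reach the SIEM. The script below is an added example and is not part of the lab or of pfSense or Splunk; it assumes the pfSense filterlog CSV layout described in its docstring, the sample syslog lines in it are constructed, and the fan-out threshold and field names are choices made for the example.

```python
"""Parse pfSense filterlog syslog lines into structured fields and summarise them.

Added example (not from the lab). Assumed layout of the filterlog CSV payload:
common fields (rule number, sub-rule number, anchor, tracker id, interface,
reason, action, direction, IP version), then IPv4- or IPv6-specific fields that
end in source and destination address, then protocol-specific fields
(ports for tcp/udp, type for icmp). The SAMPLE_LOG lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines: three blocked SYNs from one source to three ports,
# one permitted ICMP echo request and one permitted IPv6 DNS query.
SAMPLE_LOG = """\
Jan 10 12:00:01 pfsense filterlog[4567]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,10001,0,DF,6,tcp,60,192.0.2.10,10.0.0.5,44321,22,0,S,1111111111,,65535,,mss
Jan 10 12:00:02 pfsense filterlog[4567]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,10002,0,DF,6,tcp,60,192.0.2.10,10.0.0.5,44322,80,0,S,2222222222,,65535,,mss
Jan 10 12:00:03 pfsense filterlog[4567]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,10003,0,DF,6,tcp,60,192.0.2.10,10.0.0.5,44323,443,0,S,3333333333,,65535,,mss
Jan 10 12:00:04 pfsense filterlog[4567]: 7,,,1000000104,em0,match,pass,in,4,0x0,,64,10004,0,none,1,icmp,84,10.0.0.7,10.0.0.5,request,4321,1
Jan 10 12:00:05 pfsense filterlog[4567]: 9,,,1000000105,em0,match,pass,out,6,0x00,0x00000,64,udp,17,40,2001:db8::1,2001:db8::53,51000,53,8
"""

# Syslog prefix written by pfSense: "<Mon DD HH:MM:SS> <host> filterlog[<pid>]: <csv>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\sfilterlog\[\d+\]:\s(?P<csv>.+)$"
)

COMMON_FIELDS = ["rule", "subrule", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ipver"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags",
               "proto_id", "proto", "length", "src", "dst"]
IPV6_FIELDS = ["traffic_class", "flow_label", "hop_limit",
               "proto", "proto_id", "length", "src", "dst"]


def parse_filterlog(line):
    """Return a dict of named fields for one filterlog line, or None if the
    line is not a filterlog record or is too short to hold the assumed layout."""
    match = SYSLOG_RE.match(line.strip())
    if not match:
        return None
    parts = match.group("csv").split(",")
    if len(parts) < len(COMMON_FIELDS):
        return None
    event = {"timestamp": match.group("timestamp"), "host": match.group("host")}
    event.update(zip(COMMON_FIELDS, parts))
    rest = parts[len(COMMON_FIELDS):]

    ip_fields = IPV4_FIELDS if event["ipver"] == "4" else IPV6_FIELDS
    if len(rest) < len(ip_fields):
        return None
    event.update(zip(ip_fields, rest))
    rest = rest[len(ip_fields):]

    # Protocol-specific tail: tcp/udp carry src port, dst port, data length,
    # and tcp adds its flags as the fourth field; icmp carries the type first.
    proto = event["proto"].lower()
    if proto in ("tcp", "udp") and len(rest) >= 2:
        event["src_port"] = int(rest[0])
        event["dst_port"] = int(rest[1])
        if proto == "tcp" and len(rest) >= 4:
            event["tcp_flags"] = rest[3]
    elif proto == "icmp" and rest:
        event["icmp_type"] = rest[0]
    return event


def parse_log(text):
    """Parse every line of a syslog capture, skipping lines that do not parse."""
    return [e for e in (parse_filterlog(l) for l in text.splitlines()) if e]


def to_kv(event):
    """Render an event as key=value pairs, a layout that SIEM search-time field
    extraction (such as Splunk's default key=value extraction) picks up without
    a custom regex; empty fields are dropped."""
    return " ".join(f"{k}={v}" for k, v in event.items() if v != "")


def blocked_port_fan_out(events, threshold=3):
    """Return {src: sorted dst ports} for sources whose blocked attempts hit at
    least `threshold` distinct destination ports: a simple indicator of the
    kind of scanning activity the IDS flagged, now derivable from firewall
    fields alone. The threshold is an arbitrary example value."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "block" and "dst_port" in e:
            ports[e["src"]].add(e["dst_port"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ev in parsed:
        print(to_kv(ev))
    print("blocked port fan-out:", blocked_port_fan_out(parsed))
```

Running the script prints each constructed line as key=value pairs and then reports the source that probed several blocked ports. In a deployment the same parsing would sit either in the syslog relay (rewriting lines before forwarding) or as a search-time field extraction in the SIEM; the point is that once `src`, `dst`, `dst_port` and `action` are fields, the correlation described in the results becomes a query over fields rather than a text search.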

The DMZ breach simulation highlighted a critical security concern: insufficient network segmentation allowed potential lateral movement from the DMZ to the internal network.

Skills Developed

  • Firewall and IDS configuration

  • Log management and forwarding

  • SIEM data analysis and querying

  • Network attack detection and analysis

  • Security monitoring and incident awareness

Conclusion

This lab reinforced the importance of centralized logging and structured data for effective security monitoring. While detection tools were functional, improvements in log parsing, field extraction, and visualization are necessary to enhance response time and overall security posture.

Lab File