Alert Data and NSM Tools for Intrusion Detection


The Network Security Monitoring (NSM) data types discussed previously are full content data (FCD), session data and statistical data. The purpose of each NSM data type is to support decisions based on views of network traffic. An NSM tool assists the analyst(s) in deciding whether an identified event is nonthreatening, suspicious, or malicious; once the event is classified, the tool leads the analyst to the next action. NSM tools, as described by Bejtlich (2013), assist analysts in three ways. The first is to make it easy for them to review many types of NSM data in a single interface. The second, as Bejtlich (2013) describes it, is to enable the analyst(s) to pivot from one type of data to another, and the third is that the NSM tool captures the outcome of the analyst's decision-making process. NSM tools allow one or many analysts to work toward a shared objective. Examples of data collection tools are Tcpdump, Snort, Cisco NetFlow and Cisco Account, as Bejtlich (2004) points out.

Alert Data

Alert data does not itself need analysis because it already records whether monitored network traffic produced or triggered a notification or alert, as described by Bejtlich (2013). Alert data is created by a judgement made by a tool, a typical example being an intrusion detection system (IDS), about a characteristic of the network traffic.

Sguil is an example of a cross-platform NSM application intended to incorporate alert, session, and full content data streams into a single graphical interface. The Sguil tool, as Bejtlich (2004) points out, permits speedy, combined access to alerts, full content data, and session data.
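The pivot from alert data to session data described above, as an added example that is not code from the post, from Sguil, or from Bejtlich's books: constructed Snort-style "fast" alert lines are parsed and joined by 5-tuple to constructed session records, so that each alert is shown with the flow it belongs to (the alert format, the session field names and all sample values are assumptions).

```python
"""Join IDS alert data to session data on the connection 5-tuple."""
import re

# Snort "fast" alert layout (assumed here; sample lines are constructed).
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:1000001:1] CONSTRUCTED outbound policy violation [**] [Classification: Policy Violation] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.7:443
01/15-10:24:02.000100  [**] [1:1000002:1] CONSTRUCTED inbound recon [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 198.51.100.9:40000 -> 192.168.1.10:22
"""

# Constructed session records in the style of a flow collector.
SAMPLE_SESSIONS = [
    {"proto": "tcp", "src": "192.168.1.10", "sport": 51234,
     "dst": "203.0.113.7", "dport": 443, "bytes": 18432, "dur": 4.2},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 51235,
     "dst": "203.0.113.7", "dport": 443, "bytes": 900, "dur": 0.1},
]

def parse_alerts(text):
    """Return one dict per parsable alert line; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            out.append(d)
    return out

def session_key(proto, src, sport, dst, dport):
    # Direction-independent key: an alert may fire on either side of a flow.
    ends = sorted([(src, int(sport)), (dst, int(dport))])
    return (proto.upper(), ends[0], ends[1])

def pivot(alerts, sessions):
    """Attach to each alert every session record sharing its 5-tuple."""
    index = {}
    for s in sessions:
        k = session_key(s["proto"], s["src"], s["sport"], s["dst"], s["dport"])
        index.setdefault(k, []).append(s)
    return [{"alert": a, "sessions": index.get(session_key(
        a["proto"], a["src"], a["sport"], a["dst"], a["dport"]), [])}
        for a in alerts]
```

An alert with no matching session (the second sample) is itself a finding: the analyst knows the session data for that window is missing or the flow was never recorded.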

The hybrid IDS called Prelude, as Bejtlich (2004) points out, is a product that is able to collect alert data from many different security applications and/or generate alert data of its own using its own software features. Prelude is able to accept data from Systrace, Snort or Honeyd.

The network intrusion detection analysis tool named Bro collects network traces using libpcap and the Berkeley Packet Filter (BPF), and these traces are consumed by the Bro event engine, as described by Bejtlich (2004). The Bro event engine inspects the traffic and groups packets into events. Event definitions are specified in policy files, as Bejtlich (2004) points out, and Bro can be set up to take action based on its assessment of the events. An action could consist of inserting event details into a database, sending an e-mail or even opening a support request in the problem management system.

References

Bejtlich, R. (2004). The Tao of network security monitoring: Beyond intrusion detection. Addison-Wesley Professional.

Bejtlich, R. (2013). The practice of network security monitoring: Understanding incident detection and response. No Starch Press.
