CND (312-38) Network Defense Simulation
Network Scenario
The enterprise Security Operations Center (SOC) is redesigning its SIEM architecture to improve the ingestion of security events from network infrastructure (routers, core switches, firewalls). The team needs to configure these edge devices to transmit events to the central collector immediately upon occurrence to minimize latency in threat detection.
Traffic & Logs
Review the following configuration extract from a core router and the resulting network traffic packet capture:
Question
Syslog and SNMP are the two main _______ protocols through which log records are transferred.
Look at packets 124 and 125 in the log snippet. Does the SIEM server (10.10.50.100) ask for these events, or does the router (10.10.10.1) send them automatically when the BGP neighbor goes down?
Expert Analysis
1. What is happening in the network
Network devices are configured to forward critical telemetry—specifically Syslog messages and SNMP Traps—to a centralized SIEM or log collector. The packet capture shows an event (BGP neighbor going down) triggering immediate, unsolicited data transmissions from the router to the collector.
2. Identify attack or behavior
We are observing standard centralized logging behavior. Unidirectional UDP traffic (Syslog on port 514, SNMP Traps on port 162) is originating from the network device. The SIEM is passively listening for these incoming streams of event records.
3. Why correct answer is correct
B. Push-based is correct. Syslog and SNMP Traps utilize a push-based model. The client (network device) initiates the transmission and "pushes" the log data to the server (collector) as soon as an event is generated, without waiting for the server to request it.
4. Why others are wrong
- A. Pull-based: This model requires the central server to actively query devices for information (like the SNMP get-request in packet 126). While SNMP polling is pull-based, the transfer of event records via Syslog and SNMP Traps is not.
- C. Host-based / D. Network-based: These terms describe where logs are generated or observed (e.g., a host-based IDS vs. a network-based IDS), not the architectural mechanism used to transfer the data.
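The push exchange described above, as an added Python example that is not part of the original simulation: the collector binds first and only listens, the "router" sends its Syslog datagrams without any request, and the collector decodes the RFC 3164 PRI field (facility * 8 + severity) of each record. Loopback and an ephemeral port stand in for 10.10.10.1 sending to 10.10.50.100:514, and the two Cisco-style BGP messages (including the neighbor address 10.10.10.2) are constructed for the example, not taken from the capture.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164 severity codes 0-7 and the commonly used facility codes.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  **{16 + i: f"local{i}" for i in range(8)}}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    source: str    # IP the datagram came from; NOT authenticated over UDP
    message: str

    @property
    def label(self) -> str:
        fac = FACILITY_NAMES.get(self.facility, f"facility{self.facility}")
        return f"{fac}.{SEVERITY_NAMES[self.severity]}"


def build_syslog(facility: int, severity: int, message: str) -> bytes:
    """What the device sends: PRI = facility*8 + severity, then the message text."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return f"<{facility * 8 + severity}>{message}".encode()


def parse_syslog(raw: bytes, source: str) -> SyslogEvent:
    """What the collector does with one datagram: split PRI into facility/severity."""
    text = raw.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if m is None:
        # RFC 3164 section 4.3.3: a message without a valid PRI is treated as <13>, user.notice
        return SyslogEvent(1, 5, source, text)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return SyslogEvent(pri // 8, pri % 8, source, m.group(2))


def push_demo(port: int = 0):
    """Collector binds and waits; the 'router' sends unsolicited (push model).
    Assumption: loopback and an ephemeral port replace 10.10.10.1 -> 10.10.50.100:514."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    router = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        collector.bind(("127.0.0.1", port))
        collector.settimeout(2.0)
        dest = collector.getsockname()
        # Constructed messages modelled on Cisco IOS syslog output (facility local7 = 23
        # by default); the neighbor address 10.10.10.2 is a placeholder, not from the capture.
        samples = [
            (5, "%BGP-5-ADJCHANGE: neighbor 10.10.10.2 Down BGP Notification sent"),
            (3, "%BGP-3-NOTIFICATION: sent to neighbor 10.10.10.2 4/0 (hold time expired) 0 bytes"),
        ]
        for sev, text in samples:
            router.sendto(build_syslog(23, sev, text), dest)   # no request precedes this
        events = []
        for _ in samples:
            data, (src, _) = collector.recvfrom(4096)
            events.append(parse_syslog(data, src))
        return events
    finally:
        router.close()
        collector.close()


if __name__ == "__main__":
    for ev in push_demo():
        print(f"{ev.source} {ev.label}: {ev.message}")
```

Note that `source` is whatever the IP header claims: with UDP Syslog the collector has no way to verify it, which is why the defensive action below restricts sources at the firewall and prefers TLS for critical paths.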
5. Defensive action
Ensure network firewalls permit inbound UDP 514 (Syslog) and UDP 162 (SNMP Traps) to the SIEM only from trusted infrastructure management subnets. Treat that filtering as containment, not authentication: UDP source addresses are trivially spoofed, so any host that can reach the collector from a permitted subnet can inject forged events. For critical environments, move from UDP Syslog to Syslog over TLS (RFC 5425, TCP port 6514) so that delivery is acknowledged and the stream cannot be read or altered in transit, and send traps with SNMPv3 authentication and privacy rather than SNMPv1/v2c community strings.
MINI LESSON: Push vs. Pull Telemetry
- Push-based (Syslog / SNMP Traps / NetFlow): Excellent for near real-time threat detection, since the device sends the record the moment the event occurs. However, an attacker who can trigger a burst of events (e.g., rapid authentication failures) produces a log flood that can overwhelm the SIEM, and with UDP transport the excess datagrams are dropped silently, so the loss itself goes unnoticed.
- Pull-based (SNMP Polling / API queries): The SIEM controls the rate of ingestion, preventing overload. However, transient events that occur and resolve between polling intervals might be completely missed by the defender.
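One collector-side mitigation for the push-model flood described above, as an added Python example that is not part of the original lesson: a sliding-window limiter admits at most N events per source per window and counts what it suppresses, so a single chatty device cannot starve the rest of the fleet and the loss is visible as a number rather than as silent UDP drops. The timestamps, source addresses and Cisco-style message texts are constructed for the example; the per-source limit and window are assumed values a SOC would tune.

```python
from collections import defaultdict, deque


class SourceRateLimiter:
    """Admit at most `limit` events per `window` seconds from each source.
    Rejected events are counted per source instead of being lost silently."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._recent = defaultdict(deque)    # source -> timestamps still inside the window
        self.suppressed = defaultdict(int)   # source -> number of events dropped

    def admit(self, source: str, ts: float) -> bool:
        q = self._recent[source]
        while q and ts - q[0] >= self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.limit:
            self.suppressed[source] += 1
            return False
        q.append(ts)
        return True


def replay(events, limit: int = 5, window: float = 1.0):
    """Run (timestamp, source, message) tuples through the limiter in arrival order.
    Returns the admitted events and a per-source count of suppressed ones."""
    limiter = SourceRateLimiter(limit, window)
    admitted = [e for e in events if limiter.admit(e[1], e[0])]
    return admitted, dict(limiter.suppressed)


def constructed_flood():
    """Constructed sample: one BGP event from 10.10.10.1, then 20 login failures
    from the same router in 0.2 s (the attacker-triggered burst), then one
    unrelated event from a second device that must still get through."""
    events = [(0.0, "10.10.10.1", "%BGP-5-ADJCHANGE: neighbor 10.10.10.2 Down BGP Notification sent")]
    events += [(0.1 + i * 0.01, "10.10.10.1",
                "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7]")
               for i in range(20)]
    events.append((0.5, "10.10.20.1", "%SYS-5-CONFIG_I: Configured from console by admin on vty0"))
    return events


if __name__ == "__main__":
    kept, dropped = replay(constructed_flood())
    for ts, src, msg in kept:
        print(f"{ts:5.2f} {src} {msg}")
    print("suppressed per source:", dropped)
```

The suppressed counter is the important output: a sudden non-zero value for a source is itself a detection (someone is generating events faster than that device normally does), and it tells the analyst how much of the burst the SIEM never saw. In production this logic belongs in the collector (rsyslog, syslog-ng or the SIEM's own input) rather than in a script, but the accounting is the same.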