SNORT - network monitoring

Posted on 2013-12-07
Last Modified: 2016-03-23
I am setting up a passive network monitoring system. By that I mean it will monitor any irregular traffic and any irregular poke on computer TCP/IP ports by initially establishing a baseline of traffic and ports that are allowed to be accessed. The system should alarm on any irregular activities within the network. Is there any software besides SNORT that will do the job? I will need daily reports as well as incident reports. They should be created automatically. Any idea what is needed to set up such a system?
Question by: tommym121
LVL 63

Assisted Solution

btan earned 300 total points
ID: 39704005
There is WinIDS (from Snort too); there is quite a bit of coverage in the guides at the left side bar.

Another example, e.g.:

You can also find a command-line based manual in HTML for Snort.
Specifically, check out the NIDS mode.

Worth exploring, e.g. Security Onion, which is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools.

Can check out the comparison between Snort/Suricata/Bro (may be out-dated, but serves as a kickstarter):

> Suricata, which is another good candidate, is the Open Source Next Generation Intrusion Detection and Prevention Engine. Supposed to be a multi-threaded alternative to Snort.

> Another: Bro is an open source Unix-based network monitoring framework. Often compared to network intrusion detection systems (NIDS), Bro can be used to build a NIDS but is much more.

Slightly off-topic, if interested, is passive network discovery:

Metasploit's MetaModule

This SANS paper (it has a "Passive Network Mapping" section)
LVL 38

Assisted Solution

by: Rich Rumble
Rich Rumble earned 200 total points
ID: 39704173
Snort, Bro and Suricata will not do what you want; they are not traffic profilers. You will have to invest a few hundred thousand dollars for that type of tech; look at Netwitness or maybe FireEye. Some UTMs or NGFWs may do this too, but they rely on agents being installed on the computers, not just passively looking at the traffic.

We've had Netwitness for a few years and the one thing I do know is it's not worth the $$. An IDS will do a good job; we've been more impressed using HIDSs because they can pick up on the executables being used and report/alert when something new comes along. We started with OSSEC, but developed our own scripts and agents that we use quite effectively. You can almost do the same thing using a good SIEM log manager if you turn up the process logging of Windows, but that too costs.

Why do you want to profile the traffic? There are going to be a ton of false positives unless you really expect static behavior from that network segment.
LVL 63

Assisted Solution

btan earned 300 total points
ID: 39704214
IDS-based is sieving and alerting on the signatures from the rules configured, and if there is a need to reveal anomalous traffic besides those outside the signatures, or to surface reconnaissance-type traffic (part of the cyber kill chain) or even brute force, there can be rules to surface bot-type initiated traffic ... ModSecurity has such, as do most app-aware network security devices. Eventually the SIEM is the one gathering all the sensor logs (syslog primarily) and having correlation rules to escalate alerts to some case mgmt like Archer etc. for triaging.

Yes, you need to baseline the norm to differentiate from the abnormal. Solera (under Bluecoat now), Netscout and Fidelis XPS are other network forensics products. Ntop is one worth exploring further too....

How to Create an Open Source Network Forensics Appliance
LVL 38

Assisted Solution

by: Rich Rumble
Rich Rumble earned 200 total points
ID: 39704222
For a network forensic or profiler to be effective, an IDS isn't good enough unless you can write some very intricate rules. Port anomalies would be easy to spot; this is where egress filtering would be a better choice, however. Filtering outbound traffic and having an alert using the FW log would be very effective for non-approved/expected ports. Keeping it simple that way too. Then there is content or unexpected SSL, where you could write a rule for some of that, but again you'd need a really static and bland network to do it with IDS rules. At least I would; I see the traffic in my network (a la Netwitness) and if I investigated all of it, I'd waste everyone's time. There is so much going on, things not working, things being turned up/down, new installs, that it's impossible in my large environment to keep up with change controls and what I see in Netwitness.
A baseline for my network doesn't exist; we aren't compartmentalized enough :( I wish we were, then I could really be down with network profiling, but for me, and most places I've done consulting for, it's not possible.

Author Comment

ID: 39704978
Thanks for all your inputs. In my case, I am dealing with an isolated network segment protected with a firewall and IDS. Within the isolated network segment, I have approx. 10 computers: 7 servers and 3 client PCs. The servers are running dedicated server software on a specific port, and the client machines will be running client software to communicate with these 7 servers. All systems will be running Windows Server and will be stripped down to the bare minimum functionality.

The passive network monitoring system will be placed in this isolated network segment to
1. determine if anyone is scanning the network.
2. determine who is doing the scanning.
3. act as a first line of detection that there may be a possible intrusion into the network.
4. profile network traffic (only for the reason of detecting intrusion; if there is a more efficient way to detect intrusion, the network traffic profiler is optional).

What would you suggest for a passive network monitoring system based on this description?
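The requirements above (a known set of servers each serving one port, plus "is anyone scanning and who") and Rich Rumble's point about alerting on non-approved ports from the firewall log lend themselves to a very small passive check. The script below is an added example written for this thread, not code from any poster or from Snort; it assumes a constructed firewall/connection log format (`timestamp src= dst= dport= proto=`), constructed IP addresses, and an assumed baseline in which every server only accepts port 5000. It reports two things a daily or incident report would want: connections that fall outside the per-server port baseline, and sources that touch many distinct ports on one host within a short window, which is a simple port-scan heuristic.

```python
"""Added example (not from the thread): baseline-port check plus a simple
port-scan heuristic over constructed firewall/connection log lines."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Assumed log format for this example; a real firewall's format will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumed baseline: each server in the segment only serves port 5000.
ALLOWED_PORTS = {
    "10.0.5.11": {5000},
    "10.0.5.12": {5000},
    "10.0.5.13": {5000},
}

# Constructed sample log: three normal client connections, one client hitting
# an unexpected port, a fast multi-port probe from an unknown host, and one
# unparseable line that must be skipped rather than crash the monitor.
SAMPLE_LOG = """\
2013-12-07T10:00:01 src=10.0.5.21 dst=10.0.5.11 dport=5000 proto=tcp
2013-12-07T10:00:02 src=10.0.5.22 dst=10.0.5.12 dport=5000 proto=tcp
2013-12-07T10:00:03 src=10.0.5.23 dst=10.0.5.13 dport=5000 proto=tcp
2013-12-07T10:00:04 src=10.0.5.22 dst=10.0.5.11 dport=3389 proto=tcp
2013-12-07T10:05:00 src=10.0.5.99 dst=10.0.5.11 dport=21 proto=tcp
2013-12-07T10:05:00 src=10.0.5.99 dst=10.0.5.11 dport=22 proto=tcp
2013-12-07T10:05:01 src=10.0.5.99 dst=10.0.5.11 dport=23 proto=tcp
2013-12-07T10:05:01 src=10.0.5.99 dst=10.0.5.11 dport=80 proto=tcp
2013-12-07T10:05:02 src=10.0.5.99 dst=10.0.5.11 dport=443 proto=tcp
2013-12-07T10:05:02 src=10.0.5.99 dst=10.0.5.11 dport=445 proto=tcp
this line is garbage and should be skipped
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """Parse one log line into an Event, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                 int(m["dport"]), m["proto"])


def baseline_violations(events, allowed):
    """Events whose destination port is not in that server's allow-list."""
    return [e for e in events if e.dport not in allowed.get(e.dst, set())]


def detect_scans(events, window_seconds=10, distinct_ports=5):
    """Flag (src, dst) pairs where src hits >= distinct_ports different ports
    on dst inside a sliding time window; returns {(src, dst): sorted ports}."""
    per_pair = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        per_pair[(e.src, e.dst)].append((e.ts, e.dport))
    findings = {}
    for pair, seq in per_pair.items():
        window = deque()
        for ts, port in seq:
            window.append((ts, port))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            ports = {p for _, p in window}
            if len(ports) >= distinct_ports and len(ports) > len(findings.get(pair, ())):
                findings[pair] = sorted(ports)
    return findings


def analyze(lines, allowed=ALLOWED_PORTS):
    """Run both checks over raw log lines and return a report dict."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {
        "baseline_violations": [(e.src, e.dst, e.dport) for e in baseline_violations(events, allowed)],
        "scans": {f"{src}->{dst}": ports for (src, dst), ports in detect_scans(events).items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for src, dst, port in report["baseline_violations"]:
        print(f"BASELINE: {src} -> {dst}:{port} not in allow-list")
    for pair, ports in report["scans"].items():
        print(f"SCAN: {pair} touched ports {ports}")
```

The window and port-count thresholds are the tuning knobs: on a segment this static they can be tight, which is exactly the situation Rich Rumble describes as necessary for profiling to be usable. A slow scan spread over hours would fall outside the window, so a production version would also keep per-source distinct-port counts over the whole day for the daily report.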
LVL 63

Accepted Solution

btan earned 300 total points
ID: 39705033
The network forensics and IDS can do well as long as they are deployed strategically at the egress and ingress points. Recon activities such as scanning, port knocking or even brute force should be surfaced, specific to the signatures of the common tools used, esp. web-based packets, since they will try to evade by using known ports like 80 and 443.

Of course, it is not all-encompassing, but SSH brute force login or DirBuster detection are something in the VRT signatures (so it is good to keep rules updated).

I was thinking of a honeynet too, and honeypots (passive, like Honeyd) that provide another virtual playground to trap those attempts using Honeywall and also snort_inline. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems.

Author Closing Comment

ID: 39707531