SNORT- network monitoring

Posted on 2013-12-07
Last Modified: 2016-03-23
I am setting up a passive network monitoring system. By that I mean it will monitor any irregular traffic and any irregular poke on computer TCP/IP ports, by initially establishing a baseline of traffic and ports that are allowed to be accessed. The system should alarm on any irregular activities within the network. Is there any software besides SNORT that will do the job? I will need daily reports as well as incident reports. They should be created automatically. Any idea what is needed to set up such a system?
Question by: tommym121
Assisted Solution

btan earned 300 total points
ID: 39704005
There is also WinIDS (from Snort too); there is quite a lot of coverage in the guides in the left sidebar: http://www.winsnort.com/index.php?module=Pages&func=display&pageid=8

Another example e.g. http://www.aboutdebian.com/snort.htm

You can also find a command-line based manual in HTML form for Snort.
Specifically, check out the NIDS mode.

Worth exploring, e.g. Security Onion, a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools.

You can also check out a comparison between Snort/Suricata/Bro (it can be out-dated, but it serves as a kickstarter):

> Suricata, which is another good candidate, is the Open Source Next Generation Intrusion Detection and Prevention Engine. Supposed to be a multi-threaded alternative to Snort.

> Another is Bro, an open source Unix-based network monitoring framework. Often compared to network intrusion detection systems (NIDS), Bro can be used to build a NIDS but is much more.

Slightly off-topic, if you are interested, is passive network discovery:

Metasploit's MetaModule

This SANS paper (it has a "Passive Network Mapping" section)
Assisted Solution

by: Rich Rumble
Rich Rumble earned 200 total points
ID: 39704173
Snort, Bro and Suricata will not do what you want; they are not traffic profilers. You will have to invest a few hundred thousand dollars for that type of tech; look at NetWitness or maybe FireEye. Some UTMs or NGFWs may do this too, but they rely on agents being installed on the computers, not just passively looking at the traffic.

We've had NetWitness for a few years and the one thing I do know is it's not worth the $$. An IDS will do a good job; we've been more impressed using HIDSs because they can pick up on the executables being used and report/alert when something new comes along. We started with OSSEC, but developed our own scripts and agents that we use quite effectively. You can almost do the same thing using a good SIEM log manager if you turn up the process logging of Windows, but that too costs.

Why do you want to profile the traffic? There are going to be a ton of false positives unless you really expect static behavior from that network segment.
Assisted Solution

btan earned 300 total points
ID: 39704214
IDS-based detection is sieving and alerting on the signatures from the rules configured. If you see the need to reveal anomalous traffic beyond what the signatures cover, or to surface reconnaissance-type traffic (part of the cyber kill chain) or even brute force, there can be rules to surface bot-type initiated traffic ... ModSecurity has such rules, as do most app-aware network security devices. Eventually the SIEM is the one gathering all the sensor logs (syslog primarily) and having correlation rules to escalate alerts to some case management like Archer etc. for triaging.

Yes, you need to baseline the norm to differentiate it from the abnormal. Solera (under Blue Coat now), NetScout and Fidelis XPS are other network forensics tools. Ntop is one worth exploring further too....

How to Create an Open Source Network Forensics Appliance
Assisted Solution

by: Rich Rumble
Rich Rumble earned 200 total points
ID: 39704222
For a network forensics tool or profiler to be effective, an IDS isn't good enough unless you can write some very intricate rules. Port anomalies would be easy to spot; this is where egress filtering would be a better choice, however. Filtering outbound traffic and having an alert using the FW log would be very effective for non-approved/expected ports. It keeps it simple that way too. Then there is content or unexpected SSL, where you could write a rule for some of that, but again you'd need a really static and bland network to do it with IDS rules. At least I would; I see the traffic in my network (via NetWitness) and if I investigated all of it, I'd waste everyone's time. There is so much going on, things not working, things being turned up/down, new installs, that it's impossible in my large environment to keep up with change controls and what I see in NetWitness.
A baseline for my network doesn't exist; we aren't compartmentalized enough :( I wish we were, then I could really be down with network profiling, but for me, and most places I've done consulting for, it's not possible.

Author Comment

ID: 39704978
Thanks for all your inputs. In my case, I am dealing with an isolated network segment protected with a firewall and IDS. Within the isolated network segment, I have approx. 10 computers: 7 servers and 3 client PCs. The servers are running dedicated server software on a specific port, and the client machines will be running client software to communicate with these 7 servers. All systems will be running Windows Server and will be stripped down to the bare minimum functionality.

The passive network monitoring system will be placed in this isolated network segment to
1. determine if anyone is scanning the network.
2. determine who is doing the scanning.
3. act as a first line of detection that there may be a possible intrusion into the network.
4. profile network traffic (only for the reason of detecting intrusion; if there is a more efficient way to detect intrusion, the network traffic profiler is optional).

What would you suggest for a passive network monitoring system based on this description?
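The egress-filtering / port-anomaly idea from Rich Rumble's reply and the four goals in the author's comment above, worked through in code as an added example that is not from any poster in this thread: a small Python detector that checks constructed flow records against a baseline of allowed (server, port) pairs and known client addresses, flags off-baseline connections and unknown sources, counts distinct destination ports per source/destination pair to surface scans, and summarizes the alerts for a daily report. All addresses, ports, thresholds, function names and the flow-record format are constructed assumptions; a real deployment would feed it flow logs from a tap or SPAN port (or from Snort/Suricata/Bro output) rather than inline strings.

```python
"""Toy passive-traffic baseline and scan detector (added example, not from the thread).

Assumes one-line flow records of the form 'timestamp src dst dport proto',
one per connection attempt, as a sensor on a tap/SPAN port might export them.
Every address, port and threshold below is a constructed placeholder.
"""
from collections import Counter, defaultdict

# Constructed baseline for the segment described in the thread: seven servers,
# each listening on exactly one dedicated port, and three known client PCs.
BASELINE = {("10.0.5.%d" % i, 5000 + i) for i in range(1, 8)}   # hypothetical
CLIENTS = {"10.0.5.101", "10.0.5.102", "10.0.5.103"}              # hypothetical
SCAN_PORT_THRESHOLD = 8   # distinct dst ports from one src to one dst -> scan


def parse_flow(line):
    """Parse one constructed 'ts src dst dport proto' record into a dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def analyze(lines, baseline=BASELINE, clients=CLIENTS,
            scan_threshold=SCAN_PORT_THRESHOLD):
    """Return a list of alert dicts for the given flow records.

    Alert types:
      unknown_source - the initiating host is not one of the known clients
      off_baseline   - a known client reached a (server, port) outside the baseline
      port_scan      - one source touched >= scan_threshold ports on one host
    """
    alerts = []
    ports_seen = defaultdict(set)          # (src, dst) -> set of dst ports
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        ports_seen[(f["src"], f["dst"])].add(f["dport"])
        if f["src"] not in clients:
            alerts.append({"type": "unknown_source", "src": f["src"],
                           "dst": f["dst"], "dport": f["dport"]})
        elif (f["dst"], f["dport"]) not in baseline:
            alerts.append({"type": "off_baseline", "src": f["src"],
                           "dst": f["dst"], "dport": f["dport"]})
    # Scan detection runs after the pass so the count covers the whole window.
    for (src, dst), ports in sorted(ports_seen.items()):
        if len(ports) >= scan_threshold:
            alerts.append({"type": "port_scan", "src": src, "dst": dst,
                           "dport": len(ports)})   # dport carries the port count
    return alerts


def daily_report(alerts):
    """Summarize alerts by type and by source, the shape a daily report needs."""
    return {
        "total": len(alerts),
        "by_type": dict(Counter(a["type"] for a in alerts)),
        "by_source": dict(Counter(a["src"] for a in alerts)),
    }


# Constructed sample: three normal client connections, one client reaching an
# RDP port that is not in the baseline, and an unknown host sweeping ten ports
# on one server (port numbers and addresses are made up).
SAMPLE_FLOWS = [
    "2013-12-07T09:00:01 10.0.5.101 10.0.5.1 5001 tcp",
    "2013-12-07T09:00:02 10.0.5.102 10.0.5.3 5003 tcp",
    "2013-12-07T09:00:03 10.0.5.103 10.0.5.7 5007 tcp",
    "2013-12-07T09:00:04 10.0.5.101 10.0.5.2 3389 tcp",
] + ["2013-12-07T09:01:%02d 10.0.5.250 10.0.5.4 %d tcp" % (i, 20 + i)
     for i in range(10)]

if __name__ == "__main__":
    found = analyze(SAMPLE_FLOWS)
    for a in found:
        print(a)
    print(daily_report(found))
```

The baseline is an explicit set of (server, port) pairs because the segment described is tiny and each server has one dedicated port; that is exactly the "static and bland" condition under which port-level rules stay useful, and on a busier segment the same logic would generate the false positives the thread warns about. The scan threshold is a tunable: the unknown host in the sample is reported both per connection and once as a scan, so the daily report attributes all of its activity to one source address.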
Accepted Solution

btan earned 300 total points
ID: 39705033
The network forensics tool and IDS can do well as long as they are deployed strategically at the egress and ingress points. Recon activities such as scanning, port knocking or even brute force should be able to surface via signatures specific to the common tools used, esp. web-based packets, since they will try to evade by using known ports like 80 and 443.

Of course, it is not all-encompassing, but SSH brute force login or DirBuster detection are something in the VRT signatures (so it is good to keep rules updated).

I was thinking of a honeynet too, and honeypots (passive ones like Honeyd) that provide another virtual playground to trap those attempts, using Honeywall and also Snort inline. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems.

Author Closing Comment

ID: 39707531