SNORT- network monitoring

I am setting up a passive network monitoring system. By that I mean it will monitor any irregular traffic and any irregular poke at computer TCP/IP ports by initially establishing a baseline of traffic and ports that are allowed to be accessed. The system should alarm on any irregular activities within the network. Is there any software besides SNORT that will do the job? I will need daily reports as well as incident reports. They should be created automatically. Any idea what is needed to set up such a system?
btan (Exec Consultant) commented:
Network forensics and IDS can do well as long as they are deployed strategically at the egress and ingress points. Recon activities such as scanning, port knocking or even brute force should be able to surface, specific to the signatures of common tools used, esp. web-based packets, since they will try to evade by using known ports like 80 and 443.

Of course, it is not all-encompassing, but SSH brute-force login or DirBuster detection are something in the VRT signatures (so it is good to keep rules updated).

I was thinking of a honeynet too, and a honeypot (passive, like Honeyd) that plays another virtual playground to trap those attempts using Honeywall and also snort_inline. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems.
btan (Exec Consultant) commented:
There is a WinIDS (from Snort too); there is quite a coverage on the guides in the left side bar.

Another example e.g.

You can also find a command-line-based manual in HTML mode for Snort.
Specifically, check out the NIDS mode.

Worth exploring, e.g. Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools.

Can check out a comparison between Snort/Suricata/Bro (may be outdated, but good as a kickstarter)

> Suricata, which is another good candidate, is the Open Source Next Generation Intrusion Detection and Prevention Engine. Supposed to be a multi-threaded alternative to Snort

> Another is Bro, an open source Unix-based network monitoring framework. Often compared to network intrusion detection systems (NIDS), Bro can be used to build an NIDS but is much more.

Slightly off-topic, if interested, is passive network discovery

Metasploit's MetaModule

This SANS paper (it has a "Passive Network Mapping" section)
Rich Rumble (Security Samurai) commented:
Snort, Bro and Suricata will not do what you want; they are not traffic profilers. You will have to invest a few hundred thousand dollars for that type of tech; look at NetWitness or maybe FireEye. Some UTMs or NGFWs may do this too, but they rely on agents being installed on the computers, not just passively looking at the traffic.

We've had NetWitness for a few years and the one thing I do know is it's not worth the $$. An IDS will do a good job; we've been more impressed using HIDS because they can pick up on the executables being used and report/alert when something new comes along. We started with OSSEC, but developed our own scripts and agents that we use quite effectively. You can almost do the same thing using a good SIEM log manager if you turn up the process logging of Windows, but that too costs.

Why do you want to profile the traffic? There are going to be a ton of false positives unless you really expect static behavior from that network segment.
btan (Exec Consultant) commented:
An IDS-based approach is sieving and alerting on the signatures from the rules configured. If you see the need to reveal anomalous traffic beyond those signatures, or to surface reconnaissance-type traffic (part of the cyber kill chain) or even brute force, there can be rules to surface bot-type initiated traffic ... ModSecurity has such, as do most app-aware network security devices. Eventually the SIEM is the one gathering all the sensor logs (syslog primarily) and having correlation rules to escalate alerts to some case management like Archer etc. for triaging.

Yes, you need to baseline the norm to differentiate it from the abnormal. Solera (under Blue Coat now), NetScout and Fidelis XPS are other network forensics options. Ntop is one worth exploring further too....

How to Create an Open Source Network Forensics Appliance
Rich Rumble (Security Samurai) commented:
For a network forensics tool or profiler to be effective, an IDS isn't good enough unless you can write some very intricate rules. Port anomalies would be easy to spot; this is where egress filtering would be a better choice, however. Filtering outbound traffic and having an alert using the FW log would be very effective for non-approved/unexpected ports. Keeping it simple that way too. Then there is content or unexpected SSL, where you could write a rule for some of that, but again you'd need a really static and bland network to do it with IDS rules. At least I would; I see the traffic in my network (à la NetWitness) and if I investigated all of it, I'd waste everyone's time. There is so much going on, things not working, things being turned up/down, new installs, that it's impossible in my large environment to keep up with change controls and what I see in NetWitness.
A baseline for my network doesn't exist; we aren't compartmentalized enough :( I wish we were, then I could really be down with network profiling, but for me, and most places I've done consulting for, it's not possible.
tommym121 (Author) commented:
Thanks for all your inputs. In my case, I am dealing with an isolated network segment protected with a firewall and IDS. Within the isolated network segment, I have approx. 10 computers: 7 servers and 3 client PCs. The servers are running dedicated server software on a specific port and the client machines will be running client software to communicate with these 7 servers. All systems will be running Windows Server and will be stripped down to the bare minimum functionality.

The passive network monitoring system will be placed in this isolated network segment to
1. determine if anyone is scanning the network.
2. determine who is doing the scanning.
3. act as a first line of detection that there may be a possible intrusion into the network.
4. profile network traffic (only for the purpose of detecting intrusion; if there is a more efficient way to detect intrusion, the network traffic profiler is optional).

What would you suggest for a passive network monitoring system based on this description?
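A worked illustration of the baseline-and-deviation approach raised in this thread (Rich Rumble's point that port anomalies are easy to spot from firewall logs, and the small isolated segment described in this post), added here as an example; it is not code from the thread, from Snort or from any product named above. It assumes a constructed iptables-style flow log format, seven servers on an assumed service port 5000, three clients as the only permitted peers, and a simple sliding-window count of distinct destination ports per source as a stand-in for an IDS portscan preprocessor. It flags every flow outside the baseline (requirements 3 and 4), names the source hitting many ports (requirements 1 and 2), and rolls the alerts up into the counts a daily report would carry.

```python
"""Baseline-deviation and port-scan detection over constructed firewall flow logs."""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical baseline for the isolated segment described in the thread:
# seven servers listening on one dedicated port (5000 is an assumed value) and
# three clients that are the only hosts allowed to talk to them.
SERVERS = {f"10.0.0.{i}" for i in range(1, 8)}
CLIENTS = {"10.0.0.101", "10.0.0.102", "10.0.0.103"}
SERVICE_PORT = 5000
# Allowed flows as (src, dst, dport) tuples: any client to any server on the service port.
BASELINE = {(c, s, SERVICE_PORT) for c in CLIENTS for s in SERVERS}

# Constructed log format (modelled on iptables LOG output, not any real device's exact format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_flow(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dport": int(m["dpt"]),
    }


def detect(lines, baseline=BASELINE, window_s=60, scan_ports=10):
    """Return alerts: one per flow outside the baseline, plus one per source that
    touches more than `scan_ports` distinct destination ports within `window_s`
    seconds (a minimal port-scan heuristic; a source is reported once)."""
    alerts = []
    touched = defaultdict(list)   # src -> [(timestamp, dport), ...] within the window
    scanners = set()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue                # unparseable lines are skipped, not treated as alerts
        src, ts = flow["src"], flow["ts"]
        if (src, flow["dst"], flow["dport"]) not in baseline:
            alerts.append({"type": "baseline_deviation", "src": src, "dst": flow["dst"],
                           "dport": flow["dport"], "ts": ts})
        # Sliding window: keep only events newer than window_s, then count distinct ports.
        cutoff = ts.timestamp() - window_s
        events = [(t, p) for t, p in touched[src] + [(ts, flow["dport"])]
                  if t.timestamp() >= cutoff]
        touched[src] = events
        distinct = {p for _, p in events}
        if len(distinct) > scan_ports and src not in scanners:
            scanners.add(src)
            alerts.append({"type": "port_scan", "src": src, "ports": len(distinct), "ts": ts})
    return alerts


def summarize(alerts):
    """Daily-report style roll-up: alert counts per type and per source host."""
    by_type = defaultdict(int)
    by_src = defaultdict(int)
    for a in alerts:
        by_type[a["type"]] += 1
        by_src[a["src"]] += 1
    return {"by_type": dict(by_type), "by_src": dict(by_src)}


# Constructed sample traffic: three normal client/server flows, one client touching an
# unexpected port, then an unknown host sweeping 15 ports on a server in 15 seconds.
SAMPLE_LINES = [
    "2024-01-01T10:00:00 SRC=10.0.0.101 DST=10.0.0.1 PROTO=TCP DPT=5000",
    "2024-01-01T10:00:01 SRC=10.0.0.102 DST=10.0.0.2 PROTO=TCP DPT=5000",
    "2024-01-01T10:00:02 SRC=10.0.0.103 DST=10.0.0.7 PROTO=TCP DPT=5000",
    "2024-01-01T10:00:03 SRC=10.0.0.101 DST=10.0.0.1 PROTO=TCP DPT=3389",
] + [
    f"2024-01-01T10:05:{i:02d} SRC=10.0.0.250 DST=10.0.0.3 PROTO=TCP DPT={p}"
    for i, p in enumerate(range(20, 35))
]

if __name__ == "__main__":
    found = detect(SAMPLE_LINES)
    for alert in found:
        print(alert)
    print(summarize(found))
```

On the sample input this yields 16 baseline deviations (one from the client on port 3389, fifteen from the unknown host) and a single port_scan alert for 10.0.0.250, raised at the eleventh distinct port. The two thresholds (window_s, scan_ports) are where the false-positive concern raised earlier in the thread lives: on a segment this static they can be tight, while on a busier network they would need tuning against a few days of real logs before alerting on them.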