

SNORT- network monitoring

Posted on 2013-12-07
Medium Priority
Last Modified: 2016-03-23
I am setting up a passive network monitoring system. By that I mean it will monitor any irregular traffic and any irregular poke on computer TCP/IP ports by initially establishing a baseline of traffic and ports that are allowed to be accessed. The system should alarm on any irregular activities within the network. Is there any software besides SNORT that will do the job? I will need daily reports as well as incident reports. They should be created automatically. Any idea what is needed to set up such a system?
Question by:tommym121
LVL 65

Assisted Solution

btan earned 1200 total points
ID: 39704005
There is WinIDS (from Snort too; there is quite a lot of coverage in the guides on the left sidebar): http://www.winsnort.com/index.php?module=Pages&func=display&pageid=8

Another example: http://www.aboutdebian.com/snort.htm

You can also find a command-line based manual in HTML mode for Snort.
Specifically, check out the NIDS mode.

Worth exploring, e.g. Security Onion, which is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools.


You can check out a comparison between Snort/Suricata/Bro (it may be out of date, but it serves as a kickstarter).

> Suricata, which is another good candidate as the Open Source Next Generation Intrusion Detection and Prevention Engine. Supposedly a multi-threaded alternative to Snort.

> Another: Bro is an open source Unix-based network monitoring framework. Often compared to network intrusion detection systems (NIDS), Bro can be used to build a NIDS but is much more.

Slightly off-topic, if interested, is passive network discovery:

Metasploit's MetaModule


This SANS paper (it has a "Passive Network Mapping" section)
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 800 total points
ID: 39704173
Snort, Bro and Suricata will not do what you want; they are not traffic profilers. You will have to invest a few hundred thousand dollars for that type of tech; look at NetWitness or maybe FireEye. Some UTMs or NGFWs may do this too, but they rely on agents being installed on the computers, not just passively looking at the traffic.

We've had NetWitness for a few years and the one thing I do know is it's not worth the $$. An IDS will do a good job; we've been more impressed using HIDSs because they can pick up on the executables being used and report/alert when something new comes along. We started with OSSEC, but developed our own scripts and agents that we use quite effectively. You can almost do the same thing using a good SIEM log manager if you turn up the process logging of Windows, but that too costs.

Why do you want to profile the traffic? There are going to be a ton of false positives unless you really expect static behavior from that network segment.
LVL 65

Assisted Solution

btan earned 1200 total points
ID: 39704214
IDS-based detection is sieving and alerting on the signatures from the rules configured. If you see the need to reveal anomalous traffic beyond what matches a signature, or to surface reconnaissance-type traffic (part of the cyber kill chain) or even brute force, there can be rules to surface bot-type initiated traffic ... ModSecurity has such, as do most app-aware network security devices. Eventually the SIEM is the one gathering all the sensor logs (syslog primarily) and having correlation rules to escalate alerts to some case management system like Archer etc. for triaging.

Yes, you need to baseline the norm to differentiate it from the abnormal. Solera (under Bluecoat now), Netscout and Fidelis XPS are other network forensics options. Ntop is one worth exploring further too....

How to Create an Open Source Network Forensics Appliance

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 800 total points
ID: 39704222
For a network forensic tool or profiler to be effective, an IDS isn't good enough unless you can write some very intricate rules. Port anomalies would be easy to spot; this is where egress filtering would be a better choice, however. Filtering outbound traffic and having an alert using the FW log would be very effective for non-approved/unexpected ports. Keeping it simple that way too. Then there is content or unexpected SSL, where you could write a rule for some of that, but again you'd need a really static and bland network to do it with IDS rules. At least I would; I see the traffic in my network (à la NetWitness) and if I investigated all of it, I'd waste everyone's time. There is so much going on, things not working, things being turned up/down, new installs, that it's impossible in my large environment to keep up with change controls and what I see in NetWitness.
A baseline for my network doesn't exist; we aren't compartmentalized enough :( I wish we were, then I could really be down with network profiling, but for me, and most places I've done consulting for, it's not possible.

Author Comment

ID: 39704978
Thanks for all your inputs. In my case, I am dealing with an isolated network segment protected with a firewall and IDS. Within the isolated network segment, I have approx. 10 computers: 7 servers and 3 client PCs. The servers are running dedicated server software on a specific port and the client machines will be running client software to communicate with these 7 servers. All systems will be running Windows Server and will be stripped down to the bare minimum functionality.

The passive network monitoring system will be placed in this isolated network segment to
1. determine if anyone is scanning the network.
2. determine who is doing the scanning.
3. act as a first line of detection that there may be a possible intrusion into the network.
4. profile network traffic (only for the purpose of detecting intrusion; if there is a more efficient way to detect intrusion, the network traffic profiler is optional).

What would you suggest for a passive network monitoring system based on this description?
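The question asks for a baseline of allowed ports with alerts on anything irregular, Rich Rumble's reply suggests alerting off firewall logs for non-approved ports, and the author's list above wants scanning detected and attributed to a source. The following is an added example, not code from the thread or from any of the tools named in it: a small Python monitor that reads connection-log lines, checks each against a per-server baseline of allowed ports, applies the simplest port-scan heuristic (one source touching many distinct ports on one host within a short window), and rolls the alerts into a daily-report summary. The log format, the IP addresses, the port 5000 service and the three-server baseline are all constructed for the illustration and are not from the thread.

```python
"""Added example: baseline-and-alert monitor over constructed connection logs.

Assumed (hypothetical) line format, one connection per line:
    <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real traffic). The first four lines are normal
# client-to-server traffic; line 5 is a known client hitting an unexpected
# port; lines 6-11 are one unknown host walking several ports on one server.
SAMPLE_LOG = """\
2013-12-07T10:00:01 10.0.5.21 -> 10.0.5.11:5000 tcp
2013-12-07T10:00:02 10.0.5.22 -> 10.0.5.12:5000 tcp
2013-12-07T10:00:03 10.0.5.21 -> 10.0.5.13:5000 tcp
2013-12-07T10:00:04 10.0.5.23 -> 10.0.5.11:5000 tcp
2013-12-07T10:00:10 10.0.5.22 -> 10.0.5.11:3389 tcp
2013-12-07T10:00:11 10.0.5.99 -> 10.0.5.11:21 tcp
2013-12-07T10:00:11 10.0.5.99 -> 10.0.5.11:22 tcp
2013-12-07T10:00:12 10.0.5.99 -> 10.0.5.11:23 tcp
2013-12-07T10:00:12 10.0.5.99 -> 10.0.5.11:25 tcp
2013-12-07T10:00:13 10.0.5.99 -> 10.0.5.11:80 tcp
2013-12-07T10:00:13 10.0.5.99 -> 10.0.5.11:443 tcp
"""

# Baseline: the only port each server is expected to accept (hypothetical
# values standing in for the dedicated server software in the question).
BASELINE = {
    "10.0.5.11": {5000},
    "10.0.5.12": {5000},
    "10.0.5.13": {5000},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "proto": m["proto"],
    }


def analyze(log_text, scan_threshold=5, window=timedelta(seconds=10)):
    """Return alerts for baseline violations and scan-like behaviour."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []

    # (a) Baseline check: any destination port outside the server's allowed set.
    for e in events:
        if e["port"] not in BASELINE.get(e["dst"], set()):
            alerts.append({"type": "unexpected_port", "ts": e["ts"],
                           "src": e["src"], "dst": e["dst"], "port": e["port"]})

    # (b) Scan heuristic: distinct ports per (src, dst) inside a sliding window.
    #     Each (src, dst) pair is reported at most once to avoid alert floods.
    recent = defaultdict(list)  # (src, dst) -> [(ts, port), ...] within window
    reported = set()
    for e in events:
        key = (e["src"], e["dst"])
        hist = recent[key] + [(e["ts"], e["port"])]
        hist = [(t, p) for t, p in hist if e["ts"] - t <= window]
        recent[key] = hist
        ports = {p for _, p in hist}
        if len(ports) >= scan_threshold and key not in reported:
            reported.add(key)
            alerts.append({"type": "port_scan", "ts": e["ts"], "src": e["src"],
                           "dst": e["dst"], "ports": sorted(ports)})
    return alerts


def daily_report(alerts):
    """Summarise alerts the way a daily report would: totals by type and by source."""
    return {
        "total": len(alerts),
        "by_type": dict(Counter(a["type"] for a in alerts)),
        "by_source": dict(Counter(a["src"] for a in alerts)),
    }


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(daily_report(found))
```

On the constructed sample this yields seven `unexpected_port` alerts (the RDP attempt from a known client plus six from the unknown host) and one `port_scan` alert attributing the sweep to 10.0.5.99, which is the "who is scanning" answer the author asked for. The threshold and window are the knobs a practitioner tunes against the false-positive concern raised in the thread: on a segment with a genuinely static baseline they can be tight, on a busier network they need to be loosened or the baseline widened.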
LVL 65

Accepted Solution

btan earned 1200 total points
ID: 39705033
The network forensics and IDS can do well as long as they are deployed strategically at the egress and ingress points. Recon activities such as scanning, port knocking or even brute force should be able to surface through signatures specific to common tools used, especially web-based packets, since they will try to evade detection by using known ports like 80 and 443.

Of course, it is not all-encompassing, but SSH brute force login or DirBuster detection are in the VRT signatures (so it is good to keep the rules updated).

I was thinking of a honeynet too, and a honeypot (passive, like Honeyd) that provides another virtual playground to trap those attempts using Honeywall and also snort_inline. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems.

Author Closing Comment

ID: 39707531
