Solved

SNORT- network monitoring

Posted on 2013-12-07
Last Modified: 2016-03-23
I am setting up a passive network monitoring system.  By that I mean it will monitor any irregular traffic and any irregular poke at computer TCP/IP ports by initially establishing a baseline of traffic and ports that are allowed to be accessed.  The system should alarm on any irregular activities within the network.  Is there any software besides SNORT that will do the job?  I will need daily reports as well as incident reports.  They should be created automatically.  Any idea what is needed to set up such a system?
Question by:tommym121
7 Comments
 
LVL 61

Assisted Solution

by:btan
btan earned 300 total points
ID: 39704005
There is also WinIDS (Snort based too); there is quite a lot of coverage in the guides on the left side bar: http://www.winsnort.com/index.php?module=Pages&func=display&pageid=8

Another example e.g. http://www.aboutdebian.com/snort.htm
http://www.linuxuser.co.uk/tutorials/protect-your-network-with-snort

You can also find a command-line based manual in HTML form for Snort.
Specifically, check out the NIDS mode:
http://manual.snort.org/
http://manual.snort.org/node6.html

Worth exploring too, e.g. Security Onion, which is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools.

https://code.google.com/p/security-onion/

You can check out a comparison between Snort/Suricata/Bro (it may be outdated, but it works as a kickstarter):
http://blog.securitymonks.com/2010/08/26/three-little-idsips-engines-build-their-open-source-solutions/

> Suricata is another good candidate, as the Open Source Next Generation Intrusion Detection and Prevention Engine. It is supposed to be a multi-threaded alternative to Snort.
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/What_is_Suricata
http://www.openinfosecfoundation.org/
http://wiki.aanval.com/wiki/Snort_vs_Suricata

> Another one, Bro, is an open source Unix-based network monitoring framework. Often compared to network intrusion detection systems (NIDS), Bro can be used to build an NIDS but is much more.
http://www.bro.org/sphinx/intro/index.html
http://www.appliednsm.com/shmoocon-2013-bro-slides-and-video/

========
Slightly off-topic, if you are interested, is passive network discovery:

Metasploit's MetaModule
https://community.rapid7.com/community/metasploit/blog/2013/10/09/passive-network-discovery-sniffing-for-network-discovery-with-metasploits-metamodules

and

This SANS paper (it has a "Passive Network Mapping" section):
http://www.sans.org/security-resources/idfaq/passive_vuln.php
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 39704173
Snort, Bro and Suricata will not do what you want; they are not traffic profilers. You will have to invest a few hundred thousand dollars for that type of tech; look at Netwitness or maybe FireEye. Some UTMs or NGFWs may do this too, but they rely on agents being installed on the computers, not just passively looking at the traffic.

We've had netwitness for a few years and the one thing I do know is it's not worth the $$. An IDS will do a good job; we've been more impressed using HIDSs because they can pick up on the executables being used and report/alert when something new comes along. We started with OSSEC, but developed our own scripts and agents that we use quite effectively. You can almost do the same thing using a good SIEM log manager if you turn up the process logging of Windows, but that too costs.

Why do you want to profile the traffic? There are going to be a ton of false positives unless you really expect static behavior from that network segment.
-rich
 
LVL 61

Assisted Solution

by:btan
btan earned 300 total points
ID: 39704214
IDS is based on sieving and alerting on the signatures from the rules configured, and if you see the need to reveal anomalous traffic beyond what the signatures cover, or to surface reconnaissance type traffic (part of the cyber kill chain) or even brute force, there can be rules to surface bot-type initiated traffic ... modsecurity has such, as do most app-aware network security devices. Eventually the SIEM is the one gathering all the sensor logs (syslog primarily) and having correlation rules to escalate alerts to some case management system like Archer etc. for triaging.

Yes, you need to baseline the norm to differentiate it from the abnormal. Solera (under Bluecoat now), Netscout and Fidelis XPS are other network forensics options. Ntop is one worth exploring further too....
http://www.forensicswiki.org/wiki/Network_forensics
http://www.forensicswiki.org/wiki/Ntop

How to Create an Open Source Network Forensics Appliance
http://www.forensicfocus.com/open-source-network-forensics-appliance-howto
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 39704222
For a network forensic tool or profiler to be effective, an IDS isn't good enough unless you can write some very intricate rules. Port anomalies would be easy to spot; this is where egress filtering would be a better choice, however. Filtering outbound traffic and having an alert using the FW log would be very effective for non-approved/unexpected ports. Keeping it simple that way too. Then there is content or unexpected SSL, where you could write a rule for some of that, but again you'd need a really static and bland network to do it with IDS rules. At least I would; I see the traffic in my network (a la netwitness) and if I investigated all of it, I'd waste everyone's time. There is so much going on, things not working, things being turned up/down, new installs, that it's impossible in my large environment to keep up with change controls and what I see in netwitness.
A baseline for my network doesn't exist; we aren't compartmentalized enough :( I wish we were, then I could really be down with network profiling, but for me, and most places I've done consulting for, it's not possible.
-rich
 

Author Comment

by:tommym121
ID: 39704978
Thanks for all your inputs.  In my case, I am dealing with an isolated network segment protected with a firewall and IDS.  Within the isolated network segment, I have approx. 10 computers: 7 servers and 3 client PCs.  The servers are running dedicated server software on a specific port and the client machines will be running client software to communicate with these 7 servers.  All systems will be running Windows Server and will be stripped down to the bare minimum functionality.

The passive network monitoring system will be placed in this isolated network segment to
1. determine if anyone is scanning the network.
2. determine who is doing the scanning.
3. act as a first line of detection that there may be a possible intrusion into the network.
4. profile network traffic (only for the purpose of detecting intrusion; if there is a more efficient way to detect intrusion, the network traffic profiler is optional).

What would you suggest for a passive network monitoring system based on this description?
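As an added example (not code from the thread or from any of the tools named in it), a small Python check that puts together the two points discussed above against a constructed connection log: alerting on attempts outside a baseline of allowed server ports, as the firewall-log approach above does, and pointing at the source of a scan by counting how many distinct host/port pairs one source touches. The hosts, the service port 5000 and the log lines are assumed sample values, not from the asker's network.

```python
# Added example (not from the thread): a baseline-driven check over
# firewall/connection-log lines for a small segment like the one described
# (7 servers on one dedicated port, 3 clients). All hosts, ports and log
# lines here are constructed sample data.
from collections import defaultdict

SERVERS = {f"10.0.5.{n}" for n in range(11, 18)}     # 7 constructed servers
CLIENTS = {"10.0.5.101", "10.0.5.102", "10.0.5.103"}  # 3 constructed clients
SERVICE_PORT = 5000                                   # hypothetical app port
ALLOWED = {(srv, SERVICE_PORT) for srv in SERVERS}    # the traffic baseline

# Constructed log format, one attempt per line: "<src> <dst> <dport> <proto>"
SAMPLE_LOG = """\
10.0.5.101 10.0.5.11 5000 tcp
10.0.5.102 10.0.5.12 5000 tcp
10.0.5.103 10.0.5.13 5000 tcp
10.0.5.101 10.0.5.11 3389 tcp
10.0.5.250 10.0.5.11 22 tcp
10.0.5.250 10.0.5.11 80 tcp
10.0.5.250 10.0.5.11 443 tcp
10.0.5.250 10.0.5.11 445 tcp
10.0.5.250 10.0.5.12 22 tcp
10.0.5.250 10.0.5.12 80 tcp
"""

def parse(log):
    """Yield (src, dst, dport); blank or malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])

def baseline_violations(log, allowed=ALLOWED, known=SERVERS | CLIENTS):
    """Attempts to a (dst, port) outside the baseline, or from an unknown host."""
    return [(s, d, p) for s, d, p in parse(log)
            if (d, p) not in allowed or s not in known]

def likely_scanners(log, min_targets=5):
    """Sources that touched at least `min_targets` distinct (dst, port) pairs:
    a simple fan-out heuristic for 'who is doing the scanning'."""
    touched = defaultdict(set)
    for s, d, p in parse(log):
        touched[s].add((d, p))
    return {s: len(t) for s, t in touched.items() if len(t) >= min_targets}

def daily_report(log=SAMPLE_LOG):
    """Summary counts for an automated daily report."""
    violations = baseline_violations(log)
    return {"attempts": sum(1 for _ in parse(log)),
            "violations": len(violations),
            "scanners": sorted(likely_scanners(log))}
```

Feeding the real firewall's export into `parse` in place of `SAMPLE_LOG` (after adjusting the field positions) gives the daily summary, while `baseline_violations` is what would drive the incident alerts.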
 
LVL 61

Accepted Solution

by:btan
btan earned 300 total points
ID: 39705033
Network forensics and IDS can do well as long as they are deployed strategically at the egress and ingress points. Recon activities such as scanning, port knocking or even brute force should be able to surface, specific to the signatures of the common tools used, esp. web-based packets, since they will try to evade by using known ports like 80 and 443.
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-12-034-01

Of course, it is not all encompassing, but SSH brute force login or DirBuster detection are something in the VRT signatures (so it is good to keep rules updated):
http://www.snort.org/vrt/docs/ruleset_changelogs/2_9_3_1/changes-2013-06-20.html

I was thinking of a honeynet too, and honeypots (passive ones like Honeyd) that provide another virtual playground to trap those attempts, using Honeywall and also snort inline. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems.
http://www.honeynet.org.es/papers/honeywall/
http://www.giac.org/paper/gsec/97/honey-pots-intrusion-detection/100494
 

Author Closing Comment

by:tommym121
ID: 39707531
Thanks