Knoppix-NSM removes complexity of Snort-based network security monitoring


This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."


right from the CD, allowing you to test the tools before choosing to go ahead with a hard-drive installation.

Knoppix-NSM provides a complete open source intrusion detection infrastructure in a single package. Because it boots and runs as a live CD, it gives you immediate visibility into your network traffic and your network security posture before you commit to a permanent deployment.

The analysis console is Sguil, developed by Bamm Visscher and featured in Richard Bejtlich's The Tao of Network Security Monitoring.


A Complete Package
In addition to Sguil and Snort, Knoppix-NSM includes tools like ntop, SANCP, Wireshark and even BASE, for its fans. Debian supporters will appreciate the presence of Debian Iceweasel, a rebranded Firefox browser that resulted from a spat between Debian and Mozilla.

Let's take a look at what you get in the Knoppix-NSM package and how it can help you monitor your network's security health:

Snort. Anyone familiar with IDS knows that Snort is the de facto standard for security practitioners. Knoppix-NSM extends Snort by pairing it with Barnyard and SANCP.

Barnyard is a tool built specifically to read Snort's unified output and send it to the database; it monitors database connectivity so that alerts are not lost while the database is unreachable. Unified output is one of several Snort output options. It improves sensor throughput because Snort writes alerts and packet logs as compact binary records and leaves the work of formatting them and inserting them into the database to Barnyard, instead of doing it inside the detection engine (read Snort 2.1 by Jay Beale for more on this).

SANCP, the Security Analyst Network Connection Profiler, runs alongside Snort on the same listening interface and collects all traffic it sees, using rules to identify, record and tag what is best described as session information: for each connection, the endpoints, protocol, start and end times, and the packets and bytes sent in each direction. Where the Snort stream4 preprocessor usually just reassembles TCP traffic, SANCP adds UDP and ICMP session tracking as well. This is part of what separates Sguil from the rest of the pack of analysis consoles. Sguil merges database tables, creating virtual tables that combine Snort events and SANCP records so that both are available for review in the console, and an analyst can see the connection that surrounds an alert rather than the single packet that triggered it.
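To make the two halves of that paragraph concrete, here is an added example that is not code from Knoppix-NSM, SANCP, Sguil or Snort: a small session profiler that folds TCP, UDP and ICMP packets into per-direction session records the way SANCP does, and a correlation step that joins Snort-style alerts to the sessions covering them, which is the kind of merge Sguil performs across its tables. The packet and alert records, the field layout, the idle timeout and the signature names are all constructed assumptions for the illustration.

```python
"""SANCP/Sguil-style session profiling and alert correlation.
Added illustration for this article, not code from Knoppix-NSM, SANCP, Sguil or
Snort; packets, alerts and the record layout below are constructed assumptions."""
from collections import namedtuple
from dataclasses import dataclass

# For ICMP, sport/dport carry the message type/code (ICMP has no ports).
Packet = namedtuple("Packet", "ts proto src sport dst dport size")
Alert = namedtuple("Alert", "ts sig proto src sport dst dport")


@dataclass
class Session:
    proto: str
    src: str          # initiator: whoever sent the first packet seen
    sport: int
    dst: str
    dport: int
    start: float
    end: float
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0


def flow_key(rec):
    """Direction-independent key so both halves of a conversation share one record.
    ICMP type/code differ between request and reply, so only addresses are keyed."""
    if rec.proto == "icmp":
        ends = ((rec.src, 0), (rec.dst, 0))
    else:
        ends = ((rec.src, rec.sport), (rec.dst, rec.dport))
    return (rec.proto,) + tuple(sorted(ends))


def profile_sessions(packets, timeout=60.0):
    """Fold packets into session records for TCP, UDP and ICMP alike. UDP and ICMP
    have no teardown (and a TCP FIN may never be seen), so an idle timeout closes a
    session; a packet more than `timeout` s after the last one on the same key
    opens a new record, so a reused client port is not merged into the old one."""
    active, finished = {}, []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = flow_key(pkt)
        sess = active.get(key)
        if sess is not None and pkt.ts - sess.end > timeout:
            finished.append(active.pop(key))
            sess = None
        if sess is None:
            sess = active[key] = Session(pkt.proto, pkt.src, pkt.sport,
                                         pkt.dst, pkt.dport, pkt.ts, pkt.ts)
        sess.end = pkt.ts
        # ICMP's "port" is the message type, so decide direction by address only.
        if pkt.src == sess.src and (pkt.proto == "icmp" or pkt.sport == sess.sport):
            sess.src_pkts += 1
            sess.src_bytes += pkt.size
        else:
            sess.dst_pkts += 1
            sess.dst_bytes += pkt.size
    finished.extend(active.values())
    return sorted(finished, key=lambda s: s.start)


def correlate(alerts, sessions, slack=1.0):
    """Sguil-style join of IDS events with session records: an alert is tied to every
    session on its flow key whose span covers the alert time (plus `slack` seconds
    for sensor clock skew). Returns [(alert, [matching sessions]), ...]."""
    by_key = {}
    for sess in sessions:
        by_key.setdefault(flow_key(sess), []).append(sess)
    return [(a, [s for s in by_key.get(flow_key(a), [])
                 if s.start - slack <= a.ts <= s.end + slack]) for a in alerts]


# Constructed sample traffic: an HTTP connection, a DNS lookup, a ping, and a
# second connection reusing the same client port five minutes later.
SAMPLE_PACKETS = [
    Packet(100.00, "tcp", "10.0.0.5", 40000, "192.168.1.10", 80, 60),     # SYN
    Packet(100.01, "tcp", "192.168.1.10", 80, "10.0.0.5", 40000, 60),     # SYN/ACK
    Packet(100.40, "tcp", "10.0.0.5", 40000, "192.168.1.10", 80, 312),    # request
    Packet(100.45, "tcp", "192.168.1.10", 80, "10.0.0.5", 40000, 580),    # response
    Packet(100.50, "tcp", "10.0.0.5", 40000, "192.168.1.10", 80, 52),     # FIN
    Packet(100.51, "tcp", "192.168.1.10", 80, "10.0.0.5", 40000, 52),     # FIN
    Packet(105.00, "udp", "10.0.0.5", 53000, "192.168.1.53", 53, 70),
    Packet(105.02, "udp", "192.168.1.53", 53, "10.0.0.5", 53000, 120),
    Packet(110.00, "icmp", "10.0.0.5", 8, "192.168.1.10", 0, 98),         # echo request
    Packet(110.01, "icmp", "192.168.1.10", 0, "10.0.0.5", 0, 98),         # echo reply
    Packet(300.00, "tcp", "10.0.0.5", 40000, "192.168.1.10", 80, 60),     # new SYN
]

# Constructed Snort-style events; the signature names are illustrative only.
SAMPLE_ALERTS = [
    Alert(100.40, "WEB-MISC /etc/passwd", "tcp", "10.0.0.5", 40000, "192.168.1.10", 80),
    Alert(300.00, "WEB-MISC /etc/passwd", "tcp", "10.0.0.5", 40000, "192.168.1.10", 80),
    Alert(110.00, "ICMP PING", "icmp", "10.0.0.5", 8, "192.168.1.10", 0),
    Alert(400.00, "DNS query", "udp", "10.0.0.5", 53000, "192.168.1.53", 53),
]

if __name__ == "__main__":
    for alert, hits in correlate(SAMPLE_ALERTS, profile_sessions(SAMPLE_PACKETS)):
        print(alert.ts, alert.sig, [(s.start, s.end, s.src_bytes, s.dst_bytes) for s in hits])
```

Run as a script it prints, for each alert, the sessions an analyst would see beside it. The two /etc/passwd alerts share a 5-tuple but land on different session records because the idle timeout split the reused client port into two connections; the ping is matched through an ICMP record that has no ports at all; and the late DNS alert finds no session, which is exactly the case where a console that only shows the triggering packet leaves you guessing.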

This was first published in October 2007
