A Complete Package
In addition to Sguil and Snort, Knoppix-NSM includes tools like ntop, SANCP, Wireshark and even BASE, for its fans. Debian supporters will appreciate the presence of Iceweasel, Debian's rebranded build of the Firefox browser that resulted from a trademark dispute between Debian and Mozilla.
Let's take a look at what you get in the Knoppix-NSM package and how it can help you monitor your network's security health:
Snort. Anyone familiar with intrusion detection knows that Snort is the de facto standard IDS for security practitioners. Knoppix-NSM extends what Snort alone provides by pairing it with Barnyard and SANCP.
Barnyard is a tool built specifically to read Snort's unified output and send it to the database; it monitors database connectivity and keeps reading from the spool files, so a database outage does not cost you events. Unified output is one of Snort's output formats and improves processing speed by relieving the Snort engine of the work of translating payloads for the database (read Snort 2.1 by Jay Beale for more on this).
SANCP, the Security Analyst Network Connection Profiler, works in parallel with Snort to collect all network traffic on the listening interface, using rules to identify, record and tag traffic best described as session information: who talked to whom, over which protocol and ports, when, and how much data moved in each direction. Where the Snort stream4 preprocessor only reassembles TCP streams, SANCP adds UDP and ICMP tracking as well, so connectionless traffic gets a session record too. This is part of what separates Sguil from the rest of the pack of analysis consoles: Sguil joins the database tables into virtual tables that put Snort events and the matching SANCP session records side by side for review in the console.
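To make the "session information" SANCP records concrete, here is a small connection profiler in Python. It is an added example written for this page, not SANCP's or Sguil's code, and it makes some simplifying assumptions: packets are supplied as an in-memory list of tuples rather than read from the wire, ICMP packets are keyed on the two endpoints alone (with type and code stored where the ports would be), and a session is closed after a fixed idle timeout so later packets on the same tuple start a new record. The sample packets are constructed for the example.

```python
"""SANCP-style connection profiler (added example; not SANCP's own code).

Aggregates packets into per-session records: originator/responder
addresses and ports, start and end times, packet and byte counts in each
direction, and the TCP flags seen from each side. Unlike a TCP-only
stream reassembler, UDP and ICMP get session records too.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits, as laid out in the TCP header.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    ts: float          # capture timestamp, seconds
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    length: int        # bytes on the wire
    sport: int = 0     # for icmp: ICMP type (assumption made for this example)
    dport: int = 0     # for icmp: ICMP code
    flags: int = 0     # TCP flag bits; 0 for other protocols


@dataclass
class Session:
    start: float
    end: float
    proto: str
    src: str           # originator: the side that sent the first packet
    sport: int
    dst: str           # responder
    dport: int
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0
    src_flags: int = 0  # OR of TCP flags seen from the originator
    dst_flags: int = 0  # OR of TCP flags seen from the responder

    def add(self, pkt: Packet, from_originator: bool) -> None:
        """Fold one packet into the session's counters."""
        self.end = max(self.end, pkt.ts)
        if from_originator:
            self.src_pkts += 1
            self.src_bytes += pkt.length
            self.src_flags |= pkt.flags
        else:
            self.dst_pkts += 1
            self.dst_bytes += pkt.length
            self.dst_flags |= pkt.flags


def _session_key(pkt: Packet) -> Tuple:
    """Direction-independent key so replies land on the requester's session.

    ICMP has no ports, so both directions of an echo exchange are matched
    on the endpoints alone (an assumption of this example).
    """
    if pkt.proto == "icmp":
        a, b = (pkt.src, 0), (pkt.dst, 0)
    else:
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + tuple(sorted([a, b]))


def profile_sessions(packets: List[Packet], idle_timeout: float = 60.0) -> List[Session]:
    """Build session records from packets; a gap longer than idle_timeout
    closes the current session and starts a fresh one on the same tuple."""
    active: Dict[Tuple, Session] = {}
    closed: List[Session] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = _session_key(pkt)
        sess = active.get(key)
        if sess is not None and pkt.ts - sess.end > idle_timeout:
            closed.append(active.pop(key))   # expire the stale session
            sess = None
        if sess is None:
            sess = Session(pkt.ts, pkt.ts, pkt.proto,
                           pkt.src, pkt.sport, pkt.dst, pkt.dport)
            active[key] = sess
        # The originator is whoever sent the first packet of the session.
        from_orig = pkt.src == sess.src and (pkt.proto == "icmp" or pkt.sport == sess.sport)
        sess.add(pkt, from_orig)
    closed.extend(active.values())
    return sorted(closed, key=lambda s: s.start)


# Constructed sample traffic: a short HTTP exchange, a DNS lookup, a ping,
# and a second DNS packet on the same tuple long after the first one.
SAMPLE_PACKETS = [
    Packet(1000.0, "tcp", "10.0.0.5", "192.168.1.10", 60, 51234, 80, TCP_SYN),
    Packet(1000.1, "tcp", "192.168.1.10", "10.0.0.5", 60, 80, 51234, TCP_SYN | TCP_ACK),
    Packet(1000.2, "tcp", "10.0.0.5", "192.168.1.10", 52, 51234, 80, TCP_ACK),
    Packet(1000.3, "tcp", "10.0.0.5", "192.168.1.10", 500, 51234, 80, TCP_PSH | TCP_ACK),
    Packet(1000.5, "tcp", "192.168.1.10", "10.0.0.5", 1400, 80, 51234, TCP_PSH | TCP_ACK),
    Packet(1001.0, "udp", "10.0.0.5", "192.168.1.53", 70, 40000, 53),
    Packet(1001.02, "udp", "192.168.1.53", "10.0.0.5", 130, 53, 40000),
    Packet(1002.0, "icmp", "10.0.0.5", "192.168.1.10", 84, 8, 0),    # echo request
    Packet(1002.01, "icmp", "192.168.1.10", "10.0.0.5", 84, 0, 0),   # echo reply
    Packet(1200.0, "udp", "10.0.0.5", "192.168.1.53", 70, 40000, 53),  # past idle timeout
]

if __name__ == "__main__":
    for s in profile_sessions(SAMPLE_PACKETS):
        print(f"{s.start:.2f}-{s.end:.2f} {s.proto:4} {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"src {s.src_pkts}p/{s.src_bytes}B dst {s.dst_pkts}p/{s.dst_bytes}B "
              f"flags {s.src_flags:#04x}/{s.dst_flags:#04x}")
```

Run it and the four records it prints are the kind of rows Sguil would place beside a Snort alert: the analyst can see that the HTTP session completed a handshake and moved 1460 bytes back to the client, that the DNS query got a reply, and that the ping was answered, none of which a TCP-only reassembler records for the UDP and ICMP cases.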