Published: 01 Oct 2007
Snort alone doesn't give you a complete network security monitoring tool, and integrating and using all the pieces you need may be frustrating. The popular BASE console, for example, is often used with Snort, but like all Web-based consoles, it lacks speed, doesn't provide real-time alerting and has limited analysis functionality.
But now this critically important security capability can be well within your means, thanks to The Tao of Network Security Monitoring.
Figure: Unlike Web-based consoles like BASE, Sguil is fast and makes it easy to spot potentially dangerous events.
BASE, the Basic Analysis and Security Engine, is the standard-bearer of Web-based consoles. Web-based consoles are known for sluggishness, and BASE does not scale well to the enterprise level. BASE can also slow down Snort on Knoppix-NSM, because Snort has to write every alert twice: directly to the database for BASE, and in "unified" binary format for Barnyard. BASE is great for demonstration or educational purposes, but be aware of the cost to performance. You'll also find less pertinent information available in the console than you would with Sguil.
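To make the performance point concrete, here is an added example (not from the article, and not the configuration shipped on Knoppix-NSM) showing the two Snort 2.x output-plugin setups side by side: the direct-to-database logging that BASE consumes, and the unified-file logging that Barnyard consumes. The host name, database name, credentials and file names are placeholders; the Barnyard line follows the barnyard.conf syntax of the Barnyard 0.2 series and is included only to show where the database insert moves to.

```conf
# Added example, not the article's or Knoppix-NSM's own snort.conf.
# All host names, credentials and file names below are placeholders.

# Setup A: Snort inserts each alert into the BASE database itself.
# Every alert becomes a synchronous database write inside the Snort
# process, which is the overhead the article warns about. Running this
# *and* the unified outputs below at the same time (as a BASE + Barnyard
# host does) means each alert is written twice.
output database: alert, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# Setup B: Snort only writes binary unified records to local files.
# The database work is handed to Barnyard, which tails these files and
# does the inserts out of band, so Snort keeps up with the SPAN port.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# Corresponding barnyard.conf fragment (Barnyard 0.2-era syntax, assumed):
# Barnyard, not Snort, now owns the database connection.
# output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password CHANGE_ME
```

If you want BASE for demonstrations and Sguil for analysis on the same sensor, setup B with Barnyard feeding the database is the lower-cost way to get there: Snort itself then never blocks on a database round trip, and the console choice becomes a question of what reads the data rather than what Snort has to write.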
Still, Web-based consoles are convenient, and it never hurts to put a different perspective on events.
Ntop, or network top, which is also browser-based, illustrates network usage and status from a variety of perspectives. A standalone application that works independently of all the Snort-related applications, ntop acts as the "statistician" for Knoppix-NSM. It lets you sort and display network traffic by many protocols and criteria, display and store traffic statistics, identify users and host operating systems, sort by source and destination, and report IP protocol usage. It's worth a standalone installation simply for the return on investment (a lot for nothing) and its ease of use and installation.
Figure: Ntop's wealth of network traffic data makes it invaluable as a Snort companion or standalone tool.
NSM on Demand: LiveCD gives you instant (almost) network security monitoring.
Figure: a simple architecture matching what you'd be using via the Knoppix-NSM LiveCD in its default configuration, as well as the NSM framework this distribution uses. Source: Intelguardians (http://www.intelguardians.com/snortguis.pdf)
Once you've booted from the Knoppix-NSM LiveCD, you can immediately start monitoring using the following command sequences:
Organizations already running IDS in some form can still put Knoppix-NSM to good use:
- Quick deployment. Say you've been dispatched to a remote site to assess the security posture of a recent acquisition. It's doing the bare minimum, content to assume all is well because it has a firewall. With permission from management, and the cooperation of a network engineer, you boot up Knoppix-NSM and connect to a SPAN port on a core network switch. You quickly determine that all in fact is not well, and extensive remediation will be required before joining the acquired network to your well-protected, monitored and maintained existing network.
- Instant console. Your Snort farm is well managed and performs its purpose, but you're in need of an additional console immediately. This is often useful to compare console attributes or provide additional perspective. Sguil in particular offers analysis functionality considered by many NSM practitioners to be superior to any other console.
- Learning and testing. Knoppix-NSM is the ideal framework for teaching and testing. Perhaps your security operations staff is growing and you need to set up a classroom environment with minimal hardware and effort. Imagine an attack-and-defend approach where Knoppix-NSM is running on a central server. Half of your class is running a Sguil console via Knoppix-NSM, and the other half is attacking virtual victims. With the aid of virtual machines and a few surplus laptops/desktops, you can show your new junior analysts the benefits of a well-monitored network.