Simple Network Security Monitoring Tools

Wednesday, September 14, 2011

Dan Dieterle


If you want a robust, cost-effective and easy-to-use Intrusion Detection System (IDS) and Network Security Monitoring (NSM) platform, look no further than Doug Burks' “Security Onion”.

Security Onion:

“Security Onion is a Linux distro that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, scapy, hping, netcat, tcpreplay, and many other security tools.”

What is great about Security Onion is that it takes all the guesswork out of setting up an effective IDS, takes the output of intrusion attempts and displays the critical ones in a nice user interface called Sguil.


You can install Security Onion on a new machine, or just run it as a live CD to check it out. Running Security Onion with two network cards installed and pairing it with a Dualcomm port mirroring device provides a cheap but powerful monitoring system.

When two network cards are installed with Security Onion, one is configured as a monitoring-only sensor and the other is configured to connect to your internal LAN.

Simply connect the Dualcomm port mirroring device inline with whatever traffic you want to monitor. Then connect your sensor line from Security Onion to the mirrored port and you can analyze all your network traffic live.

Another cool feature of Security Onion is that it keeps a copy of all of your network traffic stored in a daily log file.

Now if all the tools that are included in Security Onion are just not enough for you (and trust me, there are a ton of them!), you can take the raw daily captures directly from Security Onion and analyze them in NetWitness Investigator.

NetWitness Investigator:

“NetWitness® Investigator is the award-winning interactive threat analysis application of the NetWitness enterprise network monitoring platform. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data captured and reconstructed by the NetWitness enterprise security platform.”

Simply navigate to the NSM directory on your Security Onion installation, then to the sensor directory, then to the NIC used for monitoring, and finally to the daily logs directory. Then choose a log file. The files cap out at 128 MB by default, and then another file is created with an incremented number in the file name. A sample file name would be “snort.log.1315337092”.

Next, copy that file off to a flash drive and import it directly into your Windows system running NetWitness Investigator.
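As an added example (not part of the original post), the POSIX shell functions below inventory the daily snort.log.* captures under a sensor's log directory, confirm each one really is a libpcap file before hashing it, and re-check the hashes once the files have been copied to the flash drive, so a truncated or altered copy is caught before it reaches Investigator. The directory layout, the requirement that the manifest path be absolute, and the availability of coreutils sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not Security Onion's own tooling. The post only says the
# captures live under NSM dir -> sensor -> monitoring NIC -> daily logs;
# the exact root is passed in by the caller.

# Return 0 if the file starts with a libpcap magic number (either byte
# order, microsecond or nanosecond variant). Snort writes plain libpcap.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Hash every snort.log.<number> file under $1 into manifest $2 (absolute
# path) as "sha256  ./relative/path" lines, skipping anything that is not
# a pcap. Prints the number of files recorded. The numeric suffix is the
# Unix epoch time at which Snort opened the file.
make_manifest() {
    root=$1; manifest=$2
    : > "$manifest"
    (
        cd "$root" || exit 1
        find . -type f -name 'snort.log.[0-9]*' | sort | while read -r f; do
            if is_pcap "$f"; then
                sha256sum "$f" >> "$manifest"
            else
                echo "skipping non-pcap file: $f" >&2
            fi
        done
    )
    wc -l < "$manifest" | tr -d ' '
}

# Re-hash the copied files under destination $1 against manifest $2.
# Returns 0 only if every file is present and unchanged.
verify_manifest() {
    ( cd "$1" && sha256sum --quiet -c "$2" )
}
```

Run `make_manifest /path/to/dailylogs /media/usb/manifest.txt` on the sensor, copy the captures and the manifest together, then `verify_manifest /media/usb/dailylogs /media/usb/manifest.txt` on the analysis side.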

Investigator then parses the information and gives you an amazing view of the packets captured. At the top, the program lists any threats that it detects as warnings. It also breaks the data down into easily navigable headings like Service Type, Source & Destination Country, City and IP address.


You can then drill down from high-level topics like Destination Country to recreations of the actual data sent in a few clicks. You can look at the information transferred, including scripts, programs, pictures and videos. You can also search the entire data collected for phone numbers, credit cards, hacker terms, date/time or location.

Finally, Investigator supports Google Earth for viewing packet travel and location data. Security Onion and NetWitness Investigator make a powerful threat detection combination.

Cross-posted from Cyber Arms
