NETWORK SECURITY MONITORING
DIFFERENT USE TOOLS
I am a huge fan of Network Security Monitoring (NSM). If you run your own network and don't know what that is, run out (don't walk) and buy "The Tao of Network Security Monitoring: Beyond Intrusion Detection".
Basically, NSM is a system of capturing all of your network traffic, sometimes at multiple points in your network, and analyzing it for intrusions or anomalies.
If you think that you can't afford an NSM system, think again. One of the most commonly used ones is free!
"Security Onion", created by Doug Burks, is an extremely capable and feature-rich NSM that is completely free. All you need is a fairly decent computer to run it on, a network tap and at least two network cards.
Security Onion allows you to capture network traffic, then analyzes it for issues and notifies you with alerts in a fairly easy-to-use interface.
Below are a couple of screenshots of Security Onion in action. The first one shows a slew of alerts that were triggered when I tried to run Backtrack's (the previous version of Kali) Autopwn against a system on the network:
As you can see, there are multiple warnings and alerts. The last line records 172 (CNT column) incidents of one alert!
Security Onion is also capable of detecting TOR use on your network. TOR is an anonymizing protocol that uses encrypted communication, bounced around the world through relays, to help anonymize users. TOR can be used for good, but hackers also use TOR to hide their attacks.
Here is what happened when I used TOR on my test network monitored by Security Onion:
Notice that multiple yellow "Known TOR Exit Node Traffic" alerts are raised.
Security Onion has a slew of features and tools, makes analyzing and tracking network traffic much easier, and also alerts you when it sees suspicious traffic.