Firewall Wizards mailing list archives

Re: Taking a traffic snapshot with network IDS


From: Farrukh Haroon <farrukhharoon () gmail com>
Date: Mon, 21 Jun 2010 16:51:39 +0300

Instead of capturing each packet, you would be better off going via the
Netflow Path IMHO.

There are a number of free netflow analyzers available on the Internet e.g.:

http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php
http://www.solarwinds.com/products/freetools/netflow_analyzer.aspx
http://www.paessler.com/ (I think they offer one netflow sensor in the free version)

Regards

Farrukh

On Fri, Jun 18, 2010 at 4:58 PM, Yack, Daniel <dyack () aiminspections com> wrote:

There are probably one thousand ways to do this, but I wanted to toss
this out…

For simplicity, let’s just say I’m watching traffic from an internet router
to my core router(s).  That’s the only segment I’m interested in.  The goal
is for me to discover all ‘normal’ traffic in my environment, and take a
snapshot of that.  By snapshot, I mean gather traffic for 24 hours.  Then
review all of it manually, and create a template that says “alert when you
find something that isn’t in this list”.

I realize this is a pretty simple problem – but getting back to basics is
always a good thing.  I do have some linux experience, but am not a ‘power
user’.  Any ideas on tools or what to use for this?  An IDS/IPS is probably
the answer here, right?  If so, which kind…perhaps snort?  I consider
myself a firewall guy but am ashamed I’ve never used it!!

Oh…as far as hardware available:  Doing this in a lab first, which has:
Cisco for the internet router, going through Fortigate and/or Checkpoint
firewalls, into a Cisco core layer 3 switch.  Also I have a few linux
platforms but they’re tasked for other things over there.  Don’t
over-analyze the network topology, I can always move or make more than one
IDS if needed.

Any ideas?  Perhaps someone has done this before?

-Dan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
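The thread's two ideas, Dan's "collect a day of traffic, then alert on anything not in the list" and Farrukh's suggestion to work from NetFlow rather than full packet capture, fit together in a short script. The example below is added here and is not from either poster or from any of the products linked above. It assumes flow records already exported by a collector into a simple CSV layout (timestamp, src, dst, proto, sport, dport, bytes); that layout and the sample records are constructed for the example, and real collectors use their own export formats. The script builds the whitelist from the observation window, reduces each flow to "which source subnet talks to which destination service" (source ports are ephemeral and dropped, ICMP has no ports), and then reports any service in a later window that the baseline never saw, with the byte volume involved.

```python
"""Baseline-and-alert over flow records: example code, not from the thread.

Assumption: flows arrive as CSV with the columns ts,src,dst,proto,sport,dport,bytes.
Real NetFlow collectors have their own export formats; adapt parse_flows() to yours.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: the 24-hour observation window (the "snapshot").
BASELINE_CSV = """\
ts,src,dst,proto,sport,dport,bytes
2010-06-18T09:00:01,10.1.1.25,93.184.216.34,tcp,51022,80,4120
2010-06-18T09:00:07,10.1.1.30,93.184.216.34,tcp,51100,443,19800
2010-06-18T09:01:10,10.1.1.25,10.1.0.5,udp,40123,53,110
2010-06-18T09:02:44,10.1.1.31,10.1.0.5,udp,40987,53,98
2010-06-18T10:15:00,10.1.2.12,198.51.100.7,tcp,50001,443,2207
2010-06-18T11:00:00,10.1.1.25,10.1.0.5,icmp,0,0,84
"""

# Constructed sample: a later window to check against the baseline.
NEW_CSV = """\
ts,src,dst,proto,sport,dport,bytes
2010-06-19T09:00:05,10.1.1.25,93.184.216.34,tcp,51500,80,3900
2010-06-19T09:03:19,10.1.1.40,203.0.113.9,tcp,52000,6667,512
2010-06-19T09:04:00,10.1.1.25,10.1.0.5,udp,41000,53,101
2010-06-19T09:05:30,10.1.1.41,203.0.113.9,tcp,52010,6667,731
2010-06-19T09:09:00,10.1.2.12,198.51.100.7,tcp,50100,443,1800
2010-06-19T09:11:00,10.1.1.50,10.1.0.5,tcp,52200,22,4000
"""


def parse_flows(text):
    """Parse the CSV layout assumed above into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def service_key(row):
    """Reduce a flow to the part worth whitelisting.

    Source hosts are aggregated to their /24 (a choice made for this example so
    that a new client on a known subnet does not trip an alert), the source port
    is dropped because it is ephemeral, and ICMP flows carry no port at all.
    """
    src_net = ipaddress.ip_network(row["src"] + "/24", strict=False)
    proto = row["proto"].lower()
    dport = int(row["dport"]) if proto in ("tcp", "udp") else None
    return (str(src_net), row["dst"], proto, dport)


def build_baseline(rows):
    """The whitelist: every service key seen during the observation window."""
    return {service_key(r) for r in rows}


def find_new_services(baseline, rows):
    """Map each service key absent from the baseline to the bytes it moved."""
    unseen = Counter()
    for r in rows:
        key = service_key(r)
        if key not in baseline:
            unseen[key] += int(r["bytes"])
    return unseen


def format_alerts(unseen):
    """Render alerts, largest byte volume first, for a human to review."""
    lines = []
    for (src_net, dst, proto, dport), nbytes in unseen.most_common():
        port = "" if dport is None else f":{dport}"
        lines.append(f"NEW SERVICE  {src_net} -> {dst}{port}/{proto}  {nbytes} bytes")
    return lines


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_CSV))
    print(f"baseline holds {len(baseline)} service keys")
    for line in format_alerts(find_new_services(baseline, parse_flows(NEW_CSV))):
        print(line)
```

Run against the constructed data, the baseline contains five distinct services and the second window raises two alerts: the two hosts reaching an outside address on tcp/6667, and a host opening tcp/22 to the internal DNS server. The manual review step Dan describes still matters: the baseline is only as clean as the day it was captured from, so anything already present during the snapshot window is silently whitelisted.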