Use open-source software to build a network security monitoring system

Source: Internet
Author: User

This article is reprinted from: http://www.iii-soft.com/forum.php?mod=viewthread&tid=1517

This article describes how to use open-source software to build an NSM (Network Security Monitoring) system. Such a system resembles the security management platforms that the industry has promoted many times, but because it is built from open-source software, this NSM is mainly used for auditing.
Richard Bejtlich, the author of the original article, is a senior consultant at Foundstone. He has participated in multiple FBI projects and is responsible for training FBI personnel.
The translation was done by the gray guitar.
Main ways to aggregate traffic for monitoring:
Hub: we recommend a Netgear hub; choose a model suited to your network traffic.
Tap (Test Access Port): copies the traffic to two ports, but it is expensive, about $400.
Inline: if you use a software firewall or router (such as Linux or BSD), you can install the monitor on that device, but consider the system performance.
SPAN (port mirroring): if your switch or router supports a mirror port, you can use it to aggregate traffic.

We recommend FreeBSD or OpenBSD as the operating system, given the security and fast deployment of these UNIX systems. If necessary, system deployment can be completed in 30 minutes to 1 hour.
Prepare and rehearse the deployment in advance, strip the system down, enable only the minimum set of services, and use the result as a master operating system image onto which the applications are installed.
When installing the monitoring system, plan the partitions so that log data is written to a separate partition. Then, if the logs grow too large, they cannot fill up the system partition, which helps the system run stably.

The article mentions several pieces of software used to build the NSM:
tcpdump, for full content collection
Snort, the intrusion detection system
Argus, for session collection
trafd/trafshow, statistics tools that measure the real-time traffic on a network interface
Sguil, the front end that collects the information from the tools above, including alert information

tcpdump

Frequently used parameters:
-i <interface>: network interface
-c <n>: stop listening after n packets have been captured
-w <file>: write captured packets to a file
-r <file>: read packets from a file
-n: no reverse hostname resolution
-s <size>: number of bytes captured from each packet (the snaplen)
-X: uppercase X, prints the packet contents in hex and ASCII
-tttt: in tcpdump 3.6 and later, prints the date and timestamp of each packet

Typical commands:

tcpdump -n -i eth1 -s 1514 -w /nsm/cap.lpc

tcpdump -n -tttt -X -r /nsm/cap.lpc | less

Common filter expressions look like this:
host 10.10.2.2 and port 80
net 192.168 and not port 53

Argus
Argus is divided into a server and clients. The server is responsible for recording and detection; the client ra is used to analyze the log files.
Function: records all sessions. No packet content is recorded, but Argus records at what time which IP addresses connected to which IP addresses over which ports.

Argus server command
Common parameters:
-i <interface>: network interface
-N <file>: specify the PID file name
-c: generate a PID file
-d: run as a daemon
-w <filename>: file in which to save the session data
-r <filename>: generate session data from a pcap file

Common usage:

argus -i eth0 -N /root/argus.pid -c -d -w /nsm/cap.argus

Argus can also generate session data from a capture stored by tcpdump:
argus -N /root/argus.pid -c -d -r /nsm/cap.lpc -w /nsm/cap.argus

Argus client command ra
Common parameters:
-a: print summary statistics at the end
-c: display the source and destination byte counts and packet counts
-n: do not translate IP addresses and ports into names
-r <filename>: file from which to read the Argus data
-z or -zb: show more TCP/IP status/flags
<BPF filter>: BPF filter expression, given at the end of the command line
To write the result to a file, use the redirection symbol '>'.

Common command:
ra -a -c -n -r cap.argus -zb not arp
Many fields, especially "status", are decoded in the ra man page:
ACC: accepted connection
EST: established connection
TIM: timed-out connection
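To make the session-data idea concrete, here is an added Python example (not code from the article or from the Argus project) that does in miniature what argus and ra do: it builds a constructed libpcap trace in memory, parses the Ethernet/IPv4/TCP headers, and aggregates the packets into bidirectional sessions with a start time, per-direction packet and byte counts (like ra -c) and a coarse status loosely modelled on ra's status field. The REQ/ACC/EST/FIN/RST states, the hosts, ports and timestamps are all made up for the example.

```python
import struct
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (test data; checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap_bytes(frames, snaplen=1514):
    """Serialise (timestamp, frame) pairs as a libpcap file, truncating like tcpdump -s."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return out

def sessions(pcap):
    """Aggregate TCP packets into bidirectional sessions (start, per-direction counts, status)."""
    flows, off = {}, 24                   # skip the 24-byte pcap global header
    while off < len(pcap):
        ts, _, caplen, wire = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                      # not IPv4/TCP (e.g. ARP): skipped, cf. "not arp"
        t = 14 + (frame[14] & 0x0F) * 4   # TCP header offset after Ethernet + IP header
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        flags, key, rev = frame[t + 13], (src, sport, dst, dport), (dst, dport, src, sport)
        fwd = key in flows or rev not in flows        # initiator -> responder direction?
        f = flows.setdefault(key if fwd else rev, {"start": ts, "spkts": 0, "sbytes": 0,
                                                   "dpkts": 0, "dbytes": 0, "status": "REQ"})
        f["spkts" if fwd else "dpkts"] += 1; f["sbytes" if fwd else "dbytes"] += wire
        if (flags & (SYN | ACK)) == (SYN | ACK): f["status"] = "ACC"  # responder accepted
        elif flags & ACK and f["status"] == "ACC": f["status"] = "EST"
        if flags & (FIN | RST): f["status"] = "RST" if flags & RST else "FIN"
    return flows

# Constructed trace: a full HTTP session (handshake, request, FIN) and one unanswered SYN.
TRACE = pcap_bytes([
    (1000, tcp_frame("10.10.2.2", "192.168.1.5", 40000, 80, SYN)),
    (1000, tcp_frame("192.168.1.5", "10.10.2.2", 80, 40000, SYN | ACK)),
    (1001, tcp_frame("10.10.2.2", "192.168.1.5", 40000, 80, ACK)),
    (1001, tcp_frame("10.10.2.2", "192.168.1.5", 40000, 80, ACK, b"GET / HTTP/1.0\r\n\r\n")),
    (1002, tcp_frame("192.168.1.5", "10.10.2.2", 80, 40000, FIN | ACK)),
    (1005, tcp_frame("10.10.2.2", "192.168.1.9", 40001, 22, SYN)),
])
```

Calling sessions(TRACE) yields one completed web session (3 packets and 180 bytes from the initiator, 2 packets and 108 bytes back, status FIN) and one session to port 22 that never got past REQ, which is exactly the kind of record that survives when only session data, not content, is kept.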
Snort, the classic intrusion detection system, is not analyzed here; only a few common commands and parameters are given:
snort -V (uppercase V, verifies the Snort installation)
snort -b -l /nsm/snort -A full -c /usr/local/src/snort/etc/snort.conf
This command tells Snort to read its configuration from /usr/local/src/snort/etc/snort.conf, to log packets in binary format to the /nsm/snort directory, and to record all alert data in full alert mode.

trafd is a tool that collects network interface data and displays the current connection status.
Usage:
Data collection: trafd -i <interface>
Data parsing: trafstat -i <interface>
The man pages are available online:
http://bpft.by.ru/man_trafd.html
http://bpft.by.ru/man_trafstat.html

trafshow is similar to trafd but measures the real-time statistics of a network interface. Its usage is as follows:
trafshow -i <interface> -n <BPF expression>

Sguil goals:
Written by an analyst
Collects and presents the alerts (events) generated by Snort together with session data and full content data
Almost everything an analyst needs to do (such as setting or clearing alerts) takes one or two mouse clicks.
Client/server design: the server runs in a Unix-like environment, while the client runs on Unix or Windows.
Future versions may allow more monitoring and alerting tools to feed their data through Sguil.
