Currently installed and configured snort and snorby for my home network to gather data. Im just wondering how to gather and analyze all these data which you are receiving by these tools. As you might know these tools giving you loads of information about the incoming traffic. If there is any harmful or suspicious traffic on your home network how you can capture and analyzing them?
Snorby by default will have a user interface to analyze the logs. check this online demo https://www.youtube.com/watch?v=DdHdGkGPxoE
similarly SecurityOnion also has its own ELSA based analytics , google for more
Thank you for feedback, i do get all these messages but just wonder how its possible to diagnose the bad traffic from the good traffic especially in my case i`m trying to analyse my home network traffic.
Instead of running Snort in sniffer mode, which reads the packets and display all the packets, we can configure and run Snort in Network Intrusion Detection (NIDS) mode. In NIDS mode, snort performs the detection and analysis on captured traffic using configured signatures and generate alerts when it detects any packets which contain attack pattern(signature) in it. By analyzing these alerts, we can identify the suspicious traffic details. These alerts can be viewed using Snorby also. For more details , please refer snort users manual.
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/
The most challenging thing using a network-based intrusion detection system such as Snort is distinguishing bad traffic from good. Typically, Snort is quite vocal and triggers on many issues that are either less relevant (e.g. pre-attack activities) or false alarms. Professional security analysts therefore use a significant amount of time on fine-tuning the IDS rules to balance the tradeoff between situation awareness and being flooded by irrelevant information. Higher order IDS systems typically try to correlate this information automatically, for example based on learning which alarms that are important and which are not. This can take the form of decision support systems which manifest and share the knowledge of the security analyses. We did research on using ontologies for this in a previous EU project I was working on (PRECYSE).
If the Snort matches the traffic with any of the signatures it raises an alert. These are intrusion alerts could be seen in Snorby or console. Same with Security onion . you need to see for alerts raised by these IDS's
- Badges
- Science topic
- Similar topics
- Engineering
- Computer Engineering