Understanding network security monitoring (NSM)

When I was trying to install a nice GUI for Snort, I figured out that I was going to need something else to do what I actually wanted, which is to see alerts and events in the GUI dashboard. I was thinking that I would just install an IDS and a front-end and that's all, but it's not.


[Diagram: network security monitoring]

As you can see in the diagram above, the IDS (sensor) and the front-end (human-readable interface) are just two components of an NSM system.

  1. The sensor (in my case Snort) is the core of the system. It's a packet sniffer with analysis capabilities, based on different sets of rules. These rules are useless if they are not kept up to date.
  2. To keep our rules constantly up to date we need a dedicated piece of software or a script that handles this (in my case, PulledPork).
  3. When events occur (the sensor detects suspicious activity based on the rules in use) they are logged into a journal, a file in the unified2 format.
  4. The spooler (in my case, Barnyard2) reads the events from the unified2 file and writes them into the database.
  5. Now the human-readable interface, or GUI (in my case Snorby), reads the data from the database and displays it nicely in the form of statistics, graphs, charts and lists.
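To make steps 3 and 4 concrete, here is an added example (my own code, not Snort's or Barnyard2's) that decodes a small constructed unified2 stream the way a spooler would before inserting rows into the database. It assumes the legacy IPv4 event record (type 7) and packet record (type 2) layouts, and it stops at a cut-off trailing record, which is normal while Snort is still writing the file.

```python
import socket
import struct
UNIFIED2_PACKET = 2     # record types from the unified2 definitions
UNIFIED2_IDS_EVENT = 7  # (only the two this example handles)
# Every record: 4-byte type + 4-byte length (network byte order), then the body.
RECORD_HDR = struct.Struct("!II")
# Legacy IPv4 IDS event body: eleven uint32, two uint16, four uint8 = 52 bytes.
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
IDS_EVENT_FIELDS = ("sensor_id event_id event_second event_usec signature_id generator_id "
                    "signature_revision classification_id priority_id src_ip dst_ip "
                    "src_port dst_port protocol impact_flag impact blocked").split()
# Packet record header: sensor, event, event_sec, pkt_sec, pkt_usec, linktype, pkt_len.
PACKET_HDR = struct.Struct("!IIIIIII")

def iter_records(buf):
    """Yield (type, body) for each complete record. A cut-off trailing record is
    normal in a file Snort is still writing, so stop there instead of failing."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        end = off + RECORD_HDR.size + rlen
        if end > len(buf):
            break  # incomplete record: a spooler would remember `off` and retry
        yield rtype, buf[off + RECORD_HDR.size:end]
        off = end

def events_to_rows(buf):
    """Decode records into dicts shaped like the rows a spooler would insert."""
    rows = []
    for rtype, body in iter_records(buf):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
            for key in ("src_ip", "dst_ip"):  # render addresses as dotted quads
                rec[key] = socket.inet_ntoa(struct.pack("!I", rec[key]))
            rows.append({"kind": "event", **rec})
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
            sensor, event, sec, _, _, _, plen = PACKET_HDR.unpack_from(body)
            rows.append({"kind": "packet", "sensor_id": sensor, "event_id": event,
                         "event_second": sec, "packet_len": plen,
                         "packet": body[PACKET_HDR.size:PACKET_HDR.size + plen]})
    return rows

def build_sample():
    """Constructed unified2 stream: one event, its packet, then a cut-off record."""
    ev = IDS_EVENT.pack(1, 42, 1700000000, 0, 1000001, 1, 1, 3, 2, 0x0A000005,  # 10.0.0.5
                        0xC0A80114, 40000, 22, 6, 0, 0, 0)  # 192.168.1.20, tcp/22
    pkt = PACKET_HDR.pack(1, 42, 1700000000, 1700000000, 10, 1, 14) + b"\x00" * 14
    partial = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + ev[:20]
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt + partial)
```

Running `events_to_rows(build_sample())` yields one event row and one packet row; the truncated third record is left for the next pass, which is exactly why a spooler keeps a waldo (bookmark) file.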

An example of such an NSM system is SmoothSec. It's a bit more complex than what I've tried, but it follows the same principles.