
BLU Discuss list archive



[Discuss] Visualizing LAN traffic



The commercial IDS system Sourcefire offers uses a "contextualization"
technology that eliminates many of the "false positives" snort generates.
For example, Sourcefire will show you all events, but gives you the option
to only look at the ones that weren't blocked by inline mode.  Further,
data is collected per IP address and correlated.  This is helpful when you
have a single IP sending odd traffic, you can click the IP and see
everything that has happened on that IP, including logins, services,
usernames that have been transmitted, etc.  Unfortunately the commercial
IDS system lists starting at about $15,000.

One key feature that I would really like is if instead of showing me
destination IP addresses I was shown destination IP addresses + geographic
locations.  I tend to worry less about traffic to and from the US than I do
from China or Russia.  I am also more concerned with alerts generated after
hours than during regular business hours.  In short, the open source
version of Snort lacks the ability to understand business rules.  This
limitation really reduces the usefulness of Snort as a tool.

If anyone is really interested in starting to write
some customizations that would help with visualization I would be thrilled
to participate.

Chris

On Thu, Jan 19, 2012 at 5:50 PM, Daniel C. <dcrookston at gmail.com> wrote:

> On Thu, Jan 19, 2012 at 5:34 PM, Tom Metro <tmetro-blu at vl.com> wrote:
> > Anyone seen a tool for visualizing LAN traffic? Something that can
> > distill what's going on down to a dynamic infographic of sorts, with
> > ways of indicating unusual behavior?
>
> On Monday I'm starting a class on data visualization.  I was thinking
> of taking on something like this for the final project.  The idea that
> someone would find such a tool useful makes me more than marginally
> more interested.
>
> > I've heard of tools that let you listen to LAN traffic, where supposedly
> > you can easily hear the differences when something unusual happens. But
> > I'd expect such a tool to get annoying fast.
>
> I think I'd actually enjoy having something like that.  You could have
> the volume down low enough that it would become background noise, and
> you'd only notice it if something changed.  Just like machinery in a
> factory or something.
>
> -Dan
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
Chris O'Connell
http://outlookoutbox.blogspot.com
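One way to bolt on the business rules this message wishes Snort had (destination geography and an after-hours flag), as an added example that is not code from the post or from Snort: a small Python script that enriches fast-format alert lines and re-ranks them. The sample alert lines and the prefix-to-country table are constructed; a real deployment would replace the table with a GeoIP database lookup.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample alerts in Snort's "fast" alert layout (the stamp has no year).
SAMPLE_ALERTS = """\
01/19-10:15:02.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 192.168.1.10:4433 -> 203.0.113.5:80
01/19-23:41:55.000000  [**] [1:2010937:3] ET POLICY Suspicious outbound [**] [Priority: 2] {TCP} 192.168.1.22:51000 -> 198.51.100.77:443
01/19-02:05:10.000000  [**] [1:2008578:6] ET SCAN Sipvicious scan [**] [Priority: 2] {UDP} 192.168.1.22:5060 -> 192.0.2.9:5060
"""

# Assumption: this tiny prefix -> country table stands in for a real GeoIP
# database. The prefixes are documentation ranges, not real geolocation data.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "CN"),
    (ip_network("192.0.2.0/24"), "RU"),
]
WATCH_COUNTRIES = {"CN", "RU"}   # destinations the post says it worries about more
BUSINESS_HOURS = range(9, 18)    # 09:00-17:59; anything else counts as after hours

ALERT_RE = re.compile(
    r"^\d\d/\d\d-(?P<hh>\d\d):\d\d:\d\d\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\].*?"
    r"[\d.]+:\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$")

def country_for(ip):
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "unknown"

def enrich(line):
    # Parse one alert; return None for lines that are not fast-format alerts.
    m = ALERT_RE.match(line)
    if not m:
        return None
    cc = country_for(m["dst"])
    after_hours = int(m["hh"]) not in BUSINESS_HOURS
    # Snort priority 1 is the most severe, so invert it (1 -> 3, 2 -> 2, 3 -> 1),
    # then add the business-rule weight: +2 for a watched country, +1 after hours.
    score = (4 - int(m["prio"])) + (2 if cc in WATCH_COUNTRIES else 0) + (1 if after_hours else 0)
    return {"msg": m["msg"], "dst": m["dst"], "country": cc,
            "after_hours": after_hours, "score": score}

def rank_alerts(text):
    # Enrich every line and return the alerts highest business score first
    # (sorted is stable, so ties keep their original order).
    rows = [r for r in map(enrich, text.splitlines()) if r]
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Running `rank_alerts(SAMPLE_ALERTS)` pushes the two off-hours alerts to watched countries above the daytime priority-1 alert to a US address, which is exactly the reordering the message asks for.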





