2

Say you're having a basic LAN-infrastructure (a Router, a Firewall, a switch connected with multiple access points, a server and multiple clients). I want to be able to detect malicious traffic flowing through the network by studying the packets content.

I can for example set the clients network adapters in promiscous mode (e.g. running Wireshark). But this puts extra load on the clients and doesn't show you the whole picture.

How would I be able to get a general overview of the traffic flowing through my devices? Is there a system available that for example can collect all the different important logs my devices are generating without being overwhelmed by duplicate or irrelevant information?

Programmer1994
  • 121
  • 1
  • It sounds like you're asking about something like a SIEM - many can consume both logs and flow data. I don't know whether or not SIEMs can do topology-aware flow duplication, though. – Royce Williams Oct 26 '17 at 00:28

1 Answers1

1

Snort is an open source packet inspection tool that is designed to do exactly what you are looking for. It requires a box with plenty of processing capacity; and it is generally hooked up to a span port on your switch in order to see all the traffic flowing on your network.

John Deters
  • 33,650
  • 3
  • 57
  • 110