Snorby with Suricata

Snorby dashboard

With the increase in the number of machines that are being unwittingly used for internet-based attacks, it is obvious that businesses need a way of finding out whether any of their own machines are affected. I had been looking for a while for a solution that is current and still receives updates. I had found some older open source solutions, but it seemed as if their authors had moved on to other things and abandoned the code. I finally came across a web-based alert frontend called Snorby, which looked as if it was regularly maintained, along with a backend packet collection system called Suricata, which also seems to have a lot of activity. The next problem I had was collecting the network packets from a router, because Suricata requires that the files it reads are located on the same machine that it is running on. I ended up writing a script that runs tcpdump on the router, via ssh, so that the packet data is streamed to the server where Suricata is installed. This allows even a router with only flash memory to be used as a sensor that collects data about the network traffic.
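The capture arrangement described above, as an added example that is not the script from the original post: a small POSIX shell script that runs tcpdump on the router over ssh and pipes the pcap stream straight into Suricata on the server. The router address, interface, ssh port, config path and log directory are placeholders, and feeding Suricata through its pcap reader (`-r`) on `/dev/stdin` is an assumption about how the stream is consumed rather than something the post states.

```shell
#!/bin/sh
# Added example, not code from the original post. It implements the idea the
# post describes: capture on a flash-only router with tcpdump over ssh and
# stream the packets to the host where Suricata runs, so nothing has to be
# written to the router's storage. All hosts, paths and ports are placeholders.

ROUTER="${ROUTER:-admin@router.example}"          # placeholder ssh target
IFACE="${IFACE:-eth0}"                             # placeholder router interface
SSH_PORT="${SSH_PORT:-22}"                         # port used to reach the router
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"
LOG_DIR="${LOG_DIR:-/var/log/suricata}"            # where Snorby's collector reads

# Command executed on the router (assumes a tcpdump build that supports -U).
#   -U     flush each packet immediately so the stream is live, not buffered
#   -s 0   keep whole packets for Suricata's protocol parsers
#   -w -   write pcap to stdout, which ssh carries back to the server
# The filter excludes the ssh session itself, otherwise the capture would
# record its own transport and grow without bound.
remote_capture_cmd() {
    iface="$1"
    ssh_port="$2"
    printf 'tcpdump -i %s -U -s 0 -w - not tcp port %s' "$iface" "$ssh_port"
}

# The full local pipeline as one string, so the same text can be logged,
# shown in a dry run, and executed. Suricata reads the pcap stream through
# its file reader on /dev/stdin (assumption) and writes eve/unified2 logs to
# LOG_DIR, which is the directory the Snorby side is pointed at.
capture_pipeline() {
    router="$1"
    iface="$2"
    conf="$3"
    ssh_port="$4"
    printf "ssh -p %s %s '%s' | suricata -c %s -l %s -r /dev/stdin" \
        "$ssh_port" "$router" "$(remote_capture_cmd "$iface" "$ssh_port")" \
        "$conf" "$LOG_DIR"
}

# Start the capture. Nothing else may write to stdout inside the pipeline,
# since stdout of the ssh side is the raw pcap stream.
run_capture() {
    pipeline="$(capture_pipeline "$ROUTER" "$IFACE" "$SURICATA_CONF" "$SSH_PORT")"
    echo "starting: $pipeline" >&2
    eval "$pipeline"
}

case "${1:-}" in
    run) run_capture ;;
    *)   echo "dry run: $(capture_pipeline "$ROUTER" "$IFACE" "$SURICATA_CONF" "$SSH_PORT")" ;;
esac
```

Run it with `sh capture.sh run` (any other invocation only prints the pipeline it would execute). Key-based ssh authentication to the router is assumed so the script can run unattended; if the ssh session drops, the pipe closes and Suricata exits at end-of-stream, so in practice the `run` branch is wrapped in a supervisor or a restart loop.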