Snorby with Suricata
With the increase in the number of machines that are being unwittingly used for internet-based attacks, it is obvious that businesses will need a way of finding out whether any of their machines are affected. I had been looking for a while for a solution that is current and receives updates. I had found some old open source solutions, but it seemed as if the authors had gone on to other things and abandoned the code. I finally came across a web-based alert frontend called Snorby that looked as if it was regularly maintained, along with a backend packet collection system called Suricata that also seems to have a lot of activity.

The next problem I had was collecting the network packets from a router, because Suricata requires that its log files be located on the same machine it is running on, so I ended up writing a script that runs tcpdump on the router via ssh, so that the data could be streamed to the server where Suricata is installed. This allows even a router with only flash memory to be used as a sensor to collect data about the network traffic.
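The following script is an added illustration of the remote-capture idea described above; it is not the author's script. It assumes a router reachable as `admin@router` with a `tcpdump` binary, a capture interface named `eth0`, a Suricata server at `192.0.2.10`, and that Suricata's pcap-file mode can read the stream from `/dev/stdin` (libpcap opens it like any other file). tcpdump writes the pcap stream to stdout (`-w -`), so nothing is written to the router's flash; ssh carries the stream to the server, and Suricata consumes it there. Two details matter for a sensor: the ssh session that carries the capture is excluded by the BPF filter, otherwise the capture would contain its own traffic and grow without bound, and the interface and host names are validated before being spliced into a command that a remote shell will parse.

```bash
#!/bin/bash
# Added example: stream packets from a flash-only router to a local Suricata.
# Hypothetical names: ROUTER_HOST, ROUTER_IFACE, SERVER_IP and LOG_DIR are
# assumptions, not values from the original post.
set -eu

ROUTER_HOST="${ROUTER_HOST:-admin@router}"
ROUTER_IFACE="${ROUTER_IFACE:-eth0}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"          # the Suricata server itself
LOG_DIR="${LOG_DIR:-/var/log/suricata}"

# Interface and host names end up inside a command string that the router's
# shell parses, so only allow characters that cannot break out of that string.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# BPF filter: everything except the ssh session carrying the capture back to
# the server (adjust the port if sshd on the router does not listen on 22).
capture_filter() {
    printf 'not (host %s and port 22)' "$1"
}

# The tcpdump command executed on the router.
#   -U   packet-buffered output, so records reach Suricata promptly
#   -s 0 full packets; Suricata needs payloads for signature matching
#   -n   no reverse DNS on the router
#   -w - pcap stream to stdout, which ssh forwards to us
remote_capture_cmd() {
    valid_token "$1" || { echo "bad interface name: $1" >&2; return 1; }
    valid_token "$2" || { echo "bad server address: $2" >&2; return 1; }
    printf "tcpdump -i %s -U -s 0 -n -w - '%s'" "$1" "$(capture_filter "$2")"
}

# Run the sensor. Suricata in pcap-file mode exits when the stream ends, so
# both sides are restarted together if the ssh session drops.
run_sensor() {
    while :; do
        ssh -o BatchMode=yes -o ServerAliveInterval=30 "$ROUTER_HOST" \
            "$(remote_capture_cmd "$ROUTER_IFACE" "$SERVER_IP")" \
        | suricata -c /etc/suricata/suricata.yaml -r /dev/stdin -l "$LOG_DIR" \
        || echo "capture ended, restarting in 5s" >&2
        sleep 5
    done
}

# Invoked as "./sensor.sh start"; sourcing the file only defines the functions.
if [ "${1:-}" = "start" ]; then
    run_sensor
fi
```

Key-based ssh authentication (`BatchMode=yes`) is required so the loop can restart without a prompt; the router account only needs permission to run tcpdump, not a full shell as root. Suricata's alert output lands in `LOG_DIR`, from where the frontend can pick it up.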