Need something like intrusion detection for internal host monitoring

jamesNJ
Posts: 20
Joined: 2015/02/25 21:49:44

Need something like intrusion detection for internal host monitoring

Post by jamesNJ » 2018/04/19 04:58:44

Hello all,

I need something like a packet or intrusion detection system which is designed to passively listen to network traffic and keep an active catalog of machines (likely by MAC address) that are alive on the existing segment. Such software would find new hosts, keep track of their existence on the network, and possibly trigger alerts or scripts when new/unknown hosts are observed.

This is mainly for keeping tabs on what joins and leaves our LAN segment.

I don't want to use ping sweeps or similar methods to actively scan networks ... I already have nessus and other security products.

Passive monitoring is preferred as I can tap into the necessary span ports on our switch to do this and generate no additional overhead.

Can anyone point me to something that comes close to that?

desertcat
Posts: 843
Joined: 2014/08/07 02:17:29
Location: Tucson, AZ

Re: Need something like intrusion detection for internal host monitoring

Post by desertcat » 2018/04/19 08:51:40

DISCLAIMER: I have no idea if it would work or not but there is a program called "tripwire". Worth *maybe* checking out.


jamesNJ
Posts: 20
Joined: 2015/02/25 21:49:44

Re: Need something like intrusion detection for internal host monitoring

Post by jamesNJ » 2018/04/19 20:18:55

Thanks to both of you for your responses.

I'm looking for something a little more automated ... almost something like snort or similar, but not necessarily for intrusion detection but rather for passive network host monitoring.

What I'm really driving at is that I looked around and didn't see anything really close to what I desired, and thought I would ask the community before I started to write my own.

arpwatch might be a good start -- I'll need to look at it more closely. I may end up using tcpdump with a very tiny input buffer to only capture the necessary MAC, TCP, and port information ... and then log it somewhere for tracking and alerting.

If anyone else has ideas please let me know. Thanks!
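The passive catalog the thread is circling around (listen on a SPAN port, key hosts by MAC, raise an alert when a new station appears or a known IP moves to a different MAC) is small enough to sketch in full. The block below is an added example written for this page; it is not code from the thread, from arpwatch, or from any other project. It works on raw Ethernet frames so it can sit behind any capture source; the frames it processes here are constructed samples, and the MAC addresses, IPs, timestamps and event names are all made up for the illustration.

```python
"""Minimal arpwatch-style passive host catalog (added example, constructed data).

Feed raw Ethernet frames (e.g. read from a SPAN-port capture) into a catalog keyed
by source MAC. Events are emitted for a new station, for a known IP that shows up
behind a different MAC, and for an ARP sender address that disagrees with the
Ethernet source address (a cheap spoofing tell). No packets are ever sent.
"""
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class Station:
    mac: str
    first_seen: int
    last_seen: int
    ips: set = field(default_factory=set)


class HostCatalog:
    def __init__(self):
        self.stations = {}   # mac -> Station
        self.ip_owner = {}   # ip  -> mac that most recently claimed it

    def observe(self, frame: bytes, ts: int) -> list:
        """Learn from one frame; return a list of (event, subject, detail) tuples."""
        events = []
        if len(frame) < 14:
            return events                      # runt frame: nothing to learn from
        _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        mac = mac_str(src)
        if mac in self.stations:
            self.stations[mac].last_seen = ts
        else:
            self.stations[mac] = Station(mac, ts, ts)
            events.append(("new_station", mac, None))
        # ARP requests and replies both carry sender MAC/IP, so either binds an address.
        if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
            hw_type, proto, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
            if hw_type == 1 and proto == ETHERTYPE_IPV4 and hlen == 6 and plen == 4:
                sender_mac = mac_str(frame[22:28])
                sender_ip = ip_str(frame[28:32])
                if sender_mac != mac:
                    events.append(("src_mismatch", mac, sender_mac))
                events.extend(self._bind(sender_mac, sender_ip, ts))
        return events

    def _bind(self, mac: str, ip: str, ts: int) -> list:
        events = []
        if mac not in self.stations:
            self.stations[mac] = Station(mac, ts, ts)
            events.append(("new_station", mac, None))
        self.stations[mac].ips.add(ip)
        prev = self.ip_owner.get(ip)
        if prev is not None and prev != mac:
            events.append(("changed_mac", ip, (prev, mac)))   # arpwatch's "changed ethernet address"
        self.ip_owner[ip] = mac
        return events


# --- constructed sample traffic -------------------------------------------------
def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_frame(src_mac, sender_ip, target_ip, op=1,
                    dst_mac="ff:ff:ff:ff:ff:ff", target_mac="00:00:00:00:00:00") -> bytes:
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(src_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp + b"\x00" * 18          # pad to the 60-byte minimum like a real frame


SAMPLE_FRAMES = [  # (timestamp, frame); all addresses are made up
    (1000, build_arp_frame("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")),        # workstation
    (1001, build_arp_frame("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")),        # same host, no event
    (1002, build_arp_frame("66:77:88:99:aa:bb", "192.168.1.20", "192.168.1.1")),        # second station
    (1003, build_arp_frame("de:ad:be:ef:00:01", "192.168.1.10", "192.168.1.1", op=2)),  # .10 claimed by new MAC
]


def run_demo():
    catalog = HostCatalog()
    events = []
    for ts, frame in SAMPLE_FRAMES:
        events.extend(catalog.observe(frame, ts))
    return catalog, events


if __name__ == "__main__":
    _, evs = run_demo()
    for ev in evs:
        print(ev)
```

To run this against live traffic you would replace `SAMPLE_FRAMES` with frames read from the SPAN port (a pcap reader or a raw socket bound to the monitoring interface) and ship the returned events to whatever logs or alerts you already have; keeping `HostCatalog` free of any capture dependency is what makes it easy to unit-test with constructed frames like the ones above.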
