LinuxQuestions.org - Linux - Networking
Realtime network analyser (https://www.linuxquestions.org/questions/linux-networking-3/realtime-network-analyser-4175460000/)

saavik 04-29-2013 08:49 AM

Realtime network analyser
 
Hello!

I am using a DL380 running SLES11 SP1 as a central router and firewall for my network (>300 PCs, 120 printers, >50 servers).

Everything is working fine so far, but now I would like to add a real-time network analyser. I thought about Astaro, but it was too expensive; I looked at Untangle, but I do not want to set up the whole machine from scratch.

Isn't there a way to add a filter to SLES11?

I do not want an HTTP scanner or HTTP proxy; we already have that. I really want to analyse the traffic between my VLANs on my central router/firewall.

Any ideas?

markyd 04-29-2013 09:51 AM

Have you thought about using Wireshark? It has some quite complex filtering ability built in and has the advantage of being able to capture to files and export to other programs; it is quite good on VoIP as well.

MarkyD

Lantzvillian 04-29-2013 05:15 PM

From my experience, the size of your network and the amount of traffic might kill Wireshark, depending on your network topology. Are you attempting to monitor everything from that one central router (I saw VLANs, but are you watching EVERYTHING)? If that's the case, you will need pretty decent hardware.

What are you attempting to monitor? Ntop might do the job: http://www.ntop.org/products/ntop/

Have you looked at some of the commercial solutions available from Riverbed? http://www.riverbed.com/products-sol...ment-products/

saavik 04-30-2013 09:38 AM

OK, my fault. I would like to have an intrusion detection system, like a sniffer, but not like Snort, as I do not have enough time to configure that kind of thing.

I would like to have software that analyses the network traffic and tells iptables to drop a session if it is doing something like trying passwords or transferring a virus.

Any ideas?

Lantzvillian 05-02-2013 05:12 PM

You would need something like an IPS (intrusion prevention system; Snort can do this) and/or a proxy.

There are probably security appliances out there that will do what you want with little intervention, but I think your intentions, while good, are a bit misplaced. Having a system that does what you would like requires an understanding of these types of systems and requires dedication (your time and management's support). This isn't a plug-it-in-and-forget type of security mechanism if you want to do it right.

saavik 05-08-2013 06:48 AM

Yes, I agree with you.

I just thought there would be some kind of network traffic analyser which would not need to be configured from A to Z (as Snort does) but could block traffic known as "bad", such as viruses, logon tests, SSH brute-force and so on.

As I mentioned, I tried Snort, but without the resources an implementation of such a system does not make sense, just as you said.
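The one case from the thread that does not need Snort at all is the SSH brute-force one: the router cannot see failed logins inside an encrypted SSH session, but it can see how often a source opens new connections to port 22 across VLANs, and the iptables "recent" module (present on the 2.6.32 kernel SLES 11 ships) can count and drop those without any signature set. The script below is an added example, not code from the thread or from any of the products mentioned. Everything about the poster's setup is assumed: SSH on tcp/22, inter-VLAN traffic passing through this box's FORWARD chain, and a threshold of 4 new connections per 60 seconds from one source. Run with no argument to print the rules for review, with `apply` to load them, and with `show` to list the sources currently tracked.

```sh
#!/bin/sh
# Added example (not from the thread): rate-limit new SSH connections that
# cross the router, using the iptables "recent" match. Assumed values:
# port 22, FORWARD chain, 4 new connections per 60 s per source address.

SSH_PORT=${SSH_PORT:-22}    # port the limit applies to (assumed)
HITCOUNT=${HITCOUNT:-4}     # new connections allowed per window per source
WINDOW=${WINDOW:-60}        # window length in seconds
LIST=sshbrute               # name of the xt_recent table

# Print the rule set for the given chain (default FORWARD).
# --set records every new connection from the source, so a blocked source
# that keeps retrying keeps extending its own block; the two --update rules
# fire once the source has HITCOUNT entries inside WINDOW seconds, the first
# to log, the second to drop. RETURN hands unblocked packets back to the
# chain's existing policy instead of accepting them outright.
ssh_bruteforce_rules() {
    chain=${1:-FORWARD}
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name $LIST --set
iptables -A SSH_LIMIT -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITCOUNT -j LOG --log-prefix "SSH_BRUTE: " --log-level 4
iptables -A SSH_LIMIT -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITCOUNT -j DROP
iptables -A SSH_LIMIT -j RETURN
iptables -I $chain -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_LIMIT
EOF
}

# Load the rules; refuses unless running as root with iptables available.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    ssh_bruteforce_rules "$1" | sh -e
}

# List tracked sources. Newer kernels expose the table under xt_recent,
# older ones under ipt_recent, so both paths are tried.
show_table() {
    for f in /proc/net/xt_recent/$LIST /proc/net/ipt_recent/$LIST; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "table $LIST not loaded" >&2
    return 1
}

case "${1:-}" in
    apply) apply_rules "${2:-FORWARD}" ;;
    show)  show_table ;;
    *)     ssh_bruteforce_rules "${2:-FORWARD}" ;;
esac
```

Two caveats before loading this on a production router: the recent module only remembers `ip_pkt_list_tot` hits per address (20 by default), so keep `HITCOUNT` below that or raise the module parameter; and any host that legitimately opens many SSH sessions in a short time (backup jobs, monitoring pollers) will trip the limit, so insert an ACCEPT for those sources ahead of the `-j SSH_LIMIT` jump. The rules are not persistent; put them wherever the existing firewall rules are loaded on this box so they survive a reboot.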
