Free/inexpensive tools for monitoring systems/networks

Tom wrote in to the handlers list today and asked a question that I think our readers can help with (especially since we've gotten so many great ideas from the diary asking for suggestions for Cyber Security Month).  He is looking for tools to allow for more proactive monitoring of his systems, but given shrinking budgets (he works in government, but the situation isn't much better anywhere else), he's looking for something free or, at least, inexpensive. What are you using to monitor patch status? application versions? A/V? behavior? strange files? network devices? anything else?  Is it centrally managed?  Does it scale?

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
FOR408 Computer Forensics Essentials coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353

Jim

399 Posts
ISC Handler
Secunia PSI for patch status/app versions. Every PC user needs that! Strange files and network devices? Don't have one to do that, but would like to be able to.
Gilbert

21 Posts
RANCID for network switch configuration changes, Nagios for uptime, NMAP and Nessus for patch and application versions...
oleksiy

34 Posts
Helix for your Forensics lab;
ngrep for your network forensics;
syslog-ng for your log aggregation;
tcpdump and tshark with some cron kungfu are your friends for capture;
IPTABLES/NETFILTER for your firewalling;
and last but NOT least snort for your IDS.
Anonymous
Posts
I miss Big Brother... at least the Big Brother before it was bought by Quest.
John

245 Posts
ISC Handler
Just a quick note: Backtrack 4 R1 was just released to the public for immediate download in ISO and VM editions.
Anonymous
Posts
ZenOSS is decent, it can do network discovery (find those unknown devices), show some application versions on Windows (via WMI). OSSEC for strange files.
e.b.

16 Posts
Try NetWitness Investigator freeware, great for network forensics and you could build some parsers to detect OS, Browser versions and application types etc.
Anonymous
Posts
We have a network of about 14k users, and we have implemented Zabbix for availability monitoring for our security gear. It has a bit of a learning curve but it has worked really well for Windows, Linux and network infrastructure. It's open-source and extremely configurable.
Anonymous
Posts
I use Spiceworks for general system monitoring.
Very comprehensive set of tools to deal with network and system monitoring.
Anonymous
Posts
Shell scripts running hourly to test ping, SSH login (ssh and client-side key), DNS (dig), SSL certificate validity (openssl s_client), free disk space, CPU load average and much more. When you have lots of tests in place, you often identify issues that you didn't set up an explicit test for.

For SMTP, an hourly email is sent from a remote site, and 5 minutes later I test to ensure it was received, and also that it hasn't hit any new SpamAssassin tests (which has often identified DNS or configuration issues at either end).

For something more flexible I've been moving most tests to 'mon', but some (such as ping and HTTP) are even better done from 'SmokePing', giving historical RRD graphs of reliability and performance.
Steven C.

171 Posts
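An added example (not Steven C.'s own scripts) of the hourly check pattern he describes: each check_* function returns 0 when healthy and 1 when a threshold is breached, so a cron wrapper can mail the failures. The pure comparison helpers take already-collected values so they run offline; the hostnames, mount points and thresholds are placeholders.

```shell
#!/bin/sh
# Hourly health checks: disk, load, DNS (dig) and SSL validity (openssl s_client).
# Every check_* exits 0 when healthy, 1 when a threshold is breached.

# Pure helpers: take collected values, so they can be tested without a live host.
disk_ok() {   # disk_ok <used pct as printed by df, e.g. "83%"> <max pct>
    used=${1%\%}
    [ "$used" -le "$2" ]
}

load_ok() {   # load_ok <1-minute load average> <max load>; awk handles decimals
    awk -v l="$1" -v m="$2" 'BEGIN { exit (l <= m) ? 0 : 1 }'
}

# Live collectors feed the helpers.
check_disk() {   # check_disk <mountpoint> <max pct>
    disk_ok "$(df -P "$1" | awk 'NR == 2 { print $5 }')" "$2"
}

check_load() {   # check_load <max load>; 1-minute figure from /proc/loadavg (Linux)
    load_ok "$(cut -d' ' -f1 /proc/loadavg)" "$1"
}

check_dns() {    # check_dns <name> <resolver>; dig +short prints nothing on failure
    [ -n "$(dig +short @"$2" "$1" 2>/dev/null)" ]
}

check_ssl() {    # check_ssl <host> <port> <min days>
    # -checkend fails when the cert expires within N seconds, so an expiring
    # cert is caught weeks early, not the morning users start seeing warnings.
    echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -checkend $(( $3 * 86400 ))
}

# Driver for cron, e.g.:  0 * * * * /usr/local/bin/healthcheck.sh run | mail -s "hourly" ops
# (placeholder path and recipient). Only failures produce output, so an empty mail is good news.
run_all() {
    check_disk / 90                 || echo "DISK: / is above 90% used"
    check_load 4                    || echo "LOAD: 1-minute load average above 4"
    check_dns example.com 127.0.0.1 || echo "DNS: example.com did not resolve via 127.0.0.1"
    check_ssl example.com 443 14    || echo "SSL: example.com certificate expires within 14 days"
}

if [ "${1:-}" = "run" ]; then
    run_all
fi
```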
Cacti for historical stats.
Superscan, Nmap, Backtrack.
Solarwinds also has some good free tools - although newer versions are more bloated and full of ads
Anonymous
Posts
Used to use OpenNMS but now we use Zenoss to monitor services, diskspace and Windows Events logs via WMI.
Anonymous
Posts
FireGen for firewall reporting is pretty inexpensive (about $200) and has worked well for us.
Anonymous
Posts
- Backtrack 4 for Investigation/Assessments
- Nessus and Metasploit
- DVL for continued education
- Smokeping for uptime/graph stats
- Open Systems Wireless Auditor Assistant for Wireless, Bluetooth, RFID testing.
- Various (too many to list) scripts for specific tests.
HackDefendr

65 Posts
I regularly see Secunia PSI recommended and it is a great tool but it should be remembered that the 'P' stands for Personal and use in a commercial environment is strictly prohibited. Unfortunately, this is not obvious from the Web site so, unless people read the EULA when they install it, they often do not realise.

Secunia do have a network version for business users but that is not free.
patermann

35 Posts
Concur with Gilbert. Secunia PSI is an absolute must. Use the advanced tab...you'll be shocked at what you find and what needs to be fixed.
Anonymous
Posts
I also use spiceworks as it provides fairly detailed information about systems on your network.

For Windows security updates WSUS is free from MS if you can deploy it.
PW

62 Posts
Spiceworks. Used now for two years as detail asset tool and doubles as a lite security monitor (a/v status & naughty app installs). WSUS, as well (but not in love (or even in like) w/ it)
Anonymous
Posts
OSSEC HIDS (now owned by Trend Micro). It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response on Linux and Windows platforms.

Nagios for network monitoring/management.
Anonymous
Posts
We should all remember that free tools may only be free for home/single PC users.

I would suggest making sure that all of the tools which have been paid for are being used to their limits. There is no sense installing and configuring a tool for some type of management X when that management already exists in something you have paid for.
Peter

2 Posts