firewall
Uncle Seryozha, 2017-03-28 16:24:06

How to store a copy of the organization's traffic?

I read STO BR IBBS-1.3-2016; the standard indicates the need to collect network traffic for further analysis in case of incidents.
By what means can this be implemented (as I understand it, temporary storage of traffic, for example for a week)?


2 answer(s)
mace-ftl, 2017-03-28
@Protos

The old-school method is:
1) Mirroring on the switch (possibly from several points; then think about several network interfaces on the receiving side, otherwise there will be drops and oddities on the network at peaks)
2) tcpdump + a couple of simple scripts (a new file should start being written a little before the old one is finished, so that there are no "drops")
- saving
- deleting the oldest file when more than ...% of the disk is occupied
3) The last additions were alerts if the latest dump file is smaller/larger than ... megabytes, in order to track the start time of some problem
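The capture loop, disk pruning and size alert described in this answer, written out as an added example (this is not the poster's script, and it is not part of the original page). It relies on tcpdump's own time-based rotation (-G with a strftime pattern in -w) so consecutive files are back-to-back without the manual "start the next file early" trick, and on -z, which makes tcpdump run a command with the just-closed file as its only argument. The interface eth1, the directory /var/pcap, the 10-minute rotation and the size bounds are assumptions; adjust them to your own mirror port and disk.

```shell
#!/bin/sh
# Added example: tcpdump ring capture with pruning and a size alert.
# Assumed settings (hypothetical): SPAN port eth1, dumps under /var/pcap.
CAP_DIR="${CAP_DIR:-/var/pcap}"
CAP_IF="${CAP_IF:-eth1}"
ROTATE_SEC=600          # one file every 10 minutes
MAX_USE_PCT=80          # prune oldest dumps once usage exceeds this
MIN_MB=1                # alert if the latest finished file is smaller ...
MAX_MB=2000             # ... or larger than these bounds (MB)

# Percentage of the filesystem holding DIR that is in use (df -P is POSIX).
usage_pct() {
    df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# Oldest *.pcap in DIR by modification time (empty string if none).
oldest_pcap() {
    ls -tr "$1"/*.pcap 2>/dev/null | head -n 1
}

# Delete oldest dumps until usage is at or below LIMIT percent or none remain.
prune() {
    dir=$1; limit=$2
    while [ "$(usage_pct "$dir")" -gt "$limit" ]; do
        f=$(oldest_pcap "$dir")
        [ -n "$f" ] || break
        rm -f -- "$f"
    done
}

# Returns 0 when FILE's size in whole MB lies within [MIN, MAX], else 1.
size_in_range() {
    file=$1; min_mb=$2; max_mb=$3
    mb=$(( $(wc -c < "$file") / 1048576 ))
    [ "$mb" -ge "$min_mb" ] && [ "$mb" -le "$max_mb" ]
}

# Post-rotate hook: prune the disk, then check the file tcpdump just closed.
# A file far outside the usual size marks the moment something changed.
post_rotate() {
    prune "$CAP_DIR" "$MAX_USE_PCT"
    if ! size_in_range "$1" "$MIN_MB" "$MAX_MB"; then
        logger -t pcap-rotate "ALERT: $1 outside ${MIN_MB}-${MAX_MB} MB"
    fi
}

case "${1:-}" in
    capture)
        # Start the capture. Run this script by its absolute path so that
        # tcpdump can exec it as the -z hook. -s 0 keeps whole packets,
        # -n skips DNS lookups, -G rotates by time with no gap between files.
        mkdir -p "$CAP_DIR"
        exec tcpdump -i "$CAP_IF" -n -s 0 -G "$ROTATE_SEC" \
            -w "$CAP_DIR/cap-%Y%m%d-%H%M%S.pcap" -z "$0"
        ;;
    "")
        ;;      # no argument: only define the functions (e.g. when sourced)
    *)
        post_rotate "$1"   # invoked by tcpdump -z with the closed file name
        ;;
esac
```

Start it with `/path/to/script.sh capture` (as root, or with CAP_NET_RAW). If your tcpdump build drops privileges with -Z, the capture directory must be writable by that user, since both the writer and the -z hook run as it. The size alert is deliberately coarse: a file that suddenly shrinks usually means the mirror session or the link dropped, and one that balloons usually means a flood, which is exactly the "when did the problem start" signal the answer is after.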

Ilya Maltsev, 2017-04-18
@i_maltsev

1. Firewall -> NetFlow -> nfdump + nfsen www.natalink.ru/articles/analiz_statistiki_netflow
...
2. Firewall/switch -> traffic mirroring via SPAN port -> IDS Suricata
https://xakep.ru/2015/06/28/suricata-ids-ips-197/
