My next class:

Free/inexpensive tools for monitoring systems/networks

Published: 2010-08-09. Last Updated: 2010-08-09 23:04:49 UTC
by Jim Clausing (Version: 1)
40 comment(s)

Tom wrote in to the handlers list today and asked a question that I think our readers can help with (especially since we've gotten so many great ideas from the diary asking for suggestions for Cyber Security Month).  He is looking for tools to allow for more proactive monitoring of his systems, but given shrinking budgets (he works in government, but the situation isn't much better anywhere else), he's looking for something free or, at least, inexpensive. What are you using to monitor patch status? application versions? A/V? behavior? strange files? network devices? anything else?  Is it centrally managed?  Does it scale?

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
FOR408 Computer Forensics Essentials coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353

40 comment(s)
My next class:

Comments

Secunia PSI for patch status/app versions. Every PC user needs that! Strange files and network devices? Don't have one to do that, but would like to be able to.
RANCID for network switch configuration changes, Nagios for uptime, NMAP and Nessus for patch and application versions...
Helix for your Forensics lab;
ngrep for your network forensics;
syslog-ng for your log aggregation;
tcpdump and tshark with some cron kungfu are you friends for capture;
IPTABLES/NETFILTER for your firewalling;
and last but NOT least snort for your IDS.
I miss Big Brother... at least the Big Brother before it was bought by Quest.
Just a quick note: Backtrack 4 R1 was just released to the public for immediate download in ISO and VM editions.
ZenOSS is decent, it can do network discovery(find those unknown devices), show some application versions on Windows(via WMI). OSSEC for strange files.
Try NetWitness Investigator freeware, great for network forensics and you could build some parsers to detect OS, Browser versions and application types etc.
We have a network of about 14k users, and we have implemented Zabbix for availability monitoring for our security gear. It has a bit of a learning curve but it has worked really well for Windows, Linux and network infrastructure. It's open-source and extremely configurable.
I use Spiceworks for general system monitoring.
Very comprehensive set of tools to deal with network and system monitoring.
Shell scripts running hourly to test ping, SSH login (ssh and client-side key), DNS (dig), SSL certificate validity (openssl s_client), free disk space, CPU load average and much more. When you have lots of tests in place, you often identify issues that you didn't set up an explicit test for.

For SMTP, an hourly email is sent from a remote site, and 5 minutes later I test to ensure it was received, and also that it hasn't hit any new SpamAssassin tests (which has often identified DNS or configuration issues at either end).

For something more flexible I've been moving most tests to 'mon', but some (such as ping and HTTP) are even better done from 'SmokePing', giving historical RRD graphs of reliability and performance.

Diary Archives