Posted on: October 13th, 2011 by John

Following repeated reports of port scans on the intranet that nobody could account for, we set up a vanilla installation of Snort. To be honest, I needed to change out my adult diaper after looking at the raw, unfiltered alert data.

As some background, Snort is running on a rather old HP DL180 G1 with 4 GB of RAM and two dual-core processors. To be fair, pointing the network traffic of 350+ machines at a five-year-old server may not have been the kindest thing I've done in a while, but it did hold the load. (Whether it held it without silently dropping packets is worth confirming against the packet statistics Snort prints when it exits; a dropped packet never becomes an alert, so a sensor that is quietly overloaded looks exactly like a quiet network.)

After building rudimentary filters in BASE (Basic Analysis and Security Engine) and going through less than 24 hours' worth of alerts, I could easily pick out a dozen workstations and a server that needed immediate attention from the IT team. I am looking forward to integrating Snort with iTop for a more complete network management solution, and hopefully I will have more to share on this topic soon.
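The triage above, turning a day of raw Snort alerts into a shortlist of hosts worth an IT ticket, is the same aggregation BASE does with a few clicks, and it is worth seeing as code. The following is an added example, not code from the original post or from Snort or BASE: it parses Snort's single-line "fast" alert format, groups alerts by source address, and flags sources that hit many distinct hosts (a horizontal sweep) or many distinct ports on one host (a vertical scan). The alert lines, signature IDs and thresholds are all constructed for the example; the post does not say which BASE filters were used, so the thresholds here are an assumption.

```python
"""Triage Snort fast-format alerts: rank internal hosts by scan-like behaviour.

Added example; the sample alerts, signature IDs and thresholds below are
constructed for illustration and are not from the original post.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One Snort "alert_fast" line looks like:
#   10/13-09:14:01.000000  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 2] {TCP} SRC:SPORT -> DST:DPORT
# Classification is optional, and ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def summarize(lines: List[str]) -> Tuple[Dict[str, dict], int]:
    """Aggregate alerts per source IP; also count lines that failed to parse."""
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"alerts": 0, "targets": set(), "ports": set(), "probes": set(), "sigs": set()}
    )
    skipped = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            skipped += 1
            continue
        s = per_src[a["src"]]
        s["alerts"] += 1
        s["targets"].add(a["dst"])
        s["probes"].add((a["dst"], a["dport"]))  # distinct (host, port) pairs touched
        if a["dport"] is not None:
            s["ports"].add(a["dport"])
        s["sigs"].add(a["msg"])
    return per_src, skipped


def triage(lines: List[str], min_targets: int = 5, min_ports: int = 10) -> List[dict]:
    """Flag sources that swept many hosts or many ports; thresholds are assumptions."""
    per_src, _ = summarize(lines)
    flagged = []
    for src, s in per_src.items():
        horizontal = len(s["targets"]) >= min_targets
        vertical = len(s["ports"]) >= min_ports
        if not (horizontal or vertical):
            continue
        kind = "both" if horizontal and vertical else ("horizontal" if horizontal else "vertical")
        flagged.append({"src": src, "kind": kind, "alerts": s["alerts"],
                        "targets": len(s["targets"]), "ports": len(s["ports"]),
                        "probes": len(s["probes"]), "sigs": sorted(s["sigs"])})
    # Most distinct (host, port) probes first: the widest scanner tops the list.
    flagged.sort(key=lambda f: (f["probes"], f["alerts"]), reverse=True)
    return flagged


def _alert(ts, sid, msg, src, sport, dst, dport, proto="TCP", prio=2,
           cls="Attempted Information Leak") -> str:
    """Build one constructed fast-format alert line."""
    return (f"10/13-{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: {cls}] "
            f"[Priority: {prio}] {{{proto}}} {src}:{sport} -> {dst}:{dport}")


# Constructed sample: a workstation sweeping port 445 across a /24, a server
# walking 40 ports on one host, a benign one-off, a junk line, and an ICMP alert.
SAMPLE_ALERTS = (
    [_alert(f"09:14:{i:02d}.000000", 1000001, "LOCAL SCAN SMB sweep",
            "10.20.1.17", 51000 + i, f"10.20.0.{i}", 445) for i in range(1, 26)]
    + [_alert(f"10:02:{i:02d}.000000", 1000002, "LOCAL SCAN vertical",
              "10.20.0.5", 40000 + i, "10.20.0.9", 20 + i) for i in range(0, 40)]
    + [_alert("11:30:00.000000", 1000003, "LOCAL POLICY printer chatter",
              "10.20.1.40", 33333, "10.20.0.7", 9100, prio=3, cls="Misc activity")]
    + ["not an alert line"]
    + ["10/13-11:45:00.000000  [**] [1:1000004:1] LOCAL ICMP ping sweep [**] "
       "[Classification: Misc activity] [Priority: 3] {ICMP} 10.20.1.17 -> 10.20.0.30"]
)

if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f"{f['src']:<15} {f['kind']:<10} alerts={f['alerts']:<4} "
              f"hosts={f['targets']:<4} ports={f['ports']:<4} sigs={', '.join(f['sigs'])}")
```

Run against a real `alert` file the same function works unchanged, but keep the unparsed-line count in view: Snort writes non-alert lines to the same file in some configurations, and a parser that silently drops everything it does not understand is exactly how a scanner hides. The thresholds deserve tuning per network; vulnerability scanners and monitoring hosts will top this list every day and belong on an allow-list rather than a ticket.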
