NSM is not a new term and it's not one credited to the Knoppix-NSM developers. Our first introduction to NSM was through the intrusion analysis tool "Sguil" and "The Tao Of Network Security Monitoring: Beyond Intrusion Detection". If you want to find out more about NSM, I suggest you check out Richard Bejtlich's TaoSecurity website or his book "The Tao Of Network Security Monitoring". More information about Sguil can be found on our tools page or on the Sguil website.
Q.
Why can't I extract transcripts or wireshark logs?
A.
This is due to a time inconsistency between the server and sensor components: the server asks for packets from a time window that does not match the timestamps in the sensor's capture files, so nothing is found. Since Snort can log timestamps in either UTC or local time, it is very important, when components are installed on separate machines, that all machines have synchronised clocks and agree on the timezone (if set) and on whether Snort logs in UTC.
This can be done either by setting the timezone on all machines to UTC, or by setting the timezone on all machines to the same value and removing the $UTC variable from the OPTIONS variable in the following init scripts:
/etc/init.d/snortu
/etc/init.d/snortl
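The check behind this answer, as an added example that is not part of Knoppix-NSM: a small POSIX shell script that reports whether two components (for instance the server and the sensor, or the two Snort instances on one sensor) will read timestamps the same way, and whether an init script's OPTIONS line still passes $UTC. The helper names (snort_logs_utc, logging_mode, tz_consistent, report) are my own, the init-script fragments and the +0100 / -0500 offsets are constructed for the demonstration, and the script assumes a host's UTC offset is what `date +%z` prints.

```shell
#!/bin/sh
# Added example, not part of Knoppix-NSM. Checks that two components will
# agree on Snort timestamps before transcripts/pcap extraction is attempted.
# Assumptions: a component's UTC offset is the `date +%z` form (e.g. +0100),
# and it logs in UTC only when its snort init script still passes $UTC.

# snort_logs_utc FILE
# Exit 0 if the OPTIONS= line in the init script still references $UTC
# (Snort stamps logs in UTC), 1 if it was removed (Snort uses local time).
snort_logs_utc() {
    grep -E '^[[:space:]]*OPTIONS=.*\$UTC' "$1" >/dev/null 2>&1
}

# logging_mode FILE -> prints "yes" (UTC) or "no" (local time).
logging_mode() {
    if snort_logs_utc "$1"; then echo yes; else echo no; fi
}

# tz_consistent OFFSET_A UTC_A OFFSET_B UTC_B
# OFFSET_x is the component's `date +%z` output, UTC_x is "yes" or "no".
# Exit 0 when both will agree on timestamps, 1 when the server would look
# in the wrong part of the capture files.
tz_consistent() {
    a_off=$1; a_utc=$2; b_off=$3; b_utc=$4
    # Both log in UTC: the local timezone of either side is irrelevant.
    if [ "$a_utc" = yes ] && [ "$b_utc" = yes ]; then
        return 0
    fi
    # One in UTC, the other in local time: they differ by the local-time
    # side's offset, unless that side's timezone is itself UTC (+0000).
    if [ "$a_utc" != "$b_utc" ]; then
        if [ "$a_utc" = no ] && [ "$a_off" = "+0000" ]; then return 0; fi
        if [ "$b_utc" = no ] && [ "$b_off" = "+0000" ]; then return 0; fi
        return 1
    fi
    # Both log local time: the offsets must match exactly.
    [ "$a_off" = "$b_off" ]
}

# report OFFSET_A UTC_A OFFSET_B UTC_B LABEL -> one human-readable line.
report() {
    if tz_consistent "$1" "$2" "$3" "$4"; then
        echo "$5: consistent"
    else
        echo "$5: MISMATCH - timestamps will not line up"
    fi
}

# Demonstration on constructed init-script fragments (not the real
# /etc/init.d files). Both scripts here run on a host set to +0100.
tmp=$(mktemp -d)
printf 'OPTIONS="-c /etc/snort/snort.conf -i eth0 $UTC"\n' > "$tmp/snortu"
printf 'OPTIONS="-c /etc/snort/snort.conf -i eth0"\n' > "$tmp/snortl"

# $UTC left in one script but not the other: alerts and captures disagree.
report +0100 "$(logging_mode "$tmp/snortu")" +0100 "$(logging_mode "$tmp/snortl")" \
       "snortu (\$UTC kept) vs snortl (\$UTC removed)"

# Remove $UTC from the remaining script, as the FAQ suggests, and re-check.
sed 's/ \$UTC//' "$tmp/snortu" > "$tmp/snortu.fixed"
report +0100 "$(logging_mode "$tmp/snortu.fixed")" +0100 "$(logging_mode "$tmp/snortl")" \
       "snortu and snortl both without \$UTC"

# Two machines in different timezones that both log local time.
report +0100 no -0500 no "server at +0100 vs sensor at -0500, both local time"

rm -rf "$tmp"
```

Run it on each machine with the real offsets from `date +%z` and the real init scripts to see which combination you actually have; the two passing states are exactly the two fixes in the answer above (everything in UTC, or the same timezone everywhere with $UTC removed from both scripts).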
Q.
It says it's compiling but it's taking an awfully long time. Has it hung?
A.
To keep the display relatively clutter-free, the majority of the output is piped to the log file. This ensures that everything is captured for troubleshooting, but it can also look as if nothing is happening. You can get a full picture of what is going on by tailing the log file.
We do this extensively during testing to get the full picture of what is happening.