On Fri, 8 Jan 2016, Kennedy, Jim wrote:
> Another option. Port mirror your DNS server and spin up
> SecurityOnion. That is what I am using: port mirroring all my
> to/from server traffic to it. That will get you basic IDS, or you can
> use the Bro logs.
I definitely like Security Onion. It's a beast to learn, but it does get all the tools installed or staged to use for a nice Open Source Network Monitoring System. I would recommend Standalone mode to start and get a copy of Richard Bejtlich's Practice of Network Security Monitoring. They're big fans of Security Onion and even hired the author of SO to work for them. Good stuff!
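Jim's suggestion above is to mirror the DNS server's traffic into Security Onion and work from the Bro logs. As an added example (mine, not part of this thread, of Security Onion or of Bro), here is a small Python script that reads Bro's tab-separated dns.log format, driven by its #fields header, and flags queries that typically merit a second look: very long names, high-entropy labels (a common tell for DNS tunnelling) and TXT lookups. The sample log lines are constructed and reduced to a subset of dns.log's columns; the length and entropy thresholds are assumptions for illustration, not Security Onion defaults.

```python
"""Flag suspicious queries in a Bro/Zeek dns.log.

Bro's ASCII logs are tab-separated with '#'-prefixed metadata lines; the
'#fields' line names the columns, so the parser below works on a full
dns.log as well as on the reduced sample embedded here.
"""
import math
from collections import Counter

# Constructed sample (not real traffic), reduced to the columns used below.
SAMPLE_DNS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1452240000.100000\tCaBcD1\t10.0.0.5\t51234\t10.0.0.2\t53\tudp\twww.example.com\tA\tNOERROR
1452240001.200000\tCaBcD2\t10.0.0.5\t51235\t10.0.0.2\t53\tudp\tupdate.example.org\tAAAA\tNOERROR
1452240002.300000\tCaBcD3\t10.0.0.7\t51236\t10.0.0.2\t53\tudp\t3q7xk9z2m4n8p1v5b6c0d2f4g6h8j0k2l4m6n8p0q2r4s6t8.tunnel.example.net\tTXT\tNOERROR
1452240003.400000\tCaBcD4\t10.0.0.5\t51237\t10.0.0.2\t53\tudp\tmail.example.com\tMX\tNOERROR
"""

# Assumed thresholds for this illustration; tune them against your own baseline.
MAX_QUERY_LEN = 60        # total characters in the queried name
MIN_LABEL_LEN = 20        # only score entropy on labels at least this long
MAX_LABEL_ENTROPY = 3.5   # bits per character of the longest label


def parse_bro_log(text):
    """Return a list of dicts, one per data row, keyed by the #fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other metadata lines (#separator, #types, ...) are skipped
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def flag_query(rec):
    """Return the list of reasons a dns.log record looks suspicious (empty if none)."""
    reasons = []
    query = rec.get("query", "-")
    if query == "-":          # Bro's unset marker: nothing to score
        return reasons
    if len(query) > MAX_QUERY_LEN:
        reasons.append("long query name (%d chars)" % len(query))
    longest = max(query.split("."), key=len)
    entropy = shannon_entropy(longest)
    if len(longest) >= MIN_LABEL_LEN and entropy > MAX_LABEL_ENTROPY:
        reasons.append("high-entropy label %r (%.2f bits/char)" % (longest, entropy))
    if rec.get("qtype_name") == "TXT":
        reasons.append("TXT lookup")
    return reasons


def suspicious_queries(text):
    """Parse a dns.log and return (client, query, reasons) for each flagged row."""
    hits = []
    for rec in parse_bro_log(text):
        reasons = flag_query(rec)
        if reasons:
            hits.append((rec["id.orig_h"], rec["query"], reasons))
    return hits


if __name__ == "__main__":
    for client, query, reasons in suspicious_queries(SAMPLE_DNS_LOG):
        print("%s -> %s: %s" % (client, query, "; ".join(reasons)))
```

To run it against a live Security Onion sensor, replace SAMPLE_DNS_LOG with the contents of the sensor's dns.log; because the parser keys everything off the #fields line, the extra columns of a real log are carried along untouched.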
