Free Open Source Network Monitoring Tools You Must Have
Running a network means monitoring. These free tools--from Cacti to Snort to NeDi--will help you get the visibility you need.
In either the commercial or open source flavor, Snort is a very complete intrusion detection system that watches and catalogs network traffic, matching that traffic against predefined rules to monitor network segments for nefarious activity. In fact, it can do much more, since rules can be written to flag traffic that matches any criteria. If you want to check all IM traffic exiting the network that matches a specific internal product code name, that's certainly possible, right along with standard rules that watch for port scans, virus activity, and so forth.
When coupled with the BASE (Basic Analysis and Security Engine) Web GUI, Snort becomes an even more powerful tool. When Snort is configured to log to MySQL, BASE can pull reports on alarm triggers and display traffic anomalies based on source or destination IP address, TCP or UDP port number, and alert type. In addition, if you have multiple Snort sensors in various places on the network, they can all log to the same database, and BASE can produce reports incorporating any or all of those sensors.
The best part is that a Snort sensor doesn't have to be anything special. In most networks, it can easily be built on a low-end desktop- or server-class system, depending on traffic levels. The basic rule sets are available for free from Sourcefire with registration, and rules updates are easily managed. And if you want to go with a supported solution, you can buy the official commercial counterpart from Sourcefire. In either case, Snort can quickly become an invaluable addition to any network.
Do-it-yourself
Too often, IT administrators think that they can't color outside the lines. Whether it's a custom application or an "unsupported" piece of hardware, there are many of us who believe that if a monitoring tool can't handle it immediately, it can't be handled. That's simply not the case, and with a little bit of elbow grease, just about anything can be monitored, cataloged, and made more visible.
An example might be a custom application with a database back end, like a Web store or an internal finance application. Management wants to see pretty graphs and charts depicting usage data in some form or another. If you're using something like Cacti already, there are several ways to bring this data into the fold, such as constructing a simple Perl or PHP script to run queries on the database and pass counts back to Cacti, or even an SNMP call to the database server using private MIBs (management information bases). It can be done, and it can generally be done easily.
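One way to write the database polling script described above, as an added example rather than code from the original article. It uses Python instead of Perl or PHP and prints space-separated `name:value` pairs for a Cacti script data input method; the `orders` table, its columns, and the field names are assumptions, and an in-memory SQLite database with constructed rows stands in for the store's database.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

def build_sample_db():
    """Constructed stand-in for the Web store database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, "
               "total_cents INTEGER, created_at TEXT)")
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed "poll time"
    rows = [
        ("paid", 1999, now - timedelta(minutes=2)),
        ("paid", 4500, now - timedelta(minutes=4)),
        ("failed", 1200, now - timedelta(minutes=1)),
        ("paid", 800, now - timedelta(minutes=30)),  # outside a 5-minute window
    ]
    db.executemany(
        "INSERT INTO orders (status, total_cents, created_at) VALUES (?, ?, ?)",
        [(s, t, c.isoformat()) for s, t, c in rows])
    return db, now

def poll(db, now, window_minutes=5):
    """Aggregate orders inside the polling window. The query is parameterized
    and read-only, so the monitoring account needs SELECT on this table only."""
    since = (now - timedelta(minutes=window_minutes)).isoformat()
    cur = db.execute(
        "SELECT status, COUNT(*), COALESCE(SUM(total_cents), 0) "
        "FROM orders WHERE created_at >= ? GROUP BY status", (since,))
    # Pre-seed every field so the poller always receives the same set of names,
    # even when a status has no rows in this window.
    stats = {"paid": 0, "failed": 0, "revenue_cents": 0}
    for status, count, cents in cur:
        if status in ("paid", "failed"):  # ignore statuses we do not graph
            stats[status] = count
        if status == "paid":
            stats["revenue_cents"] = cents
    return stats

def cacti_line(stats):
    """Format as name:value pairs; int() keeps non-numeric data out of the output."""
    return " ".join(f"{name}:{int(value)}" for name, value in stats.items())

if __name__ == "__main__":
    db, now = build_sample_db()
    print(cacti_line(poll(db, now)))
```

In a real deployment the connection would go to the application's database using a dedicated account limited to SELECT on the tables being counted, so a compromise of the monitoring host does not grant write access to store data.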



