
There are a lot of network monitoring recommendations in other questions, but none are what I'm looking for.

I'm looking for a distro specifically targeted to doing passive network monitoring (either inline or via port mirroring). Ideally it'll come mostly pre-configured with snort/base/ntop/bandwidthd/etc. and hopefully some "glue".

I only need network data (bandwidth usage, snort alerting, and such); monitoring the health of items on the network is not the goal.

Any suggestions?

4 Answers


I've been wanting to poke around with Honeywall for a while now, but haven't had the chance to. It looks as good as anything else out there for this purpose.

EEAA
  • Interesting ... it's now on my 'experiment with this' list ... thanks –  Sep 12 '10 at 19:03

OSSIM has these features and more. It can be a bit difficult to figure out how to manage events, but once you've worked with it for a while it gets more intuitive.

Strata Guard is a great product on the snort side of things and very easy to manage events in, but the free-as-in-beer Lite version is limited to 10Mbps, meaning some activity will not be monitored if the bandwidth exceeds this threshold.

nedm
  • Never heard of Strata Guard, looks reasonably swanky. OSSIM seems to meet my requirements, so I'm going to attempt to roll that out this week ... –  Sep 12 '10 at 19:04

Not a full-blown distro, but OSSEC seems to fit the bill. Personally I'd rather have a tool that builds & works well in $MyFavoriteDistro rather than having to adapt to somebody else's idea of what the OS should look like just so I can use the software.

AndyN
  • It's more about the "glue" and there being something documented end to end ... it's the only non-doze box in this location and I'm mostly concerned about me and a bus having a disagreement –  Sep 12 '10 at 19:02

I'm pretty happy with pfSense (FreeBSD), and in a port mirroring situation it would be trivial to implement.

pfSense 1.2.3 has snort/ntop/RRD Graphs/Darkstat graphs/SNMP/nmap ready to use nearly out of the box.

This is designed to be more of an appliance, but a 10-minute install, plus 10 minutes to pick the packages you want to install, and you've got a pretty usable management/monitoring station.