In addition to typical log monitoring, network traffic monitoring is essential to identifying threats on your network. In a perfect world, you would know every flow that is going to occur on your network before it happens. If that were possible, you could build an allowlist of expected traffic, treat anything that doesn't match it as suspect, and simply block and alert on it. This is possible in practice, but it takes a broad knowledge of networking, because a great deal of traffic happens on the back end that most people never have to think about.

If you have ever taken a packet capture anywhere on a network, you know there is a large amount of traffic happening behind the scenes. Protocol chatter like DNS and DHCP, or Group Policy being applied, isn't traffic most IT administrators care to look at, but when it comes to security we should know exactly where all of this traffic originates and exactly where it is headed. With a deep understanding of that traffic we can filter out the "noise" (the expected traffic) and write anomaly rules that alert us when new traffic appears on the network. Rules of this kind are not only beneficial in a security setting; they can also surface network problems before a user is able to report them.
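As an added illustration of the baseline-and-anomaly approach described above (example code written for this page, not part of the original post or of Snort), the script below takes a handful of constructed flow records, compares them against an allowlist of traffic we expect to see (DNS to the sanctioned resolver, DHCP broadcasts, SMB and LDAP to the domain controller), and reports every flow that falls outside that baseline. The addresses, networks and the "src dst proto dport" record layout are assumptions made for the example; in production the records would come from NetFlow, Zeek `conn.log` or a similar source.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample flow records (not real traffic) in a simple
# "src dst proto dport" layout. 10.0.0.53 is the assumed internal resolver
# and 10.0.0.10 the assumed domain controller.
SAMPLE_FLOWS = """\
10.0.1.25 10.0.0.53 udp 53
10.0.1.25 10.0.0.10 tcp 445
0.0.0.0 255.255.255.255 udp 67
10.0.1.30 8.8.8.8 udp 53
10.0.1.31 203.0.113.7 tcp 4444
10.0.1.25 10.0.0.10 tcp 389
"""

# Baseline of expected traffic: (source network, destination network,
# protocol, destination port). Everything not matching one of these is
# treated as an anomaly. The networks are assumptions for the example.
BASELINE = [
    ("10.0.0.0/16", "10.0.0.53/32", "udp", 53),          # DNS to the sanctioned resolver
    ("0.0.0.0/32", "255.255.255.255/32", "udp", 67),      # DHCP discover broadcast
    ("10.0.0.0/16", "10.0.0.10/32", "tcp", 445),          # SYSVOL / Group Policy over SMB
    ("10.0.0.0/16", "10.0.0.10/32", "tcp", 389),          # LDAP to the domain controller
]


def parse_flows(text):
    """Parse 'src dst proto dport' lines into Flow objects, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def compile_baseline(rules):
    """Turn the string rules into ip_network objects once, so matching is cheap."""
    return [
        (ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port)
        for src, dst, proto, port in rules
    ]


def is_expected(flow, baseline):
    """True if the flow matches any baseline entry on source, destination, proto and port."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return any(
        src in src_net and dst in dst_net and flow.proto == proto and flow.dport == port
        for src_net, dst_net, proto, port in baseline
    )


def find_anomalies(text, rules=BASELINE):
    """Return every flow in the records that is not covered by the baseline."""
    baseline = compile_baseline(rules)
    return [flow for flow in parse_flows(text) if not is_expected(flow, baseline)]


if __name__ == "__main__":
    for flow in find_anomalies(SAMPLE_FLOWS):
        print(f"ALERT unexpected flow {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Note what the baseline catches: the DNS query to 8.8.8.8 is flagged even though DNS itself is "expected", because the only sanctioned resolver is the internal one; a host resolving names elsewhere is exactly the kind of quiet change (misconfiguration or DNS tunnelling) the post argues you want to know about. The outbound connection to 203.0.113.7 on port 4444 is flagged for the simpler reason that nothing in the baseline describes it. Tightening the source networks per VLAN is the natural next step once you have characterised your own traffic.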

Because Snort is a different animal altogether than your SIEM solution, I'm working on another high-level overview of what you can be capable of doing with Snort and will follow that up with a more technically detailed guide on how to deploy and tweak Snort to get the type of monitoring you will want.