nanog mailing list archives
Re: Using snort to detect if your users are doing interesting things?
From: trainier () kalsec com
Date: Thu, 9 Jun 2005 11:36:22 -0400
As it was already noted, you need to be very careful about how you set your IDS up, specifically if you choose snort. Snort is a very powerful tool, when used correctly. Unfortunately, when used incorrectly, it can hose your network over completely. My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose.

Tim

Thor Lancelot Simon <tls () NetBSD ORG>
Sent by: owner-nanog () merit edu
06/09/2005 11:33 AM
Please respond to tls () rek tjls com
To Drew Weaver <drew.weaver () thenap com>
cc nanog () merit edu
Subject Re: Using snort to detect if your users are doing interesting things?

On Thu, Jun 09, 2005 at 11:45:54AM -0400, Drew Weaver wrote:
> I'm wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I'm not real sure how to pinpoint who is really being loud on the inside.

Any IDS ought to be able to do this. The problem will be figuring out where to connect its taps, and how to provide enough capacity at those points to do so without negatively impacting your overall network performance. You should be lauded for doing this. If all providers did it the Internet would be a much, much safer place.

> I did have one somewhat silly question.. if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all can anyone think of a single application that would mimic that behavior?

VoIP with a low-rate codec, or some quantitatively similar multimedia or gaming application?

--
Thor Lancelot Simon tls () rek tjls com
"The inconsistency is startling, though admittedly, if consistency is to be abandoned or transcended, there is no problem." - Noam Chomsky
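Added example, not part of the original thread: one way to pick out ports with the traffic shape discussed above (high, roughly equal pps in both directions and very little bandwidth) from two readings of interface counters. The function names, thresholds and sample counter values are constructed assumptions, and the counters are assumed to be 32-bit and to wrap at most once between readings.

```python
COUNTER_MAX = 2**32  # assumption: 32-bit interface counters (SNMP Counter32)

def delta(old, new):
    """Counter difference that tolerates a single 32-bit wrap."""
    return (new - old) % COUNTER_MAX

def port_profile(prev, cur, min_pps=1000, max_avg_bytes=128, min_symmetry=0.8):
    """Profile one port from two counter readings.

    prev/cur are dicts with t (seconds), in_pkts, out_pkts, in_octets,
    out_octets. The three thresholds are illustrative, not recommendations.
    """
    dt = cur["t"] - prev["t"]
    if dt <= 0:
        raise ValueError("samples must be in time order")
    in_pkts = delta(prev["in_pkts"], cur["in_pkts"])
    out_pkts = delta(prev["out_pkts"], cur["out_pkts"])
    octets = (delta(prev["in_octets"], cur["in_octets"])
              + delta(prev["out_octets"], cur["out_octets"]))
    in_pps, out_pps = in_pkts / dt, out_pkts / dt
    pkts = in_pkts + out_pkts
    avg_bytes = octets / pkts if pkts else 0.0
    hi, lo = max(in_pps, out_pps), min(in_pps, out_pps)
    symmetry = lo / hi if hi else 0.0   # 1.0 means equal pps in and out
    return {
        "in_pps": in_pps, "out_pps": out_pps,
        "mbps": octets * 8 / dt / 1e6,
        "avg_bytes": avg_bytes, "symmetry": symmetry,
        # Many small packets in both directions: consistent with the
        # VoIP/gaming guess in the thread, but it does not identify the app.
        "flag": lo >= min_pps and symmetry >= min_symmetry
                and avg_bytes <= max_avg_bytes,
    }

# Constructed samples, 60 s apart. Port A: 2000 pps each way of 60-byte
# packets, with in_octets wrapping past 2**32 between the two readings.
A_PREV = dict(t=0, in_pkts=1_000, out_pkts=2_000,
              in_octets=4_294_000_000, out_octets=500_000)
A_CUR = dict(t=60, in_pkts=121_000, out_pkts=122_000,
             in_octets=6_232_704, out_octets=7_700_000)
# Port B: bulk download, 2000 pps of 1500-byte packets in, 1000 pps of ACKs out.
B_PREV = dict(t=0, in_pkts=0, out_pkts=0, in_octets=0, out_octets=0)
B_CUR = dict(t=60, in_pkts=120_000, out_pkts=60_000,
             in_octets=180_000_000, out_octets=3_840_000)

if __name__ == "__main__":
    for name, p, c in (("A", A_PREV, A_CUR), ("B", B_PREV, B_CUR)):
        print(name, port_profile(p, c))
```

A flagged port is a candidate for a closer look with the IDS tap or a flow export, not a verdict on what the traffic is.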