Snort mailing list archives
RE: Help with monitoring sending packet rate
From: "Spitzer, Nathan" <Nathan.Spitzer () acs-inc com>
Date: Wed, 15 May 2002 14:36:41 -0400
Monitoring throughput to certain devices is probably better handled through SNMP if that's possible. If you have manageable switches, you could use MRTG or similar to alert you to high-traffic situations on individual ports. Otherwise, you REALLY need to sniff some of that traffic so you could develop a rule to monitor it. Good as Snort is, it's not really set up to do throughput analysis.

Just out of curiosity, what port and protocol are the packets using and what kind of machines are they attempting to DOS?

-----Original Message-----
From: Tu Nguyen [mailto:nguyen () ucalgary ca]
Sent: Wednesday, May 15, 2002 1:46 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help with monitoring sending packet rate

Hi All:

I am having a problem with some rogue machines that spew out packets at a very fast rate. I haven't been able to capture any of these packets but I believe they are identical, some sort of DoS. The Src IPs are spoofed and they vary but their destinations are the same. I would like to have snort alert me when this happens and the only signature I can find to identify the incident is by the sending packet rate.

I have been planning to modify spp_portscan to alert me when the packet rate from a certain station or subnet exceeds a certain threshold, but the code looks daunting. Does anyone know how to monitor such an event? Or do I need to reinvent the wheel here?

Thank you all.

Tu Nguyen
nguyen () ucalgary ca
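The detection asked about in this thread, sketched as an added example that is not part of either message and not Snort code: because the sources are spoofed and vary while the destination stays the same, the counter is keyed on destination address and fires once when the packet count in a sliding window crosses a threshold. The window length, threshold, function names and sample addresses are assumptions, and the packet records are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0   # assumed sliding-window length
RATE_THRESHOLD = 100   # assumed packets per window before alerting


def detect_floods(packets, window=WINDOW_SECONDS, threshold=RATE_THRESHOLD):
    """packets: iterable of (timestamp, src_ip, dst_ip) sorted by timestamp.

    Returns one alert per burst as
    (timestamp, dst_ip, packets_in_window, distinct_sources_in_window).
    """
    recent = defaultdict(deque)  # dst_ip -> (timestamp, src_ip) inside the window
    alerting = set()             # destinations currently over the threshold
    alerts = []
    for ts, src, dst in packets:
        q = recent[dst]
        q.append((ts, src))
        # Drop packets that have aged out of the window for this destination.
        while q and q[0][0] <= ts - window:
            q.popleft()
        if len(q) > threshold:
            if dst not in alerting:  # alert once per burst, not once per packet
                alerting.add(dst)
                sources = len({s for _, s in q})
                alerts.append((ts, dst, len(q), sources))
        else:
            alerting.discard(dst)
    return alerts


def sample_packets():
    """Constructed sample: steady traffic to one host, a flood at another."""
    # 10 packets/second from a single client: normal.
    pkts = [(i * 0.1, "203.0.113.5", "192.0.2.20") for i in range(20)]
    # 1000 packets/second from rotating (spoofed-looking) sources: flood.
    pkts += [(0.5 + i * 0.001, f"198.51.100.{i % 250 + 1}", "192.0.2.10")
             for i in range(500)]
    return sorted(pkts)


if __name__ == "__main__":
    for ts, dst, count, sources in detect_floods(sample_packets()):
        print(f"{ts:.3f}s flood to {dst}: {count} pkts/window, {sources} sources")
```

A high distinct-source count alongside a high rate to one destination matches the pattern described in the original question; per-source counting would miss it because each spoofed source sends only a few packets.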