Snort mailing list archives
Re: catching traffic spikes
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Mon, 27 Jan 2003 14:29:46 -0600
If you cause all the traffic to flow through a unix/linux machine, the machine will keep track of the number of tcp, udp and icmp packets passing through it, but it wouldn't tell you where they are coming from. The netstat -s command would show the counters. This might help figure out the protocol of the spikes.
Ken

At 08:17 PM 1/27/03 +0100, W. Salet wrote:
I have the same problem! MRTG (Multi Router Traffic Grapher) shows extreme incoming traffic spikes. Sometimes for two hours! The server slows down and is almost unreachable. I searched all the /var/log/logfiles & /var/log/apache/logfiles but could not find anything. So I installed SNORT hoping it could trace the source of this extreme incoming traffic. I could not find anything in the SNORT-logfiles which pointed to the extreme traffic spikes. (I am using no firewall or packetshaper.) Any ideas how to trace these traffic spikes?

----- Original Message -----
From: "Fraser Hugh" <hugh_fraser () dofasco ca>
To: <snort-users () lists sourceforge net>; "'Richard Chmura'" <rchmura () rogers com>
Sent: Monday, January 27, 2003 6:24 PM
Subject: RE: [Snort-users] catching traffic spikes

> You can also use tools like ntop to generate protocol and host related
> statistics in a graphical format, which might in turn help trim down the
> amount of logfile analysis you need to do.
>
> > -----Original Message-----
> > From: Kenneth G. Arnold [mailto:bkarnold () cbu edu]
> > Sent: Sunday, January 26, 2003 9:50 AM
> > To: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] catching traffic spikes
> >
> > Does this graph represent traffic entering and leaving your network from
> > the internet? Does it pass through a firewall? Are you using
> > Packetshaper? A firewall can keep very good logs of all activity that
> > passes through it. Analysis of those logs would probably tell you what
> > protocol, what source, what destination and what ports are being used. If
> > you are using packetshaper, the job is much easier since it will tell you
> > the protocol and the application within that protocol that is being used
> > very easily. My guess is that you could probably find the information
> > faster using one of those two means rather than trying to use snort to
> > find it.
> >
> > Ken
> >
> > On Sun, 26 Jan 2003, Richard Chmura wrote:
> >
> > > This is totally unrelated to the recent MS-SQL worm :-)
> > >
> > > I've been trying to figure out the nature of the seemingly random traffic
> > > spikes on my mrtg graph. I put some snort rules in place but I was unable
> > > to filter to figure out more about these spikes.
> > > The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png You
> > > can see the spikes on the green (IN) and blue (OUT) values. The orange line
> > > is just (green / blue).
> > >
> > > -------------------------------------------------------
> > > This SF.NET email is sponsored by:
> > > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> > > http://www.vasoftware.com
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
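Ken's netstat -s suggestion leaves the practical step implicit: those counters are cumulative since boot, so a single snapshot says nothing about a spike; you have to take two snapshots a known interval apart and diff them. The script below is an added example, not from the thread or from the Snort project; it assumes the Linux netstat -s layout and uses two constructed snapshots (trimmed to the lines it parses) in place of real captures.

```shell
#!/bin/sh
# Added example, not from the thread: attribute a spike to a protocol by
# diffing two `netstat -s` snapshots. The counters are cumulative since boot,
# so one snapshot says nothing; the change over a known interval does.
# SNAP_A/SNAP_B are constructed samples in Linux `netstat -s` layout, trimmed
# to the lines parsed here, standing in for: netstat -s >a; sleep 60; netstat -s >b
SNAP_A='Ip:
    1523410 total packets received
Icmp:
    2100 ICMP messages received
Tcp:
    1301200 segments received
Udp:
    201000 packets received'
SNAP_B='Ip:
    1890470 total packets received
Icmp:
    2160 ICMP messages received
Tcp:
    1304200 segments received
Udp:
    565000 packets received'
INTERVAL=60   # seconds between the two snapshots

# counter SNAPSHOT SECTION LABEL: value of the counter line containing LABEL
# inside SECTION. Restricting to the section matters: "packets received"
# also matches "total packets received" under "Ip:".
counter() {
    printf '%s\n' "$1" | awk -v sec="$2" -v lbl="$3" '
        /^[A-Za-z]+:/ { cur = substr($1, 1, length($1) - 1); next }
        cur == sec && index($0, lbl) { print $1; exit }'
}

# rx_rate PROTO: inbound packets per second for tcp, udp or icmp
rx_rate() {
    case "$1" in
        tcp)  sec=Tcp;  lbl="segments received" ;;
        udp)  sec=Udp;  lbl="packets received" ;;
        icmp) sec=Icmp; lbl="ICMP messages received" ;;
    esac
    a=$(counter "$SNAP_A" "$sec" "$lbl"); b=$(counter "$SNAP_B" "$sec" "$lbl")
    echo $(( (b - a) / INTERVAL ))
}

# spike_protocol: protocol with the highest inbound rate. This is as far as
# netstat -s goes; it has no per-source breakdown (ntop or firewall logs do).
spike_protocol() {
    for p in tcp udp icmp; do echo "$(rx_rate "$p") $p"; done | sort -rn | head -n 1 | cut -d' ' -f2
}
```

With the sample snapshots, udp comes out at roughly 6000 packets/s against 50 for tcp, which is the kind of answer that tells you what to look for next in ntop or firewall logs.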
Current thread:
- catching traffic spikes Richard Chmura (Jan 25)
- Re: catching traffic spikes Kenneth G. Arnold (Jan 26)
- <Possible follow-ups>
- RE: catching traffic spikes Fraser Hugh (Jan 27)
- Re: catching traffic spikes W. Salet (Jan 27)
- Re: catching traffic spikes Kenneth G. Arnold (Jan 27)
- Re: catching traffic spikes twig les (Jan 27)
- Re: catching traffic spikes James-lists (Jan 27)
- Re: catching traffic spikes W. Salet (Jan 27)
- RE: catching traffic spikes O'Flynn, Derek (Jan 27)