Re: catching traffic spikes

[twig les <twigles () yahoo com>]

Two things that pop into my head immediately are
Netflow switching (Cisco proprietary and
computationaly very expensive) and Sniffer Pro, very
monetarily expensive but easy to read and
full-featured.

If anyone figures out how to monitor traffic patterns
via snort in a coherent manner please post the
solution, but I don't think snort is the right tool
for this.

--- "W. Salet" <salet () wanadoo nl> wrote:
> I have the same problem!
>
> MRTG (Multi Router Traffic Grapher) shows extreme
> incomming traffic spikes.
> Sometimes for two hours! The server slows down and
> is almost unreachable. I
> searched all the /var/log/logfiles &
> /var/log/apache/logfiles but could not
> find anything. So I installed SNORT hoping it could
> trace the source of this
> extreme incomming traffic. I could not find anything
> in the SNORT-logfiles
> which pointed to the extreme traffic spikes. (I am
> using no firewall or
> packetshaper.)
>
> Any ideas how to trace these traffic spikes?
>
>
> ----- Original Message -----
> From: "Fraser Hugh" <hugh_fraser () dofasco ca>
> To: <snort-users () lists sourceforge net>; "'Richard
> Chmura'"
> <rchmura () rogers com>
> Sent: Monday, January 27, 2003 6:24 PM
> Subject: RE: [Snort-users] catching traffic spikes
>
>
> > You can also use tools like ntop to generate
> protocol and host related
> > statistics in a graphical format, which might in
> turn help trim down the
> > amount of logfile analysis you need to do.
> >
> > > -----Original Message-----
> > > From: Kenneth G. Arnold
> [mailto:bkarnold () cbu edu]
> > > Sent: Sunday, January 26, 2003 9:50 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] catching traffic
> spikes
> > > Does this graph represent traffic entering and
> leaving your
> > > network from
> > > the internet?  Does it pass through a firewall? 
> Are you using
> > > Packetshaper?  A firewall can keep very good
> logs of all activity that
> > > passes through it.  Analysis of those logs would
> probably
> > > tell you what
> > > protocol, what source, what destination and what
> ports are
> > > being used. If
> > > you are using packetshaper, the job is much
> easier since it
> > > will tell you
> > > the protocol and the application within that
> protocol that is
> > > being used
> > > very easily.  My guess is that you could
> probably find the information
> > > faster using one of those two means rather than
> trying to use snort to
> > > find it.
> > > Ken
> > >
> > > On Sun, 26 Jan 2003, Richard Chmura wrote:
> > >
> > > > This is totally unrelated to the recent MS-SQL
> worm :-)
> > > > I've been trying to figure out the nature of
> the seemingly
> > > random traffic
> > > > spikes on my mrtg graph.  I put some snort
> rules in place
> > > but I was unable
> > > > to filter to figure out more about these
> spikes.
> > > > The graph is at:
> http://members.rogers.com/rchmura/eth0sar-week.png 
> You
> > > > can see the spikes on the green (IN) and
> blue(OUT) values.
> > > The orange line
> > > > it's just (green / blue)
-------------------------------------------------------
> > > > This SF.NET email is sponsored by:
> > > > SourceForge Enterprise Edition + IBM +
> LinuxWorld = Something 2 See!
> > > > http://www.vasoftware.com
> _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or
> unsubscribe:
> > > >
https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
-------------------------------------------------------
> > > This SF.NET email is sponsored by:
> > > SourceForge Enterprise Edition + IBM +
> LinuxWorld = Something 2 See!
> > > http://www.vasoftware.com
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or
> unsubscribe:
> > >
https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
-------------------------------------------------------
> > This SF.NET email is sponsored by:
> > SourceForge Enterprise Edition + IBM + LinuxWorld
> = Something 2 See!
> > http://www.vasoftware.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or
> unsubscribe:
> >
https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
-------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld =
> Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users