Snort mailing list archives
Re: catching traffic spikes
From: twig les <twigles () yahoo com>
Date: Mon, 27 Jan 2003 12:43:15 -0800 (PST)
Two things that pop into my head immediately are Netflow switching (Cisco proprietary and computationally very expensive) and Sniffer Pro, very monetarily expensive but easy to read and full-featured. If anyone figures out how to monitor traffic patterns via snort in a coherent manner please post the solution, but I don't think snort is the right tool for this.

--- "W. Salet" <salet () wanadoo nl> wrote:

I have the same problem! MRTG (Multi Router Traffic Grapher) shows extreme incoming traffic spikes. Sometimes for two hours! The server slows down and is almost unreachable. I searched all the /var/log/logfiles & /var/log/apache/logfiles but could not find anything. So I installed SNORT hoping it could trace the source of this extreme incoming traffic. I could not find anything in the SNORT-logfiles which pointed to the extreme traffic spikes. (I am using no firewall or packetshaper.) Any ideas how to trace these traffic spikes?

----- Original Message -----
From: "Fraser Hugh" <hugh_fraser () dofasco ca>
To: <snort-users () lists sourceforge net>; "'Richard Chmura'" <rchmura () rogers com>
Sent: Monday, January 27, 2003 6:24 PM
Subject: RE: [Snort-users] catching traffic spikes

You can also use tools like ntop to generate protocol and host related statistics in a graphical format, which might in turn help trim down the amount of logfile analysis you need to do.

-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold () cbu edu]
Sent: Sunday, January 26, 2003 9:50 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] catching traffic spikes

Does this graph represent traffic entering and leaving your network from the internet? Does it pass through a firewall? Are you using PacketShaper? A firewall can keep very good logs of all activity that passes through it. Analysis of those logs would probably tell you what protocol, what source, what destination and what ports are being used. If you are using packetshaper, the job is much easier since it will tell you the protocol and the application within that protocol that is being used very easily. My guess is that you could probably find the information faster using one of those two means rather than trying to use snort to find it.

Ken

On Sun, 26 Jan 2003, Richard Chmura wrote:

This is totally unrelated to the recent MS-SQL worm :-) I've been trying to figure out the nature of the seemingly random traffic spikes on my mrtg graph. I put some snort rules in place but I was unable to filter to figure out more about these spikes. The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png You can see the spikes on the green (IN) and blue (OUT) values. The orange line is just (green / blue).
-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
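The thread's advice is to take the firewall's logs and work out which protocol, source, destination and ports account for a spike. As an added example that is not part of any message in this thread, the Python script below does exactly that over constructed iptables LOG lines: it totals bytes per 5-minute bucket, finds the peak bucket, compares it against the median of the other buckets, and lists the top (source, destination, protocol, destination port) contributors inside it. The sample lines, the year 2003 (syslog timestamps carry none), the 5-minute bucket width and the 3x spike threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of iptables "LOG" target lines (not taken from the thread).
# One ICMP line (no ports) and one non-firewall syslog line are included on purpose.
SAMPLE_LOG = """\
Jan 27 12:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 27 12:00:41 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=1002 DF PROTO=TCP SPT=52000 DPT=80 WINDOW=8760 RES=0x00 ACK URGP=0
Jan 27 12:05:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=110 ID=7 PROTO=UDP SPT=5000 DPT=5000 LEN=1480
Jan 27 12:05:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=110 ID=8 PROTO=UDP SPT=5000 DPT=5000 LEN=1480
Jan 27 12:05:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=110 ID=9 PROTO=UDP SPT=5000 DPT=5000 LEN=1480
Jan 27 12:06:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=600 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jan 27 12:07:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=110 ID=10 PROTO=UDP SPT=5000 DPT=5000 LEN=1480
Jan 27 12:11:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=1004 DF PROTO=TCP SPT=52000 DPT=80 WINDOW=8760 RES=0x00 ACK URGP=0
Jan 27 12:12:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Jan 27 12:12:30 fw sshd[4321]: Accepted publickey for admin from 192.0.2.50 port 51000 ssh2
"""

# Syslog timestamp, then the iptables fields we need. The first LEN= after DST=
# is the IP total length; SPT=/DPT= are optional because ICMP lines have none.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def bucket_label(ts, bucket_seconds):
    """Floor a timestamp to the start of its bucket and return it as a label."""
    secs = ts.hour * 3600 + ts.minute * 60 + ts.second
    start = secs - secs % bucket_seconds
    floored = ts.replace(hour=start // 3600, minute=start % 3600 // 60, second=0)
    return floored.strftime("%Y-%m-%d %H:%M")


def parse_log(text, year=2003, bucket_seconds=300):
    """Turn firewall LOG lines into records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # sshd, cron, etc. are not firewall records
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({
            "bucket": bucket_label(ts, bucket_seconds),
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
            "bytes": int(m["len"]),
        })
    return records


def bytes_per_bucket(records):
    """Total IP bytes seen in each time bucket (what MRTG would graph)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["bucket"]] += r["bytes"]
    return dict(totals)


def top_talkers(records, bucket, n=3):
    """Largest (src, dst, proto, dport) byte contributors inside one bucket."""
    agg = defaultdict(int)
    for r in records:
        if r["bucket"] == bucket:
            agg[(r["src"], r["dst"], r["proto"], r["dpt"])] += r["bytes"]
    return sorted(agg.items(), key=lambda kv: kv[1], reverse=True)[:n]


def spike_report(text, factor=3.0, n=3):
    """Find the busiest bucket, judge it against the median of the rest,
    and name who was talking to whom during it."""
    records = parse_log(text)
    totals = bytes_per_bucket(records)
    label, peak = max(totals.items(), key=lambda kv: kv[1])
    others = [v for k, v in totals.items() if k != label]
    baseline = median(others) if others else 0
    return {
        "bucket": label,
        "bytes": peak,
        "baseline": baseline,
        "is_spike": bool(others) and peak > factor * baseline,
        "top": top_talkers(records, label, n),
    }


if __name__ == "__main__":
    report = spike_report(SAMPLE_LOG)
    print(f"peak bucket {report['bucket']}: {report['bytes']} bytes "
          f"(baseline median {report['baseline']}, spike={report['is_spike']})")
    for (src, dst, proto, dpt), nbytes in report["top"]:
        print(f"  {nbytes:>6} bytes  {src} -> {dst} {proto} dport={dpt}")
```

On a real box the input would be `grep kernel: /var/log/messages` (or wherever the LOG target writes), and the bucket width should match the MRTG polling interval so the peak bucket lines up with the spike on the graph. The median-of-the-rest comparison is a deliberate choice over a fixed byte threshold: it keeps working when the normal baseline of the link changes.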
Current thread:
- catching traffic spikes Richard Chmura (Jan 25)
- Re: catching traffic spikes Kenneth G. Arnold (Jan 26)
- <Possible follow-ups>
- RE: catching traffic spikes Fraser Hugh (Jan 27)
- Re: catching traffic spikes W. Salet (Jan 27)
- Re: catching traffic spikes Kenneth G. Arnold (Jan 27)
- Re: catching traffic spikes twig les (Jan 27)
- Re: catching traffic spikes James-lists (Jan 27)
- Re: catching traffic spikes W. Salet (Jan 27)
- RE: catching traffic spikes O'Flynn, Derek (Jan 27)