Snort mailing list archives
Re: catching traffic spikes
From: "James-lists" <hackerwacker () cybermesa com>
Date: Mon, 27 Jan 2003 14:07:46 -0700
Try some down and dirty rules that just match tcp any, udp any, and icmp any. Once you have classified this as tcp, udp or icmp, work from there to spot what port(s) or type this traffic consists of. Use a real-time SNMP grapher like stg (free) so you can spot when the spike starts, and then look at your snort logs to see what is happening. I do much the same with Cisco ACL rules, but if the traffic is big, logging this off the router can be detrimental.

james
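The classify-then-narrow approach in the post above, written out as an added example (not code from the post or from the Snort project): three catch-all rules in Snort 2.x syntax, and a small Python script that reads the alerts those rules produce in Snort's fast alert format, buckets them by minute, and reports which protocol and destination port dominate the busiest minute. The sid values are hypothetical local-range numbers, and the alert lines fed in are constructed for the example rather than captured from a real sensor.

```python
import re
from collections import Counter, defaultdict

# Catch-all rules of the kind described in the post (Snort 2.x syntax).
# The sids are hypothetical values from the local 1000000+ range.
CATCHALL_RULES = """\
alert tcp any any -> any any (msg:"CATCHALL TCP"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"CATCHALL UDP"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"CATCHALL ICMP"; sid:1000003; rev:1;)
"""

# One line of Snort's fast alert output ("snort -A fast" / output alert_fast).
# Classification and Priority fields are optional; ICMP lines carry no ports.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one fast-alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "minute": f"{m['mon']}/{m['day']}-{m['hh']}:{m['mm']}",
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def per_bucket_counts(lines):
    """Map each minute to a Counter of (proto, dport) pairs seen in it."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        buckets[rec["minute"]][(rec["proto"], rec["dport"])] += 1
    return buckets


def find_spike(buckets):
    """Return (minute, total alerts, proto, dport, count) for the busiest minute."""
    if not buckets:
        return None
    key = max(buckets, key=lambda k: sum(buckets[k].values()))
    counter = buckets[key]
    (proto, dport), n = counter.most_common(1)[0]
    return key, sum(counter.values()), proto, dport, n


def sample_log():
    """Constructed alert lines: a quiet minute, then a minute with a burst."""
    lines = []
    for i in range(3):  # a little web traffic
        lines.append(
            f"01/27-14:05:{10 + i:02d}.000001  [**] [1:1000001:1] CATCHALL TCP [**] "
            f"[Priority: 0] {{TCP}} 10.0.0.{i + 2}:3456{i} -> 192.168.1.10:80"
        )
    lines.append(  # one DNS lookup
        "01/27-14:05:20.000001  [**] [1:1000002:1] CATCHALL UDP [**] "
        "[Priority: 0] {UDP} 10.0.0.9:1025 -> 192.168.1.1:53"
    )
    for i in range(25):  # burst of ICMP from many sources (no ports on these lines)
        lines.append(
            f"01/27-14:07:{i:02d}.000001  [**] [1:1000003:1] CATCHALL ICMP [**] "
            f"[Priority: 0] {{ICMP}} 172.16.0.{i + 1} -> 192.168.1.10"
        )
    for i in range(8):  # some UDP to a single port in the same minute
        lines.append(
            f"01/27-14:07:{30 + i:02d}.000001  [**] [1:1000002:1] CATCHALL UDP [**] "
            f"[Priority: 0] {{UDP}} 172.16.0.{i + 1}:4000 -> 192.168.1.10:1900"
        )
    lines.append("not an alert line; the parser must skip it")
    return lines


if __name__ == "__main__":
    buckets = per_bucket_counts(sample_log())
    for minute in sorted(buckets):
        print(minute, sum(buckets[minute].values()), buckets[minute].most_common(3))
    print("busiest:", find_spike(buckets))
```

Once the busiest minute and its dominant (protocol, port) pair are known, replace the catch-all rule with one that names that port, so the sensor is not logging every packet during a large flood; the same "log only what you have already narrowed down" caution applies to the router ACL logging mentioned in the post.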
Current thread:
- catching traffic spikes Richard Chmura (Jan 25)
- Re: catching traffic spikes Kenneth G. Arnold (Jan 26)
- <Possible follow-ups>
- RE: catching traffic spikes Fraser Hugh (Jan 27)
- Re: catching traffic spikes W. Salet (Jan 27)
- Re: catching traffic spikes Kenneth G. Arnold (Jan 27)
- Re: catching traffic spikes twig les (Jan 27)
- Re: catching traffic spikes James-lists (Jan 27)
- Re: catching traffic spikes W. Salet (Jan 27)
- RE: catching traffic spikes O'Flynn, Derek (Jan 27)