Snort mailing list archives

Session statistics


From: "John Creegan" <jcreegan () questarweb com>
Date: Thu, 21 Aug 2003 08:57:59 -0500

After staying late last night to find out who on my network had been hit
with SoBig, I decided I needed a little bit of network analysis
capability.

I found the offending PC rapidly once I started snort with session
statistics in machine format.  A few greps, slices and sorts later I had
the beginnings of a network usage tool.

I've searched the mail list archives and the snort website looking for
the tool I need, and have not yet found it.  Before I go off and create
this tool, I'd like to know if there already is a tool which can take
advantage of the session.log data to tell me:
     1. Who the top talkers are
     2. Where the hotspots on the network are.

If not, I'm thinking about creating a table in the snort database and
then writing a bit of Perl to populate the table with the session stats.
I might then either write some PHP pages to add into ACID or write
stored procedures or even more Perl to do a bit of analysis.
Ultimately, I'd rather add the capability to ACID.

Anyone know of a way I can do this with existing tools?




