nanog mailing list archives

Re: Using snort to detect if your users are doing interesting things?


From: Thor Lancelot Simon <tls () NetBSD ORG>
Date: Thu, 9 Jun 2005 11:33:57 -0400


On Thu, Jun 09, 2005 at 11:45:54AM -0400, Drew Weaver wrote:
> I'm wondering what is the best way to detect people doing these things
> on my end. I realize there are methods to protect myself from people
> attacking from the outside but I'm not real sure how to pinpoint who is
> really being loud on the inside.

Any IDS ought to be able to do this.  The problem will be figuring out
where to connect its taps, and how to provide enough capacity at those
points to do so without negatively impacting your overall network
performance.

You should be lauded for doing this.  If all providers did it the
Internet would be a much, much safer place.

> I did have one somewhat silly question.. if you look at the statistics
> of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps
> in (pretty much equal in/out) but hardly any bandwidth at all can anyone
> think of a single application that would mimic that behavior?

VoIP with a low-rate codec, or some quantitatively similar multimedia
or gaming application?

-- 
 Thor Lancelot Simon                                          tls () rek tjls com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."                - Noam Chomsky
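
Added example, not part of the original message: one way to find ports with the traffic shape asked about above (roughly equal packet rates in and out, very little bandwidth) from two polls of per-port counters. The field names, the thresholds and the sample polls are assumptions made for illustration; the counters are assumed to be 32-bit SNMP-style values that wrap. A match only describes the traffic shape, which, as the reply notes, also fits VoIP with a low-rate codec, so it is a starting point for triage.

```python
COUNTER32_MOD = 2 ** 32  # IF-MIB Counter32 readings wrap at 2^32

def delta(old, new):
    """Difference between two Counter32 readings, tolerating one wrap."""
    return (new - old) % COUNTER32_MOD

def port_profile(prev, curr, interval_s):
    """Per-direction packets/s, bits/s and mean packet size between two polls."""
    prof = {}
    for d in ("in", "out"):
        pkts = delta(prev[d + "_pkts"], curr[d + "_pkts"])
        octets = delta(prev[d + "_octets"], curr[d + "_octets"])
        prof[d] = {"pps": pkts / interval_s,
                   "bps": octets * 8 / interval_s,
                   "avg_size": octets / pkts if pkts else 0.0}
    return prof

def is_small_packet_symmetric(prof, min_pps=1000, max_avg_size=128, max_skew=0.2):
    """Busy in both directions, similar rates, tiny packets.
    The three thresholds are assumptions to tune per network."""
    pin, pout = prof["in"]["pps"], prof["out"]["pps"]
    if min(pin, pout) < min_pps:
        return False
    skew = abs(pin - pout) / max(pin, pout)
    largest = max(prof["in"]["avg_size"], prof["out"]["avg_size"])
    return skew <= max_skew and largest <= max_avg_size

def flagged_ports(polls, interval_s):
    """Names of ports matching the pattern, for a human to triage."""
    return sorted(name for name, (prev, curr) in polls.items()
                  if is_small_packet_symmetric(port_profile(prev, curr, interval_s)))

# Constructed polls taken 60 s apart (not real measurements).
# fa0/1: 2000 pps each way at 60-byte packets; its inbound packet counter wraps.
# fa0/2: bulk download, 8000 pps of 1500-byte packets in, 4000 pps of ACK-sized out.
POLLS = {
    "fa0/1": ({"in_pkts": 4294900000, "in_octets": 1000, "out_pkts": 500, "out_octets": 2000},
              {"in_pkts": 52704, "in_octets": 7201000, "out_pkts": 120500, "out_octets": 7202000}),
    "fa0/2": ({"in_pkts": 0, "in_octets": 0, "out_pkts": 0, "out_octets": 0},
              {"in_pkts": 480000, "in_octets": 720000000, "out_pkts": 240000, "out_octets": 15360000}),
}

if __name__ == "__main__":
    for port in flagged_ports(POLLS, 60):
        p = port_profile(*POLLS[port], 60)
        print(port, p["in"]["pps"], "pps in,", p["in"]["bps"], "bit/s in")
```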

