Snort mailing list archives
Re: not detecting common intrusion
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 27 Jun 2002 00:46:17 -0700 (PDT)
On Wed, 26 Jun 2002, Cearns Angela wrote:
> Thank you Erek:
No problem. :)
> I'm indeed pouring thru the doc at the snort website.
Dandy! That'll really come in handy as you work with snort. I personally like to keep a printed PDF bound and ready for quick reference near the desk.
> Erek, I'm a student at the University of Colorado doing research on DDOS and various mitigation methods. I'm currently building a testbed to simulate DDoS attack and trying to find out a better way to respond to the attack. One area of my research focus is rate limiting. Can I ask you and the mailing list participants for some personal advice?
Uh, oh... We're in for it now! :)
> Would it be useful to add a X processor to snort to do a bandwidth consumption type of detection? Or is there a much easier way to detect "bandwidth usage beyond a certain threshold" that it's really not worth it to add it to snort?
Useful? Depends on how you view things and your environment. If all you want is bandwidth tracking MRTG would work fairly well. You could also use something like ntop.
> What about adding a rate limiting capability to snort thru X processor as an "action" to the detection of "bandwidth overuse"? Will this be a useful feature or is it just easier for people to configure rate limiting through iptables?
This kind of borders on the 'auto-blocking' discussion that pops up every so often. Rate shaping/limiting in this way falls into the 'automated response' category. I won't bore you with my thoughts on that, but hit the archives if you're bored enough to read it.[0] Anyway... I think that if you can you should limit your traffic at the router or switch that is directly upstream from you. If that isn't possible, limiting on the firewall would be the next 'good' choice. But as always, YMMV. Things will always be different in different setups.
> Erek, I don't mean to bombard you with questions but I've been pounding my head for weeks. Thank you so much for your help.
heh... We've all been there. It'll get better... And if it doesn't, we'll start handing out lashes. :) Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

[0] http://marc.theaimsgroup.com/
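The "bandwidth usage beyond a certain threshold" detection discussed in the thread, written here as an added example that is not code from this list or from Snort: a per-source sliding-window byte counter over constructed packet records, raising an alert the first time a source's rate crosses the threshold. The host addresses, window size and threshold are assumed sample values; in Snort this logic would live in a preprocessor in C, on live packets rather than a fixed list.

```python
from collections import defaultdict, deque

# Constructed sample packet records: (timestamp_ms, src_ip, bytes).
# 10.0.0.5 sends 1500-byte packets every 10 ms (150 KB/s, a flood);
# 10.0.0.9 sends 1500-byte packets every 100 ms (15 KB/s, normal traffic).
SAMPLE_PACKETS = sorted(
    [(i * 10, "10.0.0.5", 1500) for i in range(100)]
    + [(i * 100, "10.0.0.9", 1500) for i in range(10)]
)


class BandwidthMonitor:
    """Per-source sliding-window byte counter with a bytes/second threshold."""

    def __init__(self, window_ms, threshold_bps):
        self.window_ms = window_ms
        self.threshold_bps = threshold_bps
        self.history = defaultdict(deque)  # src -> deque of (ts_ms, nbytes)
        self.totals = defaultdict(int)     # src -> bytes currently inside the window

    def observe(self, ts_ms, src, nbytes):
        """Record one packet; return the current rate if it exceeds the threshold."""
        q = self.history[src]
        q.append((ts_ms, nbytes))
        self.totals[src] += nbytes
        # Evict records that have aged out of the window so totals stay exact.
        while q and q[0][0] <= ts_ms - self.window_ms:
            _, old_bytes = q.popleft()
            self.totals[src] -= old_bytes
        rate_bps = self.totals[src] * 1000 / self.window_ms
        return rate_bps if rate_bps > self.threshold_bps else None


def detect_bandwidth_abuse(packets, window_ms=1000, threshold_bps=100_000):
    """Return {src: first timestamp_ms at which src exceeded threshold_bps}."""
    monitor = BandwidthMonitor(window_ms, threshold_bps)
    first_alert = {}
    for ts_ms, src, nbytes in packets:
        if monitor.observe(ts_ms, src, nbytes) is not None:
            first_alert.setdefault(src, ts_ms)  # report each source once
    return first_alert


if __name__ == "__main__":
    for src, ts in detect_bandwidth_abuse(SAMPLE_PACKETS).items():
        print(f"ALERT {src} exceeded 100 KB/s at t={ts} ms")
```

Only the first crossing per source is reported, which is the kind of hold-down a Snort-style alert would need to avoid firing on every packet of a flood.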