Snort mailing list archives

Re: catching traffic spikes


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Sun, 26 Jan 2003 08:49:47 -0600 (CST)

Does this graph represent traffic entering and leaving your network from
the internet?  Does it pass through a firewall?  Are you using
Packetshaper?  A firewall can keep very good logs of all activity that
passes through it.  Analysis of those logs would probably tell you what
protocol, what source, what destination and what ports are being used. If
you are using Packetshaper, the job is much easier since it will tell you
the protocol and the application within that protocol that is being used
very easily.  My guess is that you could probably find the information
faster using one of those two means rather than trying to use snort to
find it.
Ken

On Sun, 26 Jan 2003, Richard Chmura wrote:

This is totally unrelated to the recent MS-SQL worm :-)

I've been trying to figure out the nature of the seemingly random traffic
spikes on my mrtg graph.  I put some snort rules in place but I was unable
to filter to figure out more about these spikes.
The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png
You can see the spikes on the green (IN) and blue (OUT) values.  The orange line
is just (green / blue).
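
Added example, not part of the original thread: one way to do the firewall-log analysis suggested in the reply, finding the minutes where logged traffic spikes and the protocol, source, destination and port responsible. It assumes the Linux netfilter LOG line format (the thread does not name a firewall); the sample lines, addresses and the `spikes`/`parse` helpers are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample in netfilter LOG format (assumed); documentation addresses.
def _line(ts, src, dst, length, proto, spt, dpt):
    tail = f" LEN={length - 20}" if proto == "UDP" else ""  # UDP logs a 2nd LEN
    return (f"Jan 26 {ts} gw kernel: IN=eth0 OUT=eth1 SRC={src} DST={dst} "
            f"LEN={length} TOS=0x00 TTL=60 PROTO={proto} SPT={spt} DPT={dpt}{tail}")

SAMPLE = (
    [_line(f"08:{m:02d}:10", "198.51.100.7", "192.0.2.10", 600, "TCP", 40000 + m, 80)
     for m in range(40, 46)]
    + [_line(f"08:43:{s:02d}", "203.0.113.5", "192.0.2.20", 1400, "UDP", 5000, 6000)
       for s in range(50)]
)

FIELD = re.compile(r"(\w+)=(\S+)")
STAMP = re.compile(r"^\w{3}\s+\d+\s+(\d\d:\d\d):\d\d")  # capture HH:MM bucket

def parse(line):
    """Return (minute, flow, ip_length) or None for lines that are not LOG output."""
    m = STAMP.match(line)
    kv = {}
    for key, value in FIELD.findall(line):
        kv.setdefault(key, value)  # keep the first LEN: the IP total length
    if not m or not {"SRC", "DST", "LEN"} <= kv.keys():
        return None
    flow = (kv.get("PROTO", "?"), kv["SRC"], kv["DST"], kv.get("DPT", "-"))
    return m.group(1), flow, int(kv["LEN"])

def spikes(lines, factor=3):
    """Map each minute whose bytes exceed factor x the median minute to its top flows."""
    per_min = defaultdict(Counter)
    for minute, flow, length in filter(None, map(parse, lines)):
        per_min[minute][flow] += length
    totals = {minute: sum(c.values()) for minute, c in per_min.items()}
    base = median(totals.values())
    return {minute: per_min[minute].most_common(3)
            for minute, total in sorted(totals.items()) if total > factor * base}

if __name__ == "__main__":
    for minute, flows in spikes(SAMPLE).items():
        for (proto, src, dst, dport), nbytes in flows:
            print(f"{minute} {proto} {src} -> {dst}:{dport} {nbytes} bytes")
```

The byte counts cover only packets that hit a LOG rule, so the totals match the interface graph only when the logging rule sees all forwarded traffic.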



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


