Snort mailing list archives
RE: catching traffic spikes
From: "O'Flynn, Derek" <DOFlyn () lsuhsc edu>
Date: Mon, 27 Jan 2003 13:46:45 -0600
You could install NTOP as previously suggested. We run NTOP, but also run IPFM. IPFM will show inbound/outbound traffic for predetermined timeframes. You can then check the files to see during that 30 minutes of spikes, who the culprit is.

Derek

-----Original Message-----
From: W. Salet [mailto:salet () wanadoo nl]
Sent: Monday, January 27, 2003 1:17 PM
To: Fraser Hugh; snort-users () lists sourceforge net; 'Richard Chmura'
Subject: Re: [Snort-users] catching traffic spikes

I have the same problem! MRTG (Multi Router Traffic Grapher) shows extreme incoming traffic spikes. Sometimes for two hours! The server slows down and is almost unreachable. I searched all the /var/log/logfiles & /var/log/apache/logfiles but could not find anything. So I installed SNORT hoping it could trace the source of this extreme incoming traffic. I could not find anything in the SNORT-logfiles which pointed to the extreme traffic spikes. (I am using no firewall or packetshaper.)

Any ideas how to trace these traffic spikes?

----- Original Message -----
From: "Fraser Hugh" <hugh_fraser () dofasco ca>
To: <snort-users () lists sourceforge net>; "'Richard Chmura'" <rchmura () rogers com>
Sent: Monday, January 27, 2003 6:24 PM
Subject: RE: [Snort-users] catching traffic spikes

You can also use tools like ntop to generate protocol and host related statistics in a graphical format, which might in turn help trim down the amount of logfile analysis you need to do.

-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold () cbu edu]
Sent: Sunday, January 26, 2003 9:50 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] catching traffic spikes

Does this graph represent traffic entering and leaving your network from the internet? Does it pass through a firewall? Are you using Packetshaper? A firewall can keep very good logs of all activity that passes through it. Analysis of those logs would probably tell you what protocol, what source, what destination and what ports are being used. If you are using packetshaper, the job is much easier since it will tell you the protocol and the application within that protocol that is being used very easily. My guess is that you could probably find the information faster using one of those two means rather than trying to use snort to find it.

Ken

On Sun, 26 Jan 2003, Richard Chmura wrote:

This is totally unrelated to the recent MS-SQL worm :-)

I've been trying to figure out the nature of the seemingly random traffic spikes on my mrtg graph. I put some snort rules in place but I was unable to filter to figure out more about these spikes.

The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png

You can see the spikes on the green (IN) and blue (OUT) values. The orange line is just (green / blue).

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
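The replies above converge on the same procedure: take the inbound/outbound counts per fixed timeframe (as IPFM or MRTG record them), find the interval where the spike sits, then look only at that interval to see which host, protocol and port account for the bytes. The script below is an added example, not code from this thread or from the IPFM, ntop or MRTG projects. It assumes a constructed whitespace-separated flow log (epoch seconds, direction, source, destination, protocol, destination port, bytes); IPFM's real file layout is not reproduced, so the parser is the part you would adapt. The sample records are constructed for illustration.

```python
"""Find the peak traffic interval in a per-flow log and name its top talkers.

Added example (hypothetical flow-log format, constructed sample data). Record layout:
    <epoch seconds> <in|out> <src ip> <dst ip> <proto> <dst port> <bytes>
"""
from collections import defaultdict

# Constructed sample: a quiet interval, a burst of inbound bytes, then quiet again.
SAMPLE_LOG = """\
1043690400 in  203.0.113.10 192.0.2.5     tcp 80  1200
1043690410 out 192.0.2.5    203.0.113.10  tcp 80  3400
1043690700 in  198.51.100.7 192.0.2.5     tcp 80  65000
1043690720 in  198.51.100.7 192.0.2.5     tcp 80  71000
1043690730 in  198.51.100.8 192.0.2.5     tcp 80  64000
1043690790 in  203.0.113.10 192.0.2.5     tcp 22  900
1043691100 out 192.0.2.5    203.0.113.22  tcp 443 5000
"""

BUCKET_SECONDS = 300  # five-minute buckets, a common MRTG polling interval


def parse_flow_log(text):
    """Parse flow records; malformed lines are reported and skipped, never fatal."""
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or line.lstrip().startswith("#"):
            continue
        if len(fields) != 7:
            print(f"skipping malformed line {lineno}: {line!r}")
            continue
        ts, direction, src, dst, proto, dport, nbytes = fields
        try:
            flows.append({"ts": int(ts), "direction": direction, "src": src,
                          "dst": dst, "proto": proto, "dport": int(dport),
                          "bytes": int(nbytes)})
        except ValueError:
            print(f"skipping non-numeric field on line {lineno}: {line!r}")
    return flows


def bytes_per_bucket(flows, bucket=BUCKET_SECONDS, direction=None):
    """Sum bytes per fixed-width time bucket, optionally for one direction only."""
    totals = defaultdict(int)
    for f in flows:
        if direction is not None and f["direction"] != direction:
            continue
        totals[f["ts"] // bucket * bucket] += f["bytes"]
    return dict(totals)


def find_spike(totals):
    """Return (bucket start, bytes) for the busiest bucket, or None if empty."""
    if not totals:
        return None
    start = max(totals, key=totals.get)
    return start, totals[start]


def top_talkers(flows, start, end, key="src", limit=5):
    """Rank flows inside [start, end) by total bytes, grouped on one field."""
    totals = defaultdict(int)
    for f in flows:
        if start <= f["ts"] < end:
            totals[f[key]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:limit]


def spike_report(text, direction="in", bucket=BUCKET_SECONDS):
    """Locate the peak bucket for one direction and attribute it to hosts and ports."""
    flows = parse_flow_log(text)
    spike = find_spike(bytes_per_bucket(flows, bucket, direction))
    if spike is None:
        return None
    start, nbytes = spike
    end = start + bucket
    directed = [f for f in flows if f["direction"] == direction]
    return {"window": (start, end), "bytes": nbytes,
            "top_sources": top_talkers(directed, start, end, "src"),
            "top_ports": top_talkers(directed, start, end, "dport")}


if __name__ == "__main__":
    report = spike_report(SAMPLE_LOG, direction="in")
    print("peak inbound window:", report["window"], "bytes:", report["bytes"])
    print("top sources:", report["top_sources"])
    print("top destination ports:", report["top_ports"])
```

Run it against the constructed data and the 1043690700 bucket stands out, with one source host accounting for most of the inbound bytes on a single port; with a real log you would first confirm the bucket width matches the graphing interval of the tool that showed the spike, otherwise the peak can land in a neighbouring bucket.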