Snort mailing list archives

Re: catching traffic spikes


From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Mon, 27 Jan 2003 14:29:46 -0600

If you cause all the traffic to flow through a unix/linux machine, the machine will keep track of the number of tcp, udp and icmp packets passing through it, but it wouldn't tell you where they are coming from. The netstat -s command would show the counters. This might help figure out the protocol of the spikes.
Ken

At 08:17 PM 1/27/03 +0100, W. Salet wrote:
I have the same problem!

MRTG (Multi Router Traffic Grapher) shows extreme incoming traffic spikes.
Sometimes for two hours! The server slows down and is almost unreachable. I
searched all the /var/log/logfiles & /var/log/apache/logfiles but could not
find anything. So I installed SNORT hoping it could trace the source of this
extreme incoming traffic. I could not find anything in the SNORT-logfiles
which pointed to the extreme traffic spikes. (I am using no firewall or
packetshaper.)

Any ideas how to trace these traffic spikes?


----- Original Message -----
From: "Fraser Hugh" <hugh_fraser () dofasco ca>
To: <snort-users () lists sourceforge net>; "'Richard Chmura'"
<rchmura () rogers com>
Sent: Monday, January 27, 2003 6:24 PM
Subject: RE: [Snort-users] catching traffic spikes


> You can also use tools like ntop to generate protocol and host related
> statistics in a graphical format, which might in turn help trim down the
> amount of logfile analysis you need to do.
>
> > -----Original Message-----
> > From: Kenneth G. Arnold [mailto:bkarnold () cbu edu]
> > Sent: Sunday, January 26, 2003 9:50 AM
> > To: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] catching traffic spikes
> >
> >
> > Does this graph represent traffic entering and leaving your network from
> > the internet?  Does it pass through a firewall?  Are you using
> > Packetshaper?  A firewall can keep very good logs of all activity that
> > passes through it.  Analysis of those logs would probably tell you what
> > protocol, what source, what destination and what ports are being used. If
> > you are using packetshaper, the job is much easier since it will tell you
> > the protocol and the application within that protocol that is being used
> > very easily.  My guess is that you could probably find the information
> > faster using one of those two means rather than trying to use snort to
> > find it.
> > Ken
> >
> > On Sun, 26 Jan 2003, Richard Chmura wrote:
> >
> > > This is totally unrelated to the recent MS-SQL worm :-)
> > >
> > > I've been trying to figure out the nature of the seemingly random traffic
> > > spikes on my mrtg graph.  I put some snort rules in place but I was unable
> > > to filter to figure out more about these spikes.
> > > The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png  You
> > > can see the spikes on the green (IN) and blue(OUT) values. The orange line
> > > is just (green / blue)
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.NET email is sponsored by:
> > > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> > > http://www.vasoftware.com
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
>
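Ken's suggestion above (watch the per-protocol counters that netstat -s exposes on a Linux box the traffic passes through) is easy to turn into a small monitor. The following is an added example, not code from anyone in this thread: it parses two snapshots of netstat -s output taken some seconds apart, computes the packets-per-second delta for IP, ICMP, TCP and UDP, and reports which transport protocol is responsible when the total rate jumps. The counter descriptions it keys on are those of the Linux netstat -s format (an assumption; other systems word them differently), and the two snapshots embedded below are constructed sample output, with a UDP spike written into the second one. As Ken notes, this tells you the protocol of a spike but not its source; that still needs a packet capture or firewall log.

```python
import re

# Counter line, per netstat -s section, that we treat as "packets received"
# for that protocol. Wording assumed to match Linux netstat -s output.
RECEIVED_COUNTERS = {
    "Ip": "total packets received",
    "Icmp": "ICMP messages received",
    "Tcp": "segments received",
    "Udp": "packets received",
}

SECTION_RE = re.compile(r"^(\w+):\s*$")          # e.g. "Tcp:"
COUNTER_RE = re.compile(r"^\s+(\d+)\s+(.+?)\s*$")  # e.g. "    80000 segments received"


def parse_netstat_s(text):
    """Return {section: {description: value}} from netstat -s style text."""
    counters = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            counters.setdefault(section, {})
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            counters[section][m.group(2)] = int(m.group(1))
    return counters


def received_counts(counters):
    """Pick the one 'received' counter we care about from each section."""
    return {proto: counters.get(proto, {}).get(desc, 0)
            for proto, desc in RECEIVED_COUNTERS.items()}


def packet_rates(before_text, after_text, interval_s):
    """Packets/second per protocol between two snapshots taken interval_s apart.
    A negative delta means the counter wrapped or was reset; report None for it."""
    before = received_counts(parse_netstat_s(before_text))
    after = received_counts(parse_netstat_s(after_text))
    rates = {}
    for proto in RECEIVED_COUNTERS:
        delta = after[proto] - before[proto]
        rates[proto] = None if delta < 0 else delta / interval_s
    return rates


def spike_protocols(rates, threshold_pps):
    """Transport-level protocols (Ip total excluded) above threshold, highest first."""
    hits = [(p, r) for p, r in rates.items()
            if p != "Ip" and r is not None and r > threshold_pps]
    return sorted(hits, key=lambda x: x[1], reverse=True)


# Constructed sample snapshots, 60 seconds apart. The second one carries a
# UDP flood: roughly 299,000 extra UDP datagrams against 1,000 extra TCP segments.
SAMPLE_BEFORE = """\
Ip:
    Forwarding: 1
    100000 total packets received
    0 forwarded
    99000 incoming packets delivered
Icmp:
    50 ICMP messages received
    0 input ICMP message failed
Tcp:
    1200 active connection openings
    80000 segments received
    75000 segments sent out
Udp:
    18000 packets received
    10 packets to unknown port received
"""

SAMPLE_AFTER = """\
Ip:
    Forwarding: 1
    400000 total packets received
    0 forwarded
    398900 incoming packets delivered
Icmp:
    60 ICMP messages received
    0 input ICMP message failed
Tcp:
    1210 active connection openings
    81000 segments received
    75800 segments sent out
Udp:
    317000 packets received
    298000 packets to unknown port received
"""

SAMPLE_INTERVAL_S = 60


def demo():
    """Run the analysis on the constructed snapshots; returns the spike list."""
    rates = packet_rates(SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_INTERVAL_S)
    for proto, rate in rates.items():
        print(f"{proto:5s} {'n/a' if rate is None else f'{rate:10.1f} pkt/s'}")
    return spike_protocols(rates, threshold_pps=1000)


if __name__ == "__main__":
    print("spike candidates:", demo())
```

In practice you would feed real snapshots in (for example the output of `netstat -s` captured every minute from cron, or a loop with `sleep 60`) and alert when `spike_protocols` returns anything; the threshold should be set from the host's normal baseline rather than the value used here. Protocol counters are cumulative since boot and may wrap on older 32-bit kernels, which is why a negative delta is reported as unknown rather than as a huge negative rate.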
