[Snort-users] Help with monitoring sending packet rate

Tu Nguyen nguyen at ...5886...
Wed May 15 13:24:03 EDT 2002


On Wed, 15 May 2002, Spitzer, Nathan wrote:

> 
> Monitoring throughput to certain devices is probably better handled through
> SNMP if that's possible. If you have manageable switches, you could use MRTG or
> similar to alert you to high-traffic situations on individual
> ports.

 MRTG might or might not do in this case. This kind of event
might not cause a noticeable spike on our Internet link.
Also, I just want to monitor the packet rate as seen from the
Internet link, not every switch (we have quite a large number of
them). The fact that this kind of event
can come from any port on campus makes it more challenging
to monitor.
  As spp_portscan is already doing something similar, I figure
I could muck about to get it to count the "number of any packets
generated by a station or a subnet in a number of seconds".

# This is a small sample from my argus.log
...
...
15 May 02 00:31:17    tcp  136.159.xx.xxx.3569   -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  136.159.xx.xxx.62916  -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp   136.159.xx.xxx43700  -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  136.159.xx.xxx.6455   -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp   136.159.xx.xxx8693   -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  136.159.xx.xxx.51318  -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp   136.159.xx.xxx27017  -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  136.159.xx.xxx.25442  -> xx.xx.69.126.21    1        0         74          0 TIM
...
...

Any advice is greatly appreciated.

Tu Nguyen
nguyen at ...5886...
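A sliding-window version of the count Tu describes, as an added example that is not from this thread or from Snort's spp_portscan: it parses lines in the argus.log layout quoted above (the sample below is constructed, with documentation-range addresses standing in for the redacted ones), sums the source-packet column per host or per subnet, and reports a source whose packet count within the window exceeds a threshold.

```python
"""Sliding-window packet-rate detector over argus.log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample in the argus.log layout quoted in the thread (addresses
# from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges).
SAMPLE_LOG = """\
15 May 02 00:31:17    tcp  192.0.2.10.3569   -> 198.51.100.21.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  192.0.2.10.62916  -> 198.51.100.21.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  192.0.2.10.43700  -> 198.51.100.21.21    1        0         74          0 TIM
15 May 02 00:31:18    tcp  192.0.2.10.6455   -> 198.51.100.21.21    1        0         74          0 TIM
15 May 02 00:31:18    tcp  192.0.2.11.8693   -> 198.51.100.21.21    1        0         74          0 TIM
15 May 02 00:31:40    tcp  192.0.2.10.51318  -> 198.51.100.21.21    1        0         74          0 TIM
15 May 02 00:31:41    tcp  192.0.2.12.27017  -> 198.51.100.21.21    1        0         74          0 TIM
"""

def parse_record(line):
    """Return (timestamp, src_host, src_pkts) for one argus line, or None if malformed."""
    f = line.split()
    if len(f) < 13 or f[6] != "->":
        return None
    ts = datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S")
    host, _port = f[5].rsplit(".", 1)  # argus writes addr.port; assumes a well-formed field
    return ts, host, int(f[8])          # f[8] = packets sent by the source in this flow

def rate_alerts(lines, window_s=10, threshold=3, prefix=32):
    """Alert when a /prefix source sends more than threshold packets within window_s seconds."""
    window = timedelta(seconds=window_s)
    seen = defaultdict(deque)   # key -> deque of (timestamp, pkts) still inside the window
    counts = defaultdict(int)   # key -> running packet total for the deque contents
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, host, pkts = rec
        key = str(ip_network(f"{host}/{prefix}", strict=False))  # /32 = station, /24 = subnet
        q = seen[key]
        q.append((ts, pkts))
        counts[key] += pkts
        while q and ts - q[0][0] > window:   # expire records that fell out of the window
            counts[key] -= q.popleft()[1]
        if counts[key] > threshold:
            alerts.append((key, ts, counts[key]))
    return alerts
```

Every record that keeps a key over the threshold produces another alert, so suppress repeats per key before paging anyone; pass prefix=24 to aggregate by subnet instead of by station.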



> Otherwise, you REALLY need to sniff some of that traffic so you could
> develop a rule to monitor it. Good as Snort is, it's not really set up to do
> throughput analysis. Just out of curiosity, what port and protocol are the
> packets using and what kind of machines are they attempting to DOS?
> 
> -----Original Message-----
> From: Tu Nguyen [mailto:nguyen at ...5886...]
> Sent: Wednesday, May 15, 2002 1:46 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Help with monitoring sending packet rate
> 
> 
> 
> Hi All:
>  I am having a problem with some rogue machines that
> spew out packets at a very fast rate. I haven't been able
> to capture any of these packets but I believe they are identical,
> some sort of DoS. The Src IPs are spoofed and they vary but
> their destinations are the same.
>  I would like to have snort alert me when this happens and
> the only signature I can find to identify the incident is by
> the sending packet rate. I have been planning to modify
> spp_portscan to alert me when the packet rate from a certain station
> or subnet exceeds a certain threshold, but the code looks daunting.
>  Does anyone know how to monitor such an event? Or do I need
> to reinvent the wheel here?
> Thank you all.
> 
> Tu Nguyen
> nguyen at ...5886...
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users