[Snort-users] Bandwidth Information

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Wed May 29 12:09:02 EDT 2002

Actually, along those lines, there is a very easy way to it... (Erek not
crack head).

If you have more patience... Set up RRDTool to monitor the front and back
sides... And use RRDs math to calculate the difference.  I think it's
possible to do this with MRTG, but have never tried.  I KNOW it's possible
with RRD, because we currently create those types of graphs.   Of course, it
doesn't actually tell us how much traffic were actual attacks that snort
alerted... But just knowing how much data our firewalls block is a better
indicator of what you call 'wasted' bandwidth.

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...] 
Sent: Wednesday, May 29, 2002 1:22 PM
To: Cooper Arthur B Contr WCOM
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Bandwidth Information

On Wed, 29 May 2002, Cooper Arthur B Contr WCOM wrote:

> 	Does anyone know of an "add-on" or PERL script that can do some 
> "ciphering" for me and tell me what percentage of my bandwidth is 
> generating alerts with SNORT?  I have a snort server set-up on a 
> SPANNED 100 MBS/Full-Duplex port that feeds the internal LAN of a 
> large US Military installation.  I absolutely LOVE SNORT, but now that 
> I see all of the crazy stuff being thrown at us via the Net, I was 
> wondering if there was a way to show what percentage of our bandwidth 
> is literally being wasted by the amount of cmd.exe, code red, SQL Worm 
> 1433 stuff etc. etc. that is coming in here and "banging" my 
> firewalls.  THANKS!!

Well, the first thing that comes to mind is to use MRTG on your router and
firewall.  Using that, measure the amount of incoming traffic from the
router. Then measure the amount of traffic that "leaves" your firewall--If
it goes thru your firewall, it should be legitimate traffic, right?
Subtract number one from number two, and you should have a rough idea of how
much 'wasted' bandwith you have.

But of course, I haven't had my coffee yet--So I could be entirely
crackheaded.  :)


Erek Adams


Don't miss the 2002 Sprint PCS Application Developer's Conference August
25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list