[Snort-users] catching traffic spikes

Kenneth G. Arnold bkarnold at ...8060...
Sun Jan 26 06:50:06 EST 2003

Does this graph represent traffic entering and leaving your network from
the internet?  Does it pass through a firewall?  Are you using
PacketShaper?  A firewall can keep very good logs of all activity that
passes through it.  Analysis of those logs would probably tell you what
protocol, what source, what destination and what ports are being used. If
you are using PacketShaper, the job is much easier since it will tell you
the protocol and the application within that protocol that is being used
very easily.  My guess is that you could probably find the information
faster using one of those two means rather than trying to use snort to
find it.

On Sun, 26 Jan 2003, Richard Chmura wrote:

> This is totally unrelated to the recent MS-SQL worm :-)
> I've been trying to figure out the nature of the seemingly random traffic
> spikes on my MRTG graph.  I put some snort rules in place but I was unable
> to filter to figure out more about these spikes.
> The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png  You
> can see the spikes on the green (IN) and blue (OUT) values.  The orange line
> is just (green / blue)
