[Snort-users] catching traffic spikes

Fraser Hugh hugh_fraser at ...2804...
Mon Jan 27 09:26:03 EST 2003


You can also use tools like ntop to generate protocol and host related
statistics in a graphical format, which might in turn help trim down the
amount of logfile analysis you need to do.

> -----Original Message-----
> From: Kenneth G. Arnold [mailto:bkarnold at ...8060...]
> Sent: Sunday, January 26, 2003 9:50 AM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] catching traffic spikes
> 
> 
> Does this graph represent traffic entering and leaving your network from
> the internet?  Does it pass through a firewall?  Are you using
> Packetshaper?  A firewall can keep very good logs of all activity that
> passes through it.  Analysis of those logs would probably tell you what
> protocol, what source, what destination and what ports are being used. If
> you are using packetshaper, the job is much easier since it will tell you
> the protocol and the application within that protocol that is being used
> very easily.  My guess is that you could probably find the information
> faster using one of those two means rather than trying to use snort to
> find it.
> Ken
> 
> On Sun, 26 Jan 2003, Richard Chmura wrote:
> 
> > This is totally unrelated to the recent MS-SQL worm :-)
> >
> > I've been trying to figure out the nature of the seemingly random traffic
> > spikes on my mrtg graph.  I put some snort rules in place but I was unable
> > to filter to figure out more about these spikes.
> > The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png  You
> > can see the spikes on the green (IN) and blue (OUT) values.  The orange line
> > is just (green / blue)
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
> 



