[Snort-users] catching traffic spikes

Kenneth G. Arnold bkarnold at ...8060...
Mon Jan 27 12:30:10 EST 2003


If you cause all the traffic to flow through a unix/linux machine, the 
machine will keep track of the number of tcp, udp and icmp packets passing 
through it but it wouldn't tell you where they are coming from.  The 
netstat -s command would show the counters.  This might help figure out the 
protocol of the spikes.
Ken

At 08:17 PM 1/27/03 +0100, W. Salet wrote:
>I have the same problem!
>
>MRTG (Multi Router Traffic Grapher) shows extreme incoming traffic spikes.
>Sometimes for two hours! The server slows down and is almost unreachable. I
>searched all the /var/log/logfiles & /var/log/apache/logfiles but could not
>find anything. So I installed SNORT hoping it could trace the source of this
>extreme incoming traffic. I could not find anything in the SNORT-logfiles
>which pointed to the extreme traffic spikes. (I am using no firewall or
>packetshaper.)
>
>Any ideas how to trace these traffic spikes?
>
>
>----- Original Message -----
>From: "Fraser Hugh" <hugh_fraser at ...2804...>
>To: <snort-users at lists.sourceforge.net>; "'Richard Chmura'"
><rchmura at ...5839...>
>Sent: Monday, January 27, 2003 6:24 PM
>Subject: RE: [Snort-users] catching traffic spikes
>
>
> > You can also use tools like ntop to generate protocol and host related
> > statistics in a graphical format, which might in turn help trim down the
> > amount of logfile analysis you need to do.
> >
> > > -----Original Message-----
> > > From: Kenneth G. Arnold [mailto:bkarnold at ...8060...]
> > > Sent: Sunday, January 26, 2003 9:50 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] catching traffic spikes
> > >
> > >
> > > Does this graph represent traffic entering and leaving your network from
> > > the internet?  Does it pass through a firewall?  Are you using
> > > Packetshaper?  A firewall can keep very good logs of all activity that
> > > passes through it.  Analysis of those logs would probably tell you what
> > > protocol, what source, what destination and what ports are being used. If
> > > you are using packetshaper, the job is much easier since it will tell you
> > > the protocol and the application within that protocol that is being used
> > > very easily.  My guess is that you could probably find the information
> > > faster using one of those two means rather than trying to use snort to
> > > find it.
> > > Ken
> > >
> > > On Sun, 26 Jan 2003, Richard Chmura wrote:
> > >
> > > > This is totally unrelated to the recent MS-SQL worm :-)
> > > >
> > > > I've been trying to figure out the nature of the seemingly random traffic
> > > > spikes on my mrtg graph.  I put some snort rules in place but I was unable
> > > > to filter to figure out more about these spikes.
> > > > The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png  You
> > > > can see the spikes on the green (IN) and blue (OUT) values.  The orange line
> > > > is just (green / blue)
> > > >
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > This SF.NET email is sponsored by:
> > > > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> > > > http://www.vasoftware.com
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
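As an added example, not part of this thread or any poster's own tooling, here is a small Python script for the triage Ken describes: diff two `netstat -s` snapshots taken some seconds apart to see which protocol counter is jumping, then rank source addresses in a short `tcpdump -nn` sample to answer the part the counters cannot (where the traffic comes from). The `netstat -s` and `tcpdump` lines embedded in the script are constructed for the example; the regexes are tied to the Linux net-tools counter wording and the `tcpdump -nn` line shape shown, and the function names are the example's own.

```python
"""Triage a traffic spike from a Linux host sitting in the traffic path.

Step 1: diff two `netstat -s` snapshots to see which counters jumped.
Step 2: rank source addresses in a short `tcpdump -nn` sample, which is
the part the counters cannot tell you.  All sample input below is
constructed for the example; counter wording follows Linux net-tools.
"""
import re
from collections import Counter

# (name, regex) per `netstat -s` section.  The Udp pattern would also match
# UdpLite's "packets received", so matching is keyed on the section header.
_COUNTERS = {
    "ip":   [("ip", r"^\s*(\d+) total packets received"),
             ("forwarded", r"^\s*(\d+) forwarded")],
    "icmp": [("icmp", r"^\s*(\d+) ICMP messages received")],
    "tcp":  [("tcp", r"^\s*(\d+) segments received")],
    "udp":  [("udp", r"^\s*(\d+) packets received")],
}


def parse_netstat_s(text):
    """Return {counter_name: value} from the text of `netstat -s`."""
    counts, section = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.strip()[:-1].lower()   # "Tcp:" -> "tcp"
            continue
        for name, pattern in _COUNTERS.get(section, []):
            m = re.match(pattern, line)
            if m:
                counts[name] = int(m.group(1))
    return counts


def protocol_rates(before, after, seconds):
    """Packets per second for each counter present in both snapshots.
    A negative delta means a 32-bit counter wrapped between samples."""
    rates = {}
    for name in before.keys() & after.keys():
        delta = after[name] - before[name]
        if delta < 0:
            delta += 2 ** 32
        rates[name] = delta / seconds
    return rates


def spike_protocol(rates):
    """Name of the transport/ICMP counter growing fastest (ip totals excluded)."""
    candidates = {k: v for k, v in rates.items() if k in ("tcp", "udp", "icmp")}
    return max(candidates, key=candidates.get)


# `tcpdump -nn` line: "<ts> IP <src>[.<port>] > <dst>[.<port>]: ... length <n>"
_PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: .*?length (?P<len>\d+)"
)


def top_talkers(lines, n=3):
    """Source addresses ranked by payload bytes seen in the tcpdump sample."""
    by_src = Counter()
    for line in lines:
        m = _PKT_RE.match(line)
        if m:
            by_src[m.group("src")] += int(m.group("len"))
    return by_src.most_common(n)


# Constructed snapshots 60 s apart: UDP accounts for almost all new packets.
NETSTAT_BEFORE = """\
Ip:
    1000 total packets received
    0 forwarded
Icmp:
    10 ICMP messages received
Tcp:
    800 segments received
Udp:
    150 packets received
UdpLite:
    0 packets received
"""
NETSTAT_AFTER = """\
Ip:
    61000 total packets received
    0 forwarded
Icmp:
    10 ICMP messages received
Tcp:
    900 segments received
Udp:
    60050 packets received
UdpLite:
    0 packets received
"""
# Constructed `tcpdump -nn` sample (RFC 5737 documentation addresses).
TCPDUMP_SAMPLE = """\
19:02:11.000001 IP 203.0.113.7.3412 > 198.51.100.2.4000: UDP, length 376
19:02:11.000102 IP 203.0.113.7.3412 > 198.51.100.2.4000: UDP, length 376
19:02:11.000203 IP 192.0.2.44.51234 > 198.51.100.2.80: Flags [P.], seq 1:200, ack 1, win 512, length 199
19:02:11.000304 IP 203.0.113.7.3412 > 198.51.100.2.4000: UDP, length 376
19:02:11.000405 IP 198.51.100.2.80 > 192.0.2.44.51234: Flags [.], ack 200, win 512, length 0
19:02:11.000506 IP 203.0.113.9 > 198.51.100.2: ICMP echo request, id 7, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    rates = protocol_rates(parse_netstat_s(NETSTAT_BEFORE),
                           parse_netstat_s(NETSTAT_AFTER), seconds=60)
    print("pkt/s:", {k: round(v, 1) for k, v in sorted(rates.items())})
    print("spike is", spike_protocol(rates))
    print("top sources by bytes:", top_talkers(TCPDUMP_SAMPLE))
```

To use it on a real box, feed it the output of `netstat -s` taken before and after the spike (e.g. `netstat -s > before.txt; sleep 60; netstat -s > after.txt`) and a bounded capture such as `tcpdump -nn -c 2000 -i eth0 > sample.txt`, then call `parse_netstat_s` and `top_talkers` on those files. One caveat worth knowing: the Tcp, Udp and Icmp counters in `netstat -s` only count packets delivered to this host's own stack; traffic the box merely forwards as a router shows up in the Ip "total packets received" and "forwarded" counters, not under Tcp or Udp. That is exactly why the second step, a short packet sample, is needed to pin down both the protocol and the source when the spike is transit traffic.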




