[Snort-users] catching traffic spikes

twig les twigles at ...131...
Mon Jan 27 12:44:03 EST 2003


Two things that pop into my head immediately are
Netflow switching (Cisco proprietary and
computationally very expensive) and Sniffer Pro, very
monetarily expensive but easy to read and
full-featured.

If anyone figures out how to monitor traffic patterns
via snort in a coherent manner please post the
solution, but I don't think snort is the right tool
for this.

--- "W. Salet" <salet at ...8093...> wrote:
> I have the same problem!
> 
> MRTG (Multi Router Traffic Grapher) shows extreme
> incoming traffic spikes.
> Sometimes for two hours! The server slows down and
> is almost unreachable. I
> searched all the /var/log/logfiles &
> /var/log/apache/logfiles but could not
> find anything. So I installed SNORT hoping it could
> trace the source of this
> extreme incoming traffic. I could not find anything
> in the SNORT-logfiles
> which pointed to the extreme traffic spikes. (I am
> using no firewall or
> packetshaper.)
> 
> Any ideas how to trace these traffic spikes?
> 
> 
> ----- Original Message -----
> From: "Fraser Hugh" <hugh_fraser at ...2804...>
> To: <snort-users at lists.sourceforge.net>; "'Richard
> Chmura'"
> <rchmura at ...5839...>
> Sent: Monday, January 27, 2003 6:24 PM
> Subject: RE: [Snort-users] catching traffic spikes
> 
> 
> > You can also use tools like ntop to generate
> protocol and host related
> > statistics in a graphical format, which might in
> turn help trim down the
> > amount of logfile analysis you need to do.
> >
> > > -----Original Message-----
> > > From: Kenneth G. Arnold
> [mailto:bkarnold at ...8060...]
> > > Sent: Sunday, January 26, 2003 9:50 AM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] catching traffic
> spikes
> > >
> > >
> > > Does this graph represent traffic entering and
> leaving your
> > > network from
> > > the internet?  Does it pass through a firewall? 
> Are you using
> > > Packetshaper?  A firewall can keep very good
> logs of all activity that
> > > passes through it.  Analysis of those logs would
> probably
> > > tell you what
> > > protocol, what source, what destination and what
> ports are
> > > being used. If
> > > you are using packetshaper, the job is much
> easier since it
> > > will tell you
> > > the protocol and the application within that
> protocol that is
> > > being used
> > > very easily.  My guess is that you could
> probably find the information
> > > faster using one of those two means rather than
> trying to use snort to
> > > find it.
> > > Ken
> > >
> > > On Sun, 26 Jan 2003, Richard Chmura wrote:
> > >
> > > > This is totally unrelated to the recent MS-SQL
> worm :-)
> > > >
> > > > I've been trying to figure out the nature of
> the seemingly
> > > random traffic
> > > > spikes on my mrtg graph.  I put some snort
> rules in place
> > > but I was unable
> > > > to filter to figure out more about these
> spikes.
> > > > The graph is at:
> > >
> http://members.rogers.com/rchmura/eth0sar-week.png 
> You
> > > > can see the spikes on the green (IN) and
> blue(OUT) values.
> > > The orange line
> > > > it's just (green / blue)
> > > >
> > > >
> > > >
> > > >
>
-------------------------------------------------------
> > > > This SF.NET email is sponsored by:
> > > > SourceForge Enterprise Edition + IBM +
> LinuxWorld = Something 2 See!
> > > > http://www.vasoftware.com
> > > >
> _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or
> unsubscribe:
> > > >
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > >
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
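One way to do the firewall-log analysis Ken describes above (totals per source, protocol and destination port, restricted to the spike window visible on the MRTG graph), as an added example that is not from any poster in this thread: it assumes Linux iptables LOG-target syslog lines and runs on constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of the Linux iptables LOG target.
# They are not from the thread; addresses come from documentation ranges.
SAMPLE_LOG = """\
Jan 26 09:50:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=4321 DPT=80
Jan 26 09:50:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=4322 DPT=80
Jan 26 09:50:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=25
Jan 26 09:50:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 PROTO=TCP SPT=4323 DPT=80
Jan 26 09:50:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=1400 PROTO=UDP SPT=40000 DPT=53
Jan 26 09:50:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 PROTO=ICMP
Jan 26 11:00:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=1400 PROTO=UDP SPT=40001 DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line, year):
    """Return (timestamp, src, proto, dport, bytes) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    # ICMP lines have no ports; record "-" so they still aggregate
    return ts, m["src"], m["proto"], m["dpt"] or "-", int(m["len"])

def top_talkers(log_text, start, end, year=2003, n=5):
    """Sum bytes and packets per (src, proto, dport) inside the spike window
    [start, end) and return the heaviest n flows, largest first."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    totals = defaultdict(lambda: [0, 0])  # key -> [bytes, packets]
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or not (start <= rec[0] < end):
            continue
        key = rec[1:4]
        totals[key][0] += rec[4]
        totals[key][1] += 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(src, proto, dport, b, p) for (src, proto, dport), (b, p) in ranked[:n]]

if __name__ == "__main__":
    for row in top_talkers(SAMPLE_LOG, "2003-01-26 09:50:00", "2003-01-26 09:55:00"):
        print("%-15s %-5s dport=%-5s bytes=%-6d pkts=%d" % row)
```

Feed it the firewall log and the start/end of a spike read off the MRTG graph; the top row is the source, protocol and port responsible for most of the bytes in that window.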
