[Snort-users] catching traffic spikes

James-lists hackerwacker at ...3784...
Mon Jan 27 13:08:08 EST 2003

Try some down and dirty rules that just match tcp any, udp any, and icmp any.
Once you have classified this as tcp, udp or icmp, work from there to spot
what port(s) or type this traffic consists of.  Use a real-time SNMP grapher
like stg (free) so you can spot when the spike starts, and then look at your snort
logs to see what is happening.

I do much the same with Cisco ACL rules, but if the traffic is big, logging this
off the router can be detrimental.
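As an added illustration of the approach in the post above (this is not code from the post or from the Snort project), here are three catch-all rules of the kind described, together with a small script that buckets the resulting alert_fast lines by minute and by protocol/destination port so the spike can be tied to a port. The SIDs (1000001-1000003), the constructed sample alert lines, the assumption that the log is in Snort's alert_fast format, and the one-minute bucket are all choices made for this example.

```python
"""Added example: catch-all Snort rules plus a spike locator for alert_fast
output.  Not part of the original post; SIDs, sample alerts and the
one-minute bucket size are assumptions made for illustration."""
import re
from collections import Counter, defaultdict

# One rule per protocol, no payload test, so every packet raises one alert.
# SIDs in the 1000000+ local range are an arbitrary choice for this example.
CATCH_ALL_RULES = """\
alert tcp any any -> any any (msg:"CATCHALL tcp"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"CATCHALL udp"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"CATCHALL icmp"; sid:1000003; rev:1;)
"""

# Matches an alert_fast line; the port part is absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d):(?P<sec>\d\d\.\d+)\s+"
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: [^\]]*\])?"
    r" \[Priority: (?P<prio>\d+)\] \{(?P<proto>[A-Z]+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["minute"] = f"{a['mon']}/{a['day']} {a['time']}"   # minute bucket key
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def bucket_alerts(lines):
    """Count alerts per minute, and per (proto, dport) inside each minute."""
    per_minute = Counter()
    detail = defaultdict(Counter)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        per_minute[a["minute"]] += 1
        detail[a["minute"]][(a["proto"], a["dport"])] += 1
    return per_minute, detail


def find_spike(lines, factor=3.0):
    """Return (minute, (proto, dport), count) for the busiest minute when it
    holds at least `factor` times the median of the other minutes, else None."""
    per_minute, detail = bucket_alerts(lines)
    if len(per_minute) < 2:
        return None
    busiest, peak = per_minute.most_common(1)[0]
    others = sorted(c for m, c in per_minute.items() if m != busiest)
    baseline = others[len(others) // 2]
    if peak < factor * baseline:
        return None
    (proto, dport), n = detail[busiest].most_common(1)[0]
    return busiest, (proto, dport), n


def fast_line(minute, sec, sid, msg, proto, src, dst):
    """Build one constructed alert_fast line for the sample data below."""
    return (f"01/27-{minute}:{sec:02d}.000000  [**] [1:{sid}:1] {msg} [**] "
            f"[Priority: 3] {{{proto}}} {src} -> {dst}")


# Constructed sample log: a quiet baseline, then a burst of UDP to one port.
SAMPLE_ALERTS = [
    fast_line("13:05", 12, 1000001, "CATCHALL tcp", "TCP", "10.0.0.5:40001", "192.168.1.10:80"),
    fast_line("13:05", 40, 1000003, "CATCHALL icmp", "ICMP", "10.0.0.7", "192.168.1.10"),
    fast_line("13:06", 3, 1000002, "CATCHALL udp", "UDP", "10.0.0.5:5353", "192.168.1.1:53"),
    fast_line("13:06", 51, 1000001, "CATCHALL tcp", "TCP", "10.0.0.9:40123", "192.168.1.10:22"),
    fast_line("13:07", 20, 1000001, "CATCHALL tcp", "TCP", "10.0.0.5:40002", "192.168.1.10:443"),
    fast_line("13:07", 33, 1000001, "CATCHALL tcp", "TCP", "10.0.0.6:40007", "192.168.1.10:80"),
    fast_line("13:08", 2, 1000001, "CATCHALL tcp", "TCP", "10.0.0.5:40003", "192.168.1.10:80"),
    fast_line("13:08", 5, 1000003, "CATCHALL icmp", "ICMP", "10.0.0.7", "192.168.1.10"),
] + [
    # the spike: 30 UDP datagrams to one port within a single minute
    fast_line("13:08", 8 + i, 1000002, "CATCHALL udp", "UDP",
              f"10.0.1.{i + 1}:1025", "192.168.1.1:53")
    for i in range(30)
]

if __name__ == "__main__":
    print(CATCH_ALL_RULES)
    print(find_spike(SAMPLE_ALERTS))
```

The catch-all rules produce one alert per packet, so on a busy link they should be loaded only while you are hunting the spike and pointed at a fast output plugin; the post's warning about logging off the router applies just as much to the sensor.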


