Snort mailing list archives

RE: Help with monitoring sending packet rate


From: Tu Nguyen <nguyen () ucalgary ca>
Date: Wed, 15 May 2002 14:21:38 -0600 (MDT)



On Wed, 15 May 2002, Spitzer, Nathan wrote:


Monitoring throughput to certain devices is probably better handled through
SNMP if that's possible. If you have manageable switches, you could use MRTG or
similar to alert you to high-traffic situations on individual
ports.

 MRTG might or might not do in this case. This kind of event
might not cause a noticeable spike on our Internet link.
Also, I just want to monitor the packet rate as seen from the
Internet link, not every switch (we have quite a large number of
them). The fact that this kind of event
can come from any port on campus makes it more challenging
to monitor.
  As spp_portscan is already doing something similar, I figure
I could mug about to get it to count the "number of any packets
generated by a station or a subnet in a number of seconds".

# This is a small sample from my argus.log
...
...
15 May 02 00:31:17    tcp  136.159.xx.xxx.3569   -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  136.159.xx.xxx.62916  -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp   136.159.xx.xxx43700  -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  136.159.xx.xxx.6455   -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp   136.159.xx.xxx8693   -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  136.159.xx.xxx.51318  -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp   136.159.xx.xxx27017  -> xx.xx.69.126.21    1        0         74          0 TIM
15 May 02 00:31:17    tcp  136.159.xx.xxx.25442  -> xx.xx.69.126.21    1        0         74          0 TIM
...
...

Any advice is greatly appreciated.

Tu Nguyen
nguyen () ucalgary ca



Otherwise, you REALLY need to sniff some of that traffic so you could
develop a rule to monitor it. Good as Snort is, it's not really set up to do
throughput analysis. Just out of curiosity, what port and protocol are the
packets using and what kind of machines are they attempting to DoS?

-----Original Message-----
From: Tu Nguyen [mailto:nguyen () ucalgary ca]
Sent: Wednesday, May 15, 2002 1:46 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help with monitoring sending packet rate



Hi All:
 I am having a problem with some rogue machines that
spew out packets at a very fast rate. I haven't been able
to capture any of these packets but I believe they are identical,
some sort of DoS. The Src IPs are spoofed and they vary but
their destinations are the same.
 I would like to have snort alert me when this happens and
the only signature I can find to identify the incident is by
the sending packet rate. I have been planning to modify
spp_portscan to alert me when the packet rate from a certain station
or subnet exceeds a certain threshold but the code looks daunting.
 Does anyone know how to monitor such an event? Or do I need
to reinvent the wheel here?
Thank you all.

Tu Nguyen
nguyen () ucalgary ca
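The rate check Tu describes (count the packets attributed to a station or subnet over a trailing window of N seconds and alert above a threshold), worked through against records in the layout of the argus.log sample above. This is an added example, not code from the thread or from Snort/argus; the records, addresses and threshold are constructed, and the source /24 is used as the default key because the spoofed source addresses vary within the subnet.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed argus-style records (placeholder addresses), same layout as the thread's sample:
# date time proto src.sport -> dst.dport spkts dpkts sbytes dbytes state
SAMPLE = [
    "15 May 02 00:31:17    tcp  10.0.5.7.3569    -> 192.0.2.21.21    1  0  74  0 TIM",
    "15 May 02 00:31:17    tcp  10.0.5.7.62916   -> 192.0.2.21.21    1  0  74  0 TIM",
    "15 May 02 00:31:17    tcp  10.0.5.8.43700   -> 192.0.2.21.21    1  0  74  0 TIM",
    "15 May 02 00:31:17    tcp  10.0.5.9.6455    -> 192.0.2.21.21    1  0  74  0 TIM",
    "15 May 02 00:31:17    tcp  10.0.5.9.8693    -> 192.0.2.21.21    1  0  74  0 TIM",
    "15 May 02 00:31:17    tcp  10.0.5.12.51318  -> 192.0.2.21.21    1  0  74  0 TIM",
    "15 May 02 00:31:19    tcp  10.0.9.4.40001   -> 192.0.2.21.21    1  0  74  0 TIM",
    "15 May 02 00:31:30    tcp  10.0.5.1.40002   -> 192.0.2.21.21    1  0  74  0 TIM",
]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+(?P<state>\w+)$"
)

def parse_line(line):
    """Parse one record; the last dotted component of src/dst is the port."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d %b %y %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "spkts": int(m["spkts"])}

def subnet24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"

def rate_alerts(lines, window_seconds, threshold, keyfn=lambda r: subnet24(r["src"])):
    """Return (key, timestamp, packets) for each record at which the packets attributed
    to a key exceed `threshold` within the trailing window. Records must be time-ordered."""
    assert window_seconds > 0
    windows = defaultdict(deque)   # key -> (ts, spkts) records still inside the window
    totals = defaultdict(int)
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        key = keyfn(rec)
        q = windows[key]
        q.append((rec["ts"], rec["spkts"]))
        totals[key] += rec["spkts"]
        while (rec["ts"] - q[0][0]).total_seconds() >= window_seconds:
            totals[key] -= q.popleft()[1]   # age out records older than the window
        if totals[key] > threshold:
            alerts.append((key, rec["ts"], totals[key]))
    return alerts
```

Keying on the destination instead (`keyfn=lambda r: r["dst"]`) fits the case in the thread where sources are spoofed but the target stays the same.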



_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






