Snort mailing list archives
RE: catching traffic spikes
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Mon, 27 Jan 2003 12:24:59 -0500
You can also use tools like ntop to generate protocol and host related statistics in a graphical format, which might in turn help trim down the amount of logfile analysis you need to do.
-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold () cbu edu]
Sent: Sunday, January 26, 2003 9:50 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] catching traffic spikes

Does this graph represent traffic entering and leaving your network from the internet? Does it pass through a firewall? Are you using Packetshaper?

A firewall can keep very good logs of all activity that passes through it. Analysis of those logs would probably tell you what protocol, what source, what destination and what ports are being used. If you are using Packetshaper, the job is much easier since it will tell you the protocol and the application within that protocol that is being used very easily. My guess is that you could probably find the information faster using one of those two means rather than trying to use snort to find it.

Ken

On Sun, 26 Jan 2003, Richard Chmura wrote:

This is totally unrelated to the recent MS-SQL worm :-)

I've been trying to figure out the nature of the seemingly random traffic spikes on my mrtg graph. I put some snort rules in place but I was unable to filter to figure out more about these spikes.

The graph is at: http://members.rogers.com/rchmura/eth0sar-week.png

You can see the spikes on the green (IN) and blue (OUT) values. The orange line is just (green / blue).

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
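Ken's suggestion of mining the firewall logs for protocol, source, destination and ports, and Hugh's point that per-protocol and per-host statistics cut down the log reading, can be done with a few lines of scripting once you know the minute MRTG shows the spike in. The script below is an added example for this thread, not code from any poster: it assumes Netfilter/iptables-style syslog LOG lines (the SRC= DST= LEN= PROTO= SPT= DPT= fields), the sample log lines are constructed, and the year is assumed because syslog timestamps omit it.

```python
"""Rank what was on the wire during a traffic spike, from firewall LOG lines.

Added example for this thread, not code from any poster. Assumes
Netfilter/iptables-style syslog lines (SRC= DST= LEN= PROTO= SPT= DPT=);
the sample lines are constructed and the year is assumed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

ASSUMED_YEAR = 2003  # assumption: syslog timestamps carry no year

# Capture only the fields we rank on; MAC=, TOS=, ID=, TCP flags etc. are skipped.
# SPT/DPT are optional so ICMP lines (PROTO=ICMP TYPE= CODE=) still parse.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: quiet traffic at 09:45, a burst from one host at 09:50,
# one unrelated kernel message mixed in, quiet again at 09:55.
SAMPLE_LOG = """\
Jan 26 09:45:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=44321 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 26 09:45:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
Jan 26 09:50:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=50 ID=10 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=64240 RES=0x00 ACK URGP=0
Jan 26 09:50:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=50 ID=11 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=64240 RES=0x00 ACK URGP=0
Jan 26 09:50:12 fw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 LEN=120 TOS=0x00 PREC=0x00 TTL=54 ID=3 PROTO=UDP SPT=53 DPT=40000 LEN=100
Jan 26 09:50:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=50 ID=12 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=64240 RES=0x00 ACK URGP=0
Jan 26 09:50:13 fw kernel: martian source 10.0.0.9 from 203.0.113.1, on dev eth0
Jan 26 09:50:13 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=50 ID=13 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=64240 RES=0x00 ACK URGP=0
Jan 26 09:50:14 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=10.0.0.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=50 ID=14 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=64240 RES=0x00 ACK URGP=0
Jan 26 09:55:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=44322 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return the fields of one firewall LOG line, or None for other kernel messages."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "bytes": int(m["len"]),  # IP total length, so the sum tracks MRTG's byte counters
        "proto": m["proto"],
    }
    if m["spt"]:
        spt, dpt = int(m["spt"]), int(m["dpt"])
        # Heuristic: the lower of the two ports is almost always the service port,
        # which answers "what application" regardless of traffic direction.
        rec["service"] = f"{rec['proto']}/{min(spt, dpt)}"
    else:
        rec["service"] = rec["proto"]  # no ports for ICMP and friends
    return rec


def summarize(log_text, start, end):
    """Byte totals by protocol, service, source and destination for start <= ts < end."""
    stats = {k: Counter() for k in ("proto", "service", "src", "dst")}
    packets = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        packets += 1
        for key in stats:
            stats[key][rec[key]] += rec["bytes"]
    total = sum(stats["proto"].values())
    seconds = (end - start).total_seconds()
    return {
        "packets": packets,
        "bytes": total,
        "bytes_per_sec": total / seconds if seconds else 0.0,  # compare with the MRTG peak
        **stats,
    }


def spike_window(day="Jan 26", hhmm="09:50", minutes=1):
    """Window to inspect: read the minute off the MRTG graph and widen as needed."""
    start = datetime.strptime(f"{ASSUMED_YEAR} {day} {hhmm}", "%Y %b %d %H:%M")
    return start, start + timedelta(minutes=minutes)


def report(stats, top_n=3):
    """Human-readable ranking of what dominated the window."""
    out = [f"{stats['packets']} packets, {stats['bytes']} bytes, {stats['bytes_per_sec']:.0f} B/s"]
    for key in ("proto", "service", "src", "dst"):
        ranked = ", ".join(f"{k}={v}" for k, v in stats[key].most_common(top_n))
        out.append(f"  top {key}: {ranked}")
    return "\n".join(out)


if __name__ == "__main__":
    start, end = spike_window()
    print(report(summarize(SAMPLE_LOG, start, end)))
```

Run it against the constructed sample and the 09:50 window comes out as 7620 bytes in 6 packets, almost all of it TCP/443 from a single source, which is the kind of answer that tells you which host to go and look at. Against a real box, replace SAMPLE_LOG with the contents of the file your LOG target writes to and feed spike_window the minute MRTG shows; if the firewall only logs denied packets you will see the noise but not the bulk traffic, so make sure the accepted flows are logged (or rate-limited samples of them) before trusting the totals.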
Current thread:
- catching traffic spikes Richard Chmura (Jan 25)
- Re: catching traffic spikes Kenneth G. Arnold (Jan 26)
- <Possible follow-ups>
- RE: catching traffic spikes Fraser Hugh (Jan 27)
- Re: catching traffic spikes W. Salet (Jan 27)
- Re: catching traffic spikes Kenneth G. Arnold (Jan 27)
- Re: catching traffic spikes twig les (Jan 27)
- Re: catching traffic spikes James-lists (Jan 27)
- Re: catching traffic spikes W. Salet (Jan 27)
- RE: catching traffic spikes O'Flynn, Derek (Jan 27)