Using snort to detect if your users are doing interesting things?

Jordan Medlen jmedlen at sagonet.com
Thu Jun 9 17:31:16 UTC 2005


We just finished deploying a Snort IDS system on our network. The task of
doing so was well worth the effort, and quite a bit of effort and resources
were needed for our deployment. Due to the fact that we have a sustained
5Gbps of traffic to monitor in our Tampa data center alone, a simple server
running Snort was just not going to cut it and rather than deploying off of
our core routers in Tampa, which would catch inbound and outbound traffic,
we decided after our testing that placing our tap points on our core routers
was just not going to be sufficient due to the amount of abuse we saw in
testing between customers in our facility. We decided to build a single
server for each of our distribution switches at all of our locations that
would communicate to a central server running the ACID console. This
deployment has allowed us to gather so much information about what *TRULY*
is and has been going on, that we wonder why we didn’t do this sooner. 


Please keep in mind that there are many right ways to deploy an IDS system,
however only one is really going to fit *most* of your needs initially. With
some time, patience, and quite a bit of caffeine, you should be well on your
way to dropping your abusive traffic on your network. Good luck to you!


--
Jordan Medlen
Chief Network Engineer
Sago Networks

From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Drew Weaver
Sent: Thursday, June 09, 2005 11:46 AM
To: nanog at merit.edu
Subject: Using snort to detect if your users are doing interesting things?

Howdy, I am not sure if this is the proper place, if not I’ve
noticed you guys know what to do so I’ll put the fire retardant suit on now.
Recently due to growth we have seen an influx of “different” and
“interesting” types of characters ending up on our network. They like to do
all sorts of things, port scan /8s, spam, set up botnets with the controllers
hosted on my network.. etc. I’m wondering what is the best way to detect
people doing these things on my end. I realize there are methods to protect
myself from people attacking from the outside but I’m not real sure how to
pinpoint who is really being loud on the inside.


I did have one somewhat silly question.. if you look at the statistics of a
Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in
(pretty much equal in/out) but hardly any bandwidth at all can anyone think
of a single application that would mimic that behavior?


Sorry if this is elementary network school knowledge.

-Drew


--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.6.6 - Release Date: 6/8/2005
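An added example for the last question in the quoted message, not code from either post in this thread: a Python helper (names and thresholds are my assumptions) that turns two reads of a switch port's interface counters into packet rate, average packet size and in/out symmetry, so the "2000 pps each way, hardly any bandwidth" pattern shows up as tiny-packet traffic worth a closer look with the IDS rather than a guess from a bandwidth graph.

```python
from dataclasses import dataclass

COUNTER32_MAX = 2**32  # IF-MIB Counter32 objects wrap at this value

@dataclass(frozen=True)
class Sample:            # one read of a port's counters (SNMP or CLI, assumed)
    t: float             # seconds since epoch
    in_pkts: int
    in_octets: int
    out_pkts: int
    out_octets: int

def delta(new, old, wrap=COUNTER32_MAX):
    """Counter difference that survives a single 32-bit wraparound."""
    return (new - old) % wrap

def port_profile(a, b):
    """Packet rates, average sizes and in/out symmetry from samples a (earlier), b (later)."""
    secs = b.t - a.t
    if secs <= 0:
        raise ValueError("samples must be in time order")
    in_pkts, out_pkts = delta(b.in_pkts, a.in_pkts), delta(b.out_pkts, a.out_pkts)
    in_oct, out_oct = delta(b.in_octets, a.in_octets), delta(b.out_octets, a.out_octets)
    in_pps, out_pps = in_pkts / secs, out_pkts / secs
    # symmetry is 1.0 when the port sends exactly as many packets as it receives
    symmetry = min(in_pps, out_pps) / max(in_pps, out_pps) if max(in_pps, out_pps) else 0.0
    return {"in_pps": in_pps, "out_pps": out_pps, "symmetry": symmetry,
            "avg_in_bytes": in_oct / in_pkts if in_pkts else 0.0,
            "avg_out_bytes": out_oct / out_pkts if out_pkts else 0.0,
            "in_bps": in_oct * 8 / secs, "out_bps": out_oct * 8 / secs}

def is_symmetric_small_packet_chatter(p, min_pps=1000, max_avg_bytes=128, min_symmetry=0.8):
    """True for the pattern asked about: high, equal pps both ways made of tiny packets.
    Thresholds are assumptions to tune per site, not values from the thread."""
    return (min(p["in_pps"], p["out_pps"]) >= min_pps
            and max(p["avg_in_bytes"], p["avg_out_bytes"]) <= max_avg_bytes
            and p["symmetry"] >= min_symmetry)

# Constructed 60 s samples. CHATTER: 2000 pps each way of 64-byte packets (~1 Mbit/s),
# with the inbound octet counter wrapping between the two reads.
CHATTER_T0 = Sample(0.0, 5_000_000, COUNTER32_MAX - 1_000_000, 7_000_000, 900_000_000)
CHATTER_T1 = Sample(60.0, 5_120_000, (COUNTER32_MAX - 1_000_000 + 120_000 * 64) % COUNTER32_MAX,
                    7_120_000, 900_000_000 + 120_000 * 64)
# BULK: an ordinary download, 2000 pps of 1400-byte packets in, 200 pps of 60-byte ACKs out.
BULK_T0 = Sample(0.0, 1_000, 10_000, 500, 8_000)
BULK_T1 = Sample(60.0, 121_000, 10_000 + 120_000 * 1400, 12_500, 8_000 + 12_000 * 60)

if __name__ == "__main__":
    for name, a, b in (("chatter", CHATTER_T0, CHATTER_T1), ("bulk", BULK_T0, BULK_T1)):
        prof = port_profile(a, b)
        print(name, "FLAG" if is_symmetric_small_packet_chatter(prof) else "ok", prof)
```

Feeding real counters in is a matter of polling ifInUcastPkts/ifInOctets/ifOutUcastPkts/ifOutOctets per port; a flagged port is a candidate to point the Snort sensor's span at, not a verdict on what is running there.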
