Using snort to detect if your users are doing interesting things?
Sam Hayes Merritt, III
sam at themerritts.org
Thu Jun 9 15:58:21 UTC 2005
> I'm wondering what is the best way to detect people doing these things
> on my end. I realize there are methods to protect myself from people
> attacking from the outside, but I'm not really sure how to pinpoint who is
> really being loud on the inside.
One of the best things we did was set up a snort box with barnyard logging
to a mysql server. The snort box has an IP out of each ARIN allocation we
have.
On a schedule, we purge the logs in the mysql server that did not come
from our IP space, and if there are X number of things from one of our IPs,
we open an abuse ticket, which then looks up what type of connection that IP
is and finds the specific user. It's then a manual process to hit a 'turn
off and note their account' button or notify a downstream ISP.
This setup appears to catch a ton of the worms that scan a /8. I'm sure
there is probably a better way of doing this, but without throwing a box
at each network access point or better utilizing cflow, I couldn't come up
with it.
sam
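The scheduled purge-count-ticket loop Sam describes, written out as an added example (this is not code from the post or from snort/barnyard). It assumes two constructed allocations in place of the real ARIN prefixes, a threshold X of 5, a constructed alert list standing in for rows pulled from the barnyard MySQL tables, and a made-up mapping from prefix to connection type; the ticket records the manual action an operator would take (disable the account, or notify the downstream ISP).

```python
import ipaddress
from collections import Counter

# Constructed example prefixes standing in for "an IP out of each ARIN
# allocation we have", each tagged with an assumed connection type.
OUR_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "dsl",
    ipaddress.ip_network("198.51.100.0/24"): "downstream-isp",
}

# "X number of things" from one source before a ticket opens (assumed value).
THRESHOLD = 5


def _probes(src, n, sig="SCAN TCP/445 probe"):
    """Build n constructed alert rows from src, one per destination."""
    return [("2005-06-09 15:%02d:00" % i, sig, src, "10.%d.0.1" % i)
            for i in range(n)]


# Constructed alert rows shaped like (timestamp, signature, src, dst), which is
# what a scheduled job would pull out of the barnyard tables. Not real traffic.
SAMPLE_ALERTS = (
    _probes("192.0.2.10", 6)        # worm scanning out of one of our DSL IPs
    + _probes("192.0.2.50", 2)      # a couple of hits, under threshold
    + _probes("198.51.100.20", 5)   # downstream ISP customer right at threshold
    + _probes("203.0.113.7", 8)     # not our space: the purge drops these
)


def connection_type(ip):
    """Return the connection type for one of our IPs, or None if it is foreign."""
    addr = ipaddress.ip_address(ip)
    for net, kind in OUR_PREFIXES.items():
        if addr in net:
            return kind
    return None


def purge_foreign(alerts):
    """The scheduled purge: keep only rows whose source is in our IP space."""
    return [a for a in alerts if connection_type(a[2]) is not None]


def noisy_sources(alerts, threshold=THRESHOLD):
    """Count alerts per internal source IP and return those at or over X."""
    counts = Counter(a[2] for a in purge_foreign(alerts))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def open_abuse_tickets(alerts, threshold=THRESHOLD):
    """One ticket per noisy source, with the manual action the operator takes."""
    tickets = []
    for ip, n in sorted(noisy_sources(alerts, threshold).items()):
        kind = connection_type(ip)
        top_sig = Counter(a[1] for a in alerts if a[2] == ip).most_common(1)[0][0]
        # A downstream ISP owns the customer relationship, so we notify them;
        # for our own access customers the account gets turned off and noted.
        action = ("notify downstream ISP" if kind == "downstream-isp"
                  else "turn off and note account")
        tickets.append({"ip": ip, "alerts": n, "connection": kind,
                        "top_signature": top_sig, "action": action})
    return tickets


if __name__ == "__main__":
    for ticket in open_abuse_tickets(SAMPLE_ALERTS):
        print(ticket)
```

In a real deployment the rows would come from a query against the barnyard database on the same schedule as the purge, and the prefix list would be the actual allocations; both are replaced here by constructed data so the example runs offline. Lowering the threshold (for instance `noisy_sources(SAMPLE_ALERTS, threshold=2)`) shows the trade-off in X: the two-alert source becomes a ticket too.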