[81427] in North American Network Operators' Group
Using snort to detect if your users are doing interesting things?
daemon@ATHENA.MIT.EDU (Drew Weaver)
Thu Jun 9 11:28:19 2005
Date: Thu, 9 Jun 2005 11:45:54 -0400
From: "Drew Weaver" <drew.weaver@thenap.com>
To: <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
Howdy, I am not sure if this is the proper place; if not, I've noticed you
guys know what to do, so I'll put the fire retardant suit on now. Recently,
due to growth, we have seen an influx of "different" and "interesting" types
of characters ending up on our network. They like to do all sorts of things:
port scan /8s, spam, set up botnets with the controllers hosted on my
network, etc. I'm wondering what is the best way to detect people doing these
things on my end. I realize there are methods to protect myself from people
attacking from the outside, but I'm not really sure how to pinpoint who is
really being loud on the inside.

I did have one somewhat silly question: if you look at the statistics of a
Fast Ethernet port, and it is doing both 2000 pps out and 2000 pps in (pretty
much equal in/out) but hardly any bandwidth at all, can anyone think of a
single application that would mimic that behavior?

Sorry if this is elementary network school knowledge.
-Drew
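A flow-level heuristic for the two symptoms the post describes, added here as an example; it is not part of Drew's message and not a Snort rule (Snort 2's sfPortscan preprocessor covers the scan side on a sensor). The flow records, the hosts, the port numbers and the thresholds are all constructed for the example: one host fans out to many distinct destinations on a single port with no replies, one host carries equal packet counts in each direction with a tiny average packet size (the "2000 pps each way, hardly any bandwidth" pattern), and one behaves like an ordinary web client and is not flagged.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    """One flow record as a NetFlow/sFlow-style exporter would summarise it,
    already paired so that a record carries both directions of the conversation."""
    src: str        # the host on our side of the edge
    dst: str        # remote address
    dport: int      # remote port
    pkts_out: int   # packets src -> dst in the sample window
    pkts_in: int    # packets dst -> src in the sample window
    bytes_out: int
    bytes_in: int


def _constructed_sample() -> List[Flow]:
    """Constructed flows for one sample window; not captured traffic."""
    flows: List[Flow] = []
    # 10.0.0.5 touches 80 distinct addresses on one port, one unanswered packet each
    flows += [Flow("10.0.0.5", f"192.0.2.{i}", 445, 1, 0, 60, 0) for i in range(1, 81)]
    # 10.0.0.7 keeps 20 chatty sessions of tiny packets, equal counts each way
    flows += [Flow("10.0.0.7", f"198.51.100.{i}", 4000, 100, 100, 6000, 6000)
              for i in range(1, 21)]
    # 10.0.0.9 looks like an ordinary web client: few peers, large asymmetric transfers
    flows += [Flow("10.0.0.9", f"203.0.113.{i}", 80, 50, 200, 4000, 250000)
              for i in range(1, 4)]
    return flows


SAMPLE_FLOWS = _constructed_sample()


def scan_suspects(flows: Iterable[Flow], min_targets: int = 50) -> Dict[str, Dict[int, int]]:
    """Sources that reached at least min_targets distinct destinations on one port.
    Returns {src: {dport: distinct_destination_count}} for the offending ports only."""
    seen: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        seen[f.src][f.dport].add(f.dst)
    result: Dict[str, Dict[int, int]] = {}
    for src, ports in seen.items():
        hits = {port: len(dsts) for port, dsts in ports.items() if len(dsts) >= min_targets}
        if hits:
            result[src] = hits
    return result


def symmetric_small_packet_hosts(flows: Iterable[Flow], max_avg_bytes: float = 100.0,
                                 max_ratio: float = 1.25) -> Dict[str, Dict[str, float]]:
    """Hosts whose in/out packet counts are nearly equal while the average packet
    is tiny: high pps with little bandwidth, the pattern the question describes.
    Thresholds are assumptions for the example, not tuned values."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0, 0])  # out pkts, in pkts, bytes
    for f in flows:
        t = totals[f.src]
        t[0] += f.pkts_out
        t[1] += f.pkts_in
        t[2] += f.bytes_out + f.bytes_in
    result: Dict[str, Dict[str, float]] = {}
    for host, (out, inn, nbytes) in totals.items():
        if min(out, inn) == 0:
            continue  # one-way traffic is a different symptom (see scan_suspects)
        ratio = max(out, inn) / min(out, inn)
        avg = nbytes / (out + inn)
        if ratio <= max_ratio and avg <= max_avg_bytes:
            result[host] = {"pkts_out": out, "pkts_in": inn, "avg_bytes": avg}
    return result


if __name__ == "__main__":
    print("possible scanners:", scan_suspects(SAMPLE_FLOWS))
    print("symmetric small-packet hosts:", symmetric_small_packet_hosts(SAMPLE_FLOWS))
```

Both functions work on per-window aggregates rather than individual packets, so they can be fed from a flow collector at the edge without a full-packet sensor; the two checks are kept separate because a scanner shows up as one-way traffic to many peers, while the equal-pps case shows up as two-way traffic to a few peers, and a single threshold would not separate them.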