[81429] in North American Network Operators' Group


Re: Using snort to detect if your users are doing interesting things?

daemon@ATHENA.MIT.EDU (trainier@kalsec.com)
Thu Jun 9 11:41:12 2005

In-Reply-To: <20050609153357.GA29899@panix.com>
To: nanog@merit.edu
From: trainier@kalsec.com
Date: Thu, 9 Jun 2005 11:36:22 -0400
Errors-To: owner-nanog@merit.edu



As it was already noted, you need to be very careful about how you set
your IDS up, specifically if you choose snort.
Snort is a very powerful tool, when used correctly.  Unfortunately, when
used incorrectly, it can hose your network over completely.

My suggestion, in the case that you'll use snort, is to do some extensive
testing on a non-production network.
Take the time to learn and understand its functionality and intended purpose.

Tim



Thor Lancelot Simon <tls@NetBSD.ORG> (sent by owner-nanog@merit.edu) wrote on 06/09/2005 11:33 AM:
Please respond to: tls@rek.tjls.com
To: Drew Weaver <drew.weaver@thenap.com>
cc: nanog@merit.edu
Subject: Re: Using snort to detect if your users are doing interesting things?

On Thu, Jun 09, 2005 at 11:45:54AM -0400, Drew Weaver wrote:
> I'm wondering what is the best way to detect people doing these things
> on my end. I realize there are methods to protect myself from people
> attacking from the outside but I'm not real sure how to pinpoint who is
> really being loud on the inside.

Any IDS ought to be able to do this.  The problem will be figuring out
where to connect its taps, and how to provide enough capacity at those
points to do so without negatively impacting your overall network
performance.

You should be lauded for doing this.  If all providers did it the
Internet would be a much, much safer place.

> I did have one somewhat silly question.. if you look at the statistics
> of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps
> in (pretty much equal in/out) but hardly any bandwidth at all can anyone
> think of a single application that would mimic that behavior?

VoIP with a low-rate codec, or some quantitatively similar multimedia
or gaming application?

-- 
 Thor Lancelot Simon tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."  - Noam Chomsky

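The port-statistics question above (equal packet rates in and out, almost no bandwidth) can be turned into a first-pass triage of interface counters before anyone decides where to put an IDS tap. The following is an added example, not code from this thread or from any of the posters: it takes two readings of a port's cumulative counters, derives pps and bps per direction, and uses average packet size plus in/out symmetry to separate the VoIP/gaming-like pattern from a bulk sender and from a host spraying small outbound packets that get few replies. The port names, counter values and every threshold are constructed assumptions; the only point it borrows from the thread is that small symmetric packets at low bandwidth look like a low-rate codec rather than abuse.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One reading of a port's cumulative counters (e.g. SNMP ifTable)."""
    t: float          # seconds since some epoch
    in_pkts: int
    out_pkts: int
    in_bytes: int
    out_bytes: int


@dataclass(frozen=True)
class PortRate:
    in_pps: float
    out_pps: float
    in_bps: float
    out_bps: float

    @property
    def avg_in_pkt(self) -> float:
        """Average inbound packet size in bytes (0.0 when idle)."""
        return self.in_bps / 8 / self.in_pps if self.in_pps else 0.0

    @property
    def avg_out_pkt(self) -> float:
        """Average outbound packet size in bytes (0.0 when idle)."""
        return self.out_bps / 8 / self.out_pps if self.out_pps else 0.0

    @property
    def symmetry(self) -> float:
        """min/max of the two packet rates: 1.0 is perfectly balanced."""
        hi = max(self.in_pps, self.out_pps)
        return min(self.in_pps, self.out_pps) / hi if hi else 0.0


def _delta(old: int, new: int, bits: int = 32) -> int:
    """Counter difference that survives one wrap of a `bits`-wide counter.

    32-bit octet counters wrap in well under a minute on a busy link,
    so a naive new-old would go negative between polls.
    """
    return new - old if new >= old else new + (1 << bits) - old


def rates(a: Snapshot, b: Snapshot) -> PortRate:
    """Turn two cumulative counter readings into per-second rates."""
    dt = b.t - a.t
    if dt <= 0:
        raise ValueError("snapshots must be in increasing time order")
    return PortRate(
        in_pps=_delta(a.in_pkts, b.in_pkts) / dt,
        out_pps=_delta(a.out_pkts, b.out_pkts) / dt,
        in_bps=_delta(a.in_bytes, b.in_bytes) * 8 / dt,
        out_bps=_delta(a.out_bytes, b.out_bytes) * 8 / dt,
    )


def classify(r: PortRate, *, small_pkt: int = 200, min_pps: int = 500,
             sym_floor: float = 0.75) -> str:
    """Label a port's traffic shape.  Thresholds are illustrative assumptions."""
    if max(r.in_pps, r.out_pps) < min_pps:
        return "quiet"
    small_both = r.avg_in_pkt < small_pkt and r.avg_out_pkt < small_pkt
    if r.symmetry >= sym_floor and small_both:
        # Equal pps both ways, tiny packets, little bandwidth: the pattern
        # asked about in the thread; VoIP/gaming-like, not misbehaviour.
        return "symmetric-small-packet"
    if r.out_pps > r.in_pps and r.avg_out_pkt < small_pkt and r.symmetry < 0.5:
        # Many small packets leaving, few replies: scans and UDP floods
        # look like this; a "loud" host worth a closer look with a tap.
        return "outbound-small-packet"
    if r.avg_out_pkt >= small_pkt and r.out_bps > r.in_bps:
        return "bulk-sender"
    return "mixed"


# Constructed sample: two readings, 10 s apart, per port (not real data).
SAMPLES = {
    "fa0/1": (Snapshot(0, 0, 0, 0, 0),
              Snapshot(10, 20_000, 20_000, 1_600_000, 1_600_000)),   # 2000 pps each way, 80 B
    "fa0/2": (Snapshot(0, 0, 0, 0, 0),
              Snapshot(10, 5_000, 80_000, 320_000, 112_000_000)),    # 1400 B outbound, ~90 Mbps
    "fa0/3": (Snapshot(0, 0, 0, 0, 0),
              Snapshot(10, 3_000, 30_000, 180_000, 1_800_000)),      # 60 B, 10:1 out:in
    "fa0/4": (Snapshot(0, 0, 0, 0, 0),
              Snapshot(10, 500, 500, 40_000, 40_000)),               # 50 pps
}


def triage(samples=SAMPLES) -> dict:
    """Classify every port in `samples`; returns {port: label}."""
    return {port: classify(rates(a, b)) for port, (a, b) in samples.items()}


if __name__ == "__main__":
    for port, label in triage().items():
        r = rates(*SAMPLES[port])
        print(f"{port}: {label:24s} in {r.in_pps:.0f} pps/{r.avg_in_pkt:.0f} B  "
              f"out {r.out_pps:.0f} pps/{r.avg_out_pkt:.0f} B  sym {r.symmetry:.2f}")
```

The labels are only a pointer to where a tap is worth the capacity it costs; the "outbound-small-packet" bucket is where the IDS itself earns its keep, and the "symmetric-small-packet" bucket is the one the thread suggests is usually a phone call.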
