[81430] in North American Network Operators' Group
Re: Using snort to detect if your users are doing interesting things?
daemon@ATHENA.MIT.EDU (Sam Hayes Merritt, III)
Thu Jun 9 11:58:48 2005
Date: Thu, 9 Jun 2005 10:58:21 -0500 (CDT)
From: "Sam Hayes Merritt, III" <sam@themerritts.org>
To: Drew Weaver <drew.weaver@thenap.com>
Cc: nanog@merit.edu
In-Reply-To: <B9ECBF8D89E7684EB63FF250E8788B191195DB@BIGLOG.thenap.com>
Errors-To: owner-nanog@merit.edu
> I'm wondering what is the best way to detect people doing these things
> on my end. I realize there are methods to protect myself from people
> attacking from the outside but I'm not real sure how to pinpoint who is
> really being loud on the inside.
One of the best things we did was set up a snort box with barnyard logging
to a mysql server. The snort box has an IP out of each ARIN allocation we
have.
On a schedule, we purge the logs in the mysql server that did not come
from our IP space and if there are X number of things from one of our IPs,
open an abuse ticket which then looks up what type of connection that IP
is and finds the specific user. It's then a manual process to hit a 'turn
off and note their account' button or notify a downstream ISP.
This setup appears to catch a ton of the worms that scan a /8. I'm sure
there is probably a better way of doing this, but without throwing a box
at each network access point or better utilizing cflow, I couldn't come up
with it.
sam
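The scheduled purge-and-threshold step described in the reply above, as an added example that is not part of the original post or of any snort/barnyard code. It works on alert rows as they would be read back out of the barnyard MySQL tables, drops rows whose source is outside our own allocations, and returns one ticket-ready record per internal source that crosses the "X number of things" threshold inside a look-back window. The allocations, the threshold, the window, the signature names and the sample rows are all constructed for illustration.

```python
"""Added example (not from the original post): snort/barnyard alert rows ->
keep only our own IP space -> per-source threshold -> abuse-ticket records.
All prefixes, thresholds, signature names and sample rows below are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: the ARIN allocations the sensor holds an address in (constructed, RFC 5737 space).
OUR_ALLOCATIONS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Assumed: the "X number of things" threshold and the look-back window for one scheduled run.
ALERT_THRESHOLD = 5
WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class Alert:
    """One alert row as it would come back from the barnyard/snort database."""
    timestamp: datetime
    ip_src: str
    sig_name: str


def is_ours(ip: str) -> bool:
    """True when the source address falls inside one of our allocations."""
    addr = ip_address(ip)
    return any(addr in net for net in OUR_ALLOCATIONS)


def purge_foreign(alerts):
    """Step 1 of the run: keep only alerts whose source is in our IP space
    (the post purges everything else from the MySQL server)."""
    return [a for a in alerts if is_ours(a.ip_src)]


def noisy_sources(alerts, now, threshold=ALERT_THRESHOLD, window=WINDOW):
    """Step 2: count alerts per internal source inside the window and return
    {ip_src: (count, set_of_signature_names)} for sources at or above threshold."""
    cutoff = now - window
    counts = Counter()
    sigs = {}
    for a in alerts:
        if a.timestamp < cutoff:
            continue  # older than the window; not part of this run
        counts[a.ip_src] += 1
        sigs.setdefault(a.ip_src, set()).add(a.sig_name)
    return {ip: (n, sigs[ip]) for ip, n in counts.items() if n >= threshold}


def build_tickets(alerts, now):
    """Steps 1 and 2 together: one ticket record per noisy internal source.
    The connection-type lookup that maps ip_src to a user is left to the
    ticketing system, as in the post."""
    ours = purge_foreign(alerts)
    tickets = []
    for ip, (n, sig_set) in sorted(noisy_sources(ours, now).items()):
        tickets.append({"ip_src": ip, "alert_count": n, "signatures": sorted(sig_set)})
    return tickets


# Constructed sample rows: a worm-like scanner inside our space, one quiet
# internal host, a loud external host (purged), and old internal noise (outside window).
NOW = datetime(2005, 6, 9, 11, 0, 0)
SAMPLE_ALERTS = (
    [Alert(NOW - timedelta(minutes=i), "192.0.2.77", "CONSTRUCTED scan tcp/445") for i in range(6)]
    + [Alert(NOW - timedelta(minutes=2), "198.51.100.9", "CONSTRUCTED scan tcp/445")]
    + [Alert(NOW - timedelta(minutes=3), "203.0.113.5", "CONSTRUCTED scan udp/1434") for _ in range(10)]
    + [Alert(NOW - timedelta(hours=3), "192.0.2.8", "CONSTRUCTED scan tcp/135") for _ in range(8)]
)

if __name__ == "__main__":
    for t in build_tickets(SAMPLE_ALERTS, NOW):
        print(f"open abuse ticket: {t['ip_src']} ({t['alert_count']} alerts) {t['signatures']}")
```

In a real deployment the first step is a scheduled `DELETE` against the barnyard tables and the second is a `GROUP BY` on the source address; the Python above makes the same two decisions on rows already pulled out, so the threshold and window logic can be tested without a database.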