[81433] in North American Network Operators' Group
RE: Using snort to detect if your users are doing interesting things?
daemon@ATHENA.MIT.EDU (Jordan Medlen)
Thu Jun 9 13:33:58 2005
Reply-To: <jmedlen@sagonet.com>
From: "Jordan Medlen" <jmedlen@sagonet.com>
To: <nanog@merit.edu>
Date: Thu, 9 Jun 2005 13:31:16 -0400
In-Reply-To: <B9ECBF8D89E7684EB63FF250E8788B191195DB@BIGLOG.thenap.com>
Errors-To: owner-nanog@merit.edu
We just finished deploying a Snort IDS system on our network. The task of doing so was well worth the effort, and quite a bit of effort and resources were needed for our deployment. Due to the fact that we have a sustained 5Gbps of traffic to monitor in our Tampa data center alone, a simple server running Snort was just not going to cut it, and rather than deploying off of our core routers in Tampa, which would catch inbound and outbound traffic, we decided after our testing that placing our tap points on our core routers was just not going to be sufficient due to the amount of abuse we saw in testing between customers in our facility. We decided to build a single server for each of our distribution switches at all of our locations that would communicate to a central server running the ACID console. This deployment has allowed us to gather so much information about what *TRULY* is and has been going on, that we wonder why we didn't do this sooner.

Please keep in mind that there are many right ways to deploy an IDS system, however only one is really going to fit *most* of your needs initially. With some time, patience, and quite a bit of caffeine, you should be well on your way to dropping your abusive traffic on your network. Good luck to you!

--
Jordan Medlen
Chief Network Engineer
Sago Networks

_____

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Drew Weaver
Sent: Thursday, June 09, 2005 11:46 AM
To: nanog@merit.edu
Subject: Using snort to detect if your users are doing interesting things?

Howdy, I am not sure if this is the proper place; if not, I've noticed you guys know what to do, so I'll put the fire retardant suit on now. Recently, due to growth, we have seen an influx of "different" and "interesting" types of characters ending up on our network. They like to do all sorts of things: port scan /8s, spam, set up botnets with the controllers hosted on my network, etc. I'm wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside, but I'm not real sure how to pinpoint who is really being loud on the inside.

I did have one somewhat silly question: if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all, can anyone think of a single application that would mimic that behavior?

Sorry if this is elementary network school knowledge.
-Drew
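One way to turn the two questions in the quoted post (who is being loud on the inside, and what the equal-pps, almost-no-bandwidth pattern looks like) into a per-host check is to summarize flow records per internal host on the sensor side and flag the two symptoms the thread describes: many distinct destinations in a short window, and a high, nearly symmetric packet rate with a tiny average packet size. The script below is an added example, not code from the thread, from Snort or from ACID; the address range, thresholds and flow records are constructed.

```python
from collections import defaultdict

INTERNAL_PREFIX = "10.0."     # assumed customer address space (constructed)
SCAN_DST_THRESHOLD = 50       # distinct destinations per window that look like a sweep
HIGH_PPS = 1000               # outbound packets/second considered "loud"
SMALL_PKT_BYTES = 120         # average bytes/packet considered "tiny"

# Constructed one-second flow window: (src, dst, packets, bytes), one record per direction.
SAMPLE_FLOWS = (
    # 10.0.1.10: an ordinary download, few packets, lots of bytes
    [("10.0.1.10", "203.0.113.5", 900, 1_200_000),
     ("203.0.113.5", "10.0.1.10", 400, 30_000)]
    # 10.0.2.20: 2000 pps each way of small packets, hardly any bandwidth
    + [("10.0.2.20", "198.51.100.7", 2000, 130_000),
       ("198.51.100.7", "10.0.2.20", 2000, 128_000)]
    # 10.0.3.30: one small packet to each of 60 hosts in a /24
    + [("10.0.3.30", f"192.0.2.{i}", 1, 60) for i in range(1, 61)]
)


def summarize(flows):
    """Per internal host: packets and bytes in each direction, plus distinct peers."""
    stats = defaultdict(lambda: {"pkts_out": 0, "pkts_in": 0,
                                 "bytes_out": 0, "bytes_in": 0, "dsts": set()})
    for src, dst, pkts, nbytes in flows:
        if src.startswith(INTERNAL_PREFIX):
            stats[src]["pkts_out"] += pkts
            stats[src]["bytes_out"] += nbytes
            stats[src]["dsts"].add(dst)
        if dst.startswith(INTERNAL_PREFIX):
            stats[dst]["pkts_in"] += pkts
            stats[dst]["bytes_in"] += nbytes
    return stats


def classify(flows, window_seconds=1):
    """Return {host: [labels]} for internal hosts that look loud in this window."""
    findings = {}
    for host, s in summarize(flows).items():
        labels = []
        pps_out = s["pkts_out"] / window_seconds
        pps_in = s["pkts_in"] / window_seconds
        total_pkts = max(1, s["pkts_out"] + s["pkts_in"])
        avg_pkt = (s["bytes_out"] + s["bytes_in"]) / total_pkts
        if len(s["dsts"]) >= SCAN_DST_THRESHOLD:
            labels.append("many-destinations")
        # the pattern from the post: high pps, in/out nearly equal, tiny packets
        if pps_out >= HIGH_PPS and avg_pkt < SMALL_PKT_BYTES \
                and 0.8 <= pps_in / max(1, pps_out) <= 1.25:
            labels.append("symmetric-small-packets")
        if labels:
            findings[host] = labels
    return findings
```

Running `classify(SAMPLE_FLOWS)` flags 10.0.2.20 for the symmetric small-packet pattern and 10.0.3.30 for the destination sweep, while the ordinary download on 10.0.1.10 is left alone; on a real sensor the thresholds would be tuned per distribution switch rather than taken from these constructed values.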