[81434] in North American Network Operators' Group

Re: Using snort to detect if your users are doing interesting things?

daemon@ATHENA.MIT.EDU (Christian Kuhtz)
Thu Jun 9 14:38:52 2005

Date: Thu, 09 Jun 2005 14:37:59 -0400
From: "Christian Kuhtz" <christian.kuhtz@bellsouth.com>
To: <jmedlen@sagonet.com>, "nanog" <nanog@merit.edu>
In-Reply-To: <auto-000006281914@cgpro.iccx.net>
Errors-To: owner-nanog@merit.edu

And when you do set up such an arrangement, depending on the number of rules
you turn on, you can generate truly massive volumes of data to be analyzed
by ACID or other tools.  It is relatively easy to deploy snort for large
volume, small number of rules type deployments.  Aside from scaling the
collectors and management console themselves, it can even be a challenge to
aggregate all that data in a WAN deployment.

IDS has to be aimed carefully and then fired.  And then one needs to ask
what the derived value is, and just how you’re going to deal with the info.
The latter being a magnificent operational challenge.

Or that’s at least been my experience. YMMV.

On 6/9/05 1:31 PM, "Jordan Medlen" <jmedlen@sagonet.com> wrote:

> We just finished deploying a Snort IDS system on our network. The task of
> doing so was well worth the effort, and quite a bit of effort and resources
> were needed for our deployment. Due to the fact that we have a sustained
> 5Gbps of traffic to monitor in our Tampa data center alone, a simple server
> running Snort was just not going to cut it and rather than deploying off of
> our core routers in Tampa, which would catch inbound and outbound traffic,
> we decided after our testing that placing our tap points on our core
> routers was just not going to be sufficient due to the amount of abuse we
> saw in testing between customers in our facility. We decided to build a
> single server for each of our distribution switches at all of our locations
> that would communicate to a central server running the ACID console. This
> deployment has allowed us to gather so much information about what *TRULY*
> is and has been going on, that we wonder why we didn’t do this sooner.
>
> Please keep in mind that there are many right ways to deploy an IDS system,
> however only one is really going to fit *most* of your needs initially.
> With some time, patience, and quite a bit of caffeine, you should be well
> on your way to dropping your abusive traffic on your network. Good luck to
> you!
>
> --
> Jordan Medlen
> Chief Network Engineer
> Sago Networks
>
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> Drew Weaver
> Sent: Thursday, June 09, 2005 11:46 AM
> To: nanog@merit.edu
> Subject: Using snort to detect if your users are doing interesting things?
>
> Howdy, I am not sure if this is the proper place, if not I’ve noticed you
> guys know what to do so I’ll put the fire retardant suit on now. Recently
> due to growth we have seen an influx of “different” and “interesting” types
> of characters ending up on our network. They like to do all sorts of
> things: port scan /8s, spam, set up botnets with the controllers hosted on
> my network, etc. I’m wondering what is the best way to detect people doing
> these things on my end. I realize there are methods to protect myself from
> people attacking from the outside but I’m not real sure how to pinpoint who
> is really being loud on the inside.
>
> I did have one somewhat silly question.. if you look at the statistics of a
> Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in
> (pretty much equal in/out) but hardly any bandwidth at all can anyone think
> of a single application that would mimic that behavior?
>
> Sorry if this is elementary network school knowledge.
> -Drew

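Drew's port with equal in/out pps but almost no bandwidth is a question of average packet size, and that is something you can triage straight from interface counters before reaching for a Snort sensor. The following is an added example, not code from the thread or any of its authors: it computes per-direction pps, bps and bytes per packet from two polls of IF-MIB style counters and flags high-pps, tiny-packet, symmetric ports for a closer look. The counter names, the thresholds and the sample values are assumptions; Drew's 2000 pps figure is used for the constructed sample.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    """One poll of an interface's counters (IF-MIB names; values are constructed)."""
    t: float          # poll time, seconds
    in_pkts: int      # ifHCInUcastPkts
    out_pkts: int     # ifHCOutUcastPkts
    in_octets: int    # ifHCInOctets
    out_octets: int   # ifHCOutOctets

def counter_delta(old: int, new: int, bits: int = 64) -> int:
    """Difference between two counter readings, correcting for a single wrap
    (32-bit octet counters wrap within minutes on a busy Fast Ethernet port)."""
    d = new - old
    return d if d >= 0 else d + (1 << bits)

def rates(a: Sample, b: Sample, bits: int = 64) -> dict:
    """Per-direction pps, bps and average bytes per packet between two polls."""
    dt = b.t - a.t
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    in_p = counter_delta(a.in_pkts, b.in_pkts, bits)
    out_p = counter_delta(a.out_pkts, b.out_pkts, bits)
    in_o = counter_delta(a.in_octets, b.in_octets, bits)
    out_o = counter_delta(a.out_octets, b.out_octets, bits)
    return {
        "in_pps": in_p / dt, "out_pps": out_p / dt,
        "in_bps": 8 * in_o / dt, "out_bps": 8 * out_o / dt,
        "in_avg_bytes": in_o / in_p if in_p else 0.0,
        "out_avg_bytes": out_o / out_p if out_p else 0.0,
    }

def suspicious(r: dict, min_pps: float = 1000, max_avg_bytes: float = 128,
               symmetry: float = 0.8) -> bool:
    """Flag high-pps, tiny-packet, roughly symmetric traffic for a closer look.
    Thresholds are assumed starting points, not values from the thread."""
    low, high = sorted((r["in_pps"], r["out_pps"]))
    if low < min_pps or max(r["in_avg_bytes"], r["out_avg_bytes"]) > max_avg_bytes:
        return False
    return low / high >= symmetry

# Constructed 10-second polls. DREW_*: 2000 pps each way at 64 bytes/packet,
# about 1 Mbps on a 100 Mbps port. WEB_*: the same out pps, but 1400-byte data
# packets answered by 60-byte ACKs, which is what a busy server port looks like.
DREW_T0 = Sample(0.0, 1_000_000, 1_000_000, 50_000_000, 50_000_000)
DREW_T1 = Sample(10.0, 1_020_000, 1_020_000, 51_280_000, 51_280_000)
WEB_T0 = Sample(0.0, 1_000_000, 1_000_000, 50_000_000, 50_000_000)
WEB_T1 = Sample(10.0, 1_020_000, 1_020_000, 51_200_000, 78_000_000)
```

A hit only says the port deserves a packet capture or a look at its flow records; the thread itself never says what Drew's port was actually doing.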