[81446] in North American Network Operators' Group


Re: Using snort to detect if your users are doing interesting things?

daemon@ATHENA.MIT.EDU (Nils Ketelsen)
Fri Jun 10 03:04:49 2005

Date: Fri, 10 Jun 2005 09:02:27 +0200
From: Nils Ketelsen <nils.ketelsen@kuehne-nagel.com>
To: nanog@merit.edu
In-Reply-To: <B9ECBF8D89E7684EB63FF250E8788B191195DB@BIGLOG.thenap.com>
Errors-To: owner-nanog@merit.edu



Drew Weaver wrote:

>             Howdy, I am not sure if this is the proper place; if not,
> I've noticed you guys know what to do, so I'll put the fire retardant
> suit on now. Recently, due to growth, we have seen an influx of
> "different" and "interesting" types of characters ending up on our
> network. They like to do all sorts of things: port scan /8s, spam, set up
> botnets with the controllers hosted on my network, etc. I'm wondering

There are two basic methods, I guess:

1. You search for specific patterns. For example, somebody pinging
more than n addresses in a specific time frame. If you know what you are
looking for, you can set something up to do it easily.

2. You look for something strange. You will need some kind of
statistical method then. They have a tendency to produce false positives
from time to time, so you had better look at the results closely.



> I did have one somewhat silly question.. if you look at the statistics
> of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps
> in (pretty much equal in/out) but hardly any bandwidth at all can anyone
> think of a single application that would mimic that behavior?

DNS servers?

Nils
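The two methods above, worked through as an added example (this is not code from the thread or from Nils; it is illustration only). It assumes flow records of the shape (timestamp in seconds, source IP, destination IP, protocol), the sort of thing a NetFlow export or a Snort/argus log would give you; the records used here are constructed inline. Method 1 is the pattern search: any source that touches more than n distinct destinations with ICMP inside a sliding time window. Method 2 is the statistical version: a per-source distinct-destination count compared against the population by z-score, which, as the post warns, is only as good as the population it is measured against.

```python
"""Scan detection over flow records: fixed pattern vs. statistical outlier.

Added example, not part of the original NANOG post. Flow tuples are
(time_seconds, src_ip, dst_ip, proto); all sample data below is constructed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def _constructed_flows():
    """Constructed sample: 20 ordinary hosts plus one host sweeping a /27."""
    flows = []
    for i in range(1, 21):
        src = f"10.0.0.{i}"
        # Each ordinary host talks TCP to three or four servers, every minute.
        for j in range(1, 4 + (i % 2)):
            for t in range(0, 300, 60):
                flows.append((float(t + i), src, f"192.0.2.{j}", "tcp"))
        # ...and pings one address once, so ICMP alone is not suspicious.
        flows.append((30.0 + i, src, "192.0.2.1", "icmp"))
    # 10.0.0.9 pings 32 consecutive addresses in under eight seconds.
    for k in range(32):
        flows.append((120.0 + k * 0.25, "10.0.0.9", f"198.51.100.{k}", "icmp"))
    return sorted(flows)


FLOWS = _constructed_flows()


def sweep_alerts(flows, window=60.0, threshold=20, proto="icmp"):
    """Method 1 (pattern): per source, the largest number of distinct
    destinations reached with `proto` inside any `window` seconds.
    Returns {src: peak_distinct_dsts} for sources exceeding `threshold`."""
    by_src = defaultdict(list)
    for t, src, dst, p in flows:
        if p == proto:
            by_src[src].append((t, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> occurrences currently inside the window
        left, peak = 0, 0
        for t, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event is within `window`.
            while events[left][0] < t - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[src] = peak
    return alerts


def fanout_outliers(flows, z_cut=3.0):
    """Method 2 (statistical): distinct destinations per source over the
    whole capture, flagged when more than `z_cut` population standard
    deviations above the mean. Returns {src: z_score}.

    Caveat: with a population of n hosts the largest possible z-score is
    sqrt(n-1), so a cut of 3.0 can never fire on fewer than 10 hosts, and
    any legitimately busy host (a resolver, a mail relay) scores high too.
    That is the false-positive tendency the post mentions; review the hits."""
    fanout = defaultdict(set)
    for _, src, dst, _ in flows:
        fanout[src].add(dst)
    counts = {s: len(d) for s, d in fanout.items()}
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:
        return {}
    return {s: round((c - mu) / sigma, 2)
            for s, c in counts.items() if (c - mu) / sigma > z_cut}


if __name__ == "__main__":
    print("method 1 (sweep > 20 dsts / 60 s):", sweep_alerts(FLOWS))
    print("method 2 (fan-out z > 3):", fanout_outliers(FLOWS))
```

Tightening the window to five seconds still catches the sweep here (21 of its 32 pings fall inside any five-second span), which is the knob to turn when a scanner paces itself; raising the threshold above the sweep's size, of course, silences method 1 entirely, and only the statistical method still notices the host.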

