As it was already noted, you need to be very careful about how you set your IDS up, specifically if you choose snort. Snort is a very powerful tool, when used correctly. Unfortunately, when used incorrectly, it can hose your network over completely. My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose. Tim Thor Lancelot Simon <tls@NetBSD.ORG> Sent by: owner-nanog@merit.edu 06/09/2005 11:33 AM Please respond to tls@rek.tjls.com To Drew Weaver <drew.weaver@thenap.com> cc nanog@merit.edu Subject Re: Using snort to detect if your users are doing interesting things? On Thu, Jun 09, 2005 at 11:45:54AM -0400, Drew Weaver wrote:
I'm wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I'm not real sure how to pinpoint who is really being loud on the inside.
Any IDS ought to be able to do this. The problem will be figuring out where to connect its taps, and how to provide enough capacity at those points to do so without negatively impacting your overall network performance. You should be lauded for doing this. If all providers did it the Internet would be a much, much safer place.
I did have one somewhat silly question.. if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all can anyone think of a single application that would mimic that behavior?
VoIP with a low-rate codec, or some quantitatively similar multimedia or gaming application? -- Thor Lancelot Simon tls@rek.tjls.com "The inconsistency is startling, though admittedly, if consistency is to be abandoned or transcended, there is no problem." - Noam Chomsky