As it was already noted, you need to be very careful about how you set your IDS up, specifically if you choose snort.
Snort is a very powerful tool, when used correctly.  Unfortunately, when used incorrectly, it can hose your network over

completely.

My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network.
Take the time to learn and understand its functionality and intended purpose.

Tim



Thor Lancelot Simon <tls@NetBSD.ORG>
Sent by: owner-nanog@merit.edu

06/09/2005 11:33 AM
Please respond to
tls@rek.tjls.com

To
Drew Weaver <drew.weaver@thenap.com>
cc
nanog@merit.edu
Subject
Re: Using snort to detect if your users are doing interesting things?






On Thu, Jun 09, 2005 at 11:45:54AM -0400, Drew Weaver wrote:
> I'm wondering what is the best way to detect people doing these things
> on my end. I realize there are methods to protect myself from people
> attacking from the outside but I'm not real sure how to pinpoint who is
> really being loud on the inside.

Any IDS ought to be able to do this.  The problem will be figuring out
where to connect its taps, and how to provide enough capacity at those
points to do so without negatively impacting your overall network
performance.

You should be lauded for doing this.  If all providers did it the
Internet would be a much, much safer place.

> I did have one somewhat silly question.. if you look at the statistics
> of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps
> in (pretty much equal in/out) but hardly any bandwidth at all can anyone
> think of a single application that would mimic that behavior?

VoIP with a low-rate codec, or some quantitatively similar multimedia
or gaming application?

--
Thor Lancelot Simon                                                       tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
abandoned or transcended, there is no problem."                                  - Noam Chomsky