We just finished deploying a Snort IDS system
on our network. The task of doing so was well worth the effort, and quite a bit
of effort and resources were needed for our deployment. Due to the fact that we
have a sustained 5Gbps of traffic to monitor in our Tampa data center alone, a
simple server running Snort was just not going to cut it. Rather than
deploying off of our core routers in Tampa, which would catch inbound and
outbound traffic, we decided after our testing that placing our tap points on
our core routers was just not going to be sufficient, due to the amount of abuse
we saw in testing between customers in our facility. We decided to build a
single server for each of our distribution switches at all of our locations
that would communicate with a central server running the ACID console. This
deployment has allowed us to gather so much information about what *TRULY* is and has been going on that we
wonder why we didn't do this sooner.
Please keep in mind that there are many
right ways to deploy an IDS system; however, only one is really going to fit *most* of your needs initially. With some
time, patience, and quite a bit of caffeine, you should be well on your way to dropping
the abusive traffic on your network. Good luck to you!
--
Jordan Medlen
Chief Network Engineer
Sago Networks
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Drew Weaver
Sent: Thursday, June 09, 2005 11:46 AM
To: nanog@merit.edu
Subject: Using snort to detect if your users are doing interesting things?
Howdy, I am not sure if this is the proper place; if not, I've noticed you
guys know what to do, so I'll put the fire retardant suit on now. Recently,
due to growth, we have seen an influx of "different" and
"interesting" types of characters ending up on our network. They
like to do all sorts of things: port scan /8s, spam, set up botnets with the
controllers hosted on my network, etc. I'm wondering what is the best
way to detect people doing these things on my end. I realize there are methods
to protect myself from people attacking from the outside, but I'm not really
sure how to pinpoint who is really being loud on the inside.
I did have one somewhat
silly question: if you look at the statistics of a Fast Ethernet port, and it
is doing both 2000 pps out and 2000 pps in (pretty much equal in/out) but
hardly any bandwidth at all, can anyone think of a single application that would
mimic that behavior?
Sorry if this is elementary network school knowledge.
-Drew
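The two questions in this thread are "which of *our* hosts is being loud" (Drew's post) and "what do you do with the alerts once a per-switch Snort sensor is feeding them somewhere central" (Jordan's deployment). The script below is an added example written for this page; it is not code from either poster, from NANOG, or from the Snort project. It parses Snort's alert_fast output line format, keeps only alerts whose source address falls inside a hypothetical customer prefix (10.0.0.0/8), and ranks those sources by how many distinct destinations they touched, the shape a /8 sweep leaves behind. The rule IDs (1:1000001 and friends, in the local-rule SID range) and the sample log lines are constructed for the example and are not real signatures or real traffic. A small helper at the end turns an interface's pps and bps counters into an implied average packet size, which is the arithmetic behind the "lots of packets, almost no bandwidth" observation in the second question.

```python
"""Rank internal hosts by how 'loud' they are in a Snort alert_fast log.

Added example for this thread, not code from the posters or from Snort.
Assumes Snort's alert_fast line format and a hypothetical customer prefix
10.0.0.0/8. The SIDs (1:100000x) and the sample alert lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Snort alert_fast layout:
# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:sport] -> dst[:dport]
# Ports are optional so ICMP alerts (no ports) still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # hypothetical customer space

# Constructed sample: 10.1.2.3 sweeps five hosts on tcp/22 (scanner shape),
# 10.9.9.9 repeats one flow to an IRC port, 198.51.100.4 is an external
# source and must be excluded, and the last line is junk that must be skipped.
SAMPLE_LOG = """\
06/09-11:46:01.000001  [**] [1:1000001:1] LOCAL outbound SYN to tcp/22 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:40001 -> 203.0.113.1:22
06/09-11:46:01.000002  [**] [1:1000001:1] LOCAL outbound SYN to tcp/22 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:40002 -> 203.0.113.2:22
06/09-11:46:01.000003  [**] [1:1000001:1] LOCAL outbound SYN to tcp/22 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:40003 -> 203.0.113.3:22
06/09-11:46:01.000004  [**] [1:1000001:1] LOCAL outbound SYN to tcp/22 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:40004 -> 203.0.113.4:22
06/09-11:46:01.000005  [**] [1:1000001:1] LOCAL outbound SYN to tcp/22 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.3:40005 -> 203.0.113.5:22
06/09-11:46:02.000001  [**] [1:1000002:1] LOCAL IRC traffic from customer host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.9.9.9:51000 -> 192.0.2.10:6667
06/09-11:46:02.000002  [**] [1:1000002:1] LOCAL IRC traffic from customer host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.9.9.9:51000 -> 192.0.2.10:6667
06/09-11:46:03.000001  [**] [1:1000003:1] LOCAL inbound SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:3333 -> 10.5.5.5:22
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "prio"):
        d[k] = int(d[k]) if d[k] else None
    return d


def rank_internal_sources(log_text, internal=INTERNAL, scan_threshold=5):
    """Aggregate alerts whose SOURCE lies inside `internal` and rank them.

    Only the outbound direction is kept: the question is which of our own
    hosts is noisy, not who is attacking us from outside.
    """
    stats = defaultdict(lambda: {"alerts": 0, "dsts": set(), "dports": set(), "sigs": set()})
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None or ipaddress.ip_address(a["src"]) not in internal:
            continue
        s = stats[a["src"]]
        s["alerts"] += 1
        s["dsts"].add(a["dst"])
        if a["dport"] is not None:
            s["dports"].add(a["dport"])
        s["sigs"].add(f'{a["gid"]}:{a["sid"]}')
    report = [
        {
            "src": src,
            "alerts": s["alerts"],
            "distinct_dsts": len(s["dsts"]),
            "distinct_dports": len(s["dports"]),
            "sigs": sorted(s["sigs"]),
            # one source touching many destinations is the sweep/scan shape
            "scanner": len(s["dsts"]) >= scan_threshold,
        }
        for src, s in stats.items()
    ]
    report.sort(key=lambda r: (r["distinct_dsts"], r["alerts"]), reverse=True)
    return report


def avg_packet_bytes(bits_per_second, packets_per_second):
    """Average on-wire packet size implied by an interface's bps and pps counters."""
    if packets_per_second == 0:
        return 0.0
    return bits_per_second / 8 / packets_per_second


if __name__ == "__main__":
    for row in rank_internal_sources(SAMPLE_LOG):
        print(row)
    # 2000 pps in each direction at about 1 Mbit/s works out to ~62 bytes/packet
    print(avg_packet_bytes(1_000_000, 2000))
```

Feed it a real alert_fast file with `rank_internal_sources(open(path).read())` and adjust `INTERNAL` to the prefixes behind the distribution switch the sensor sits on; the same ranking is easy to rebuild as a query against the ACID/Snort database once the sensors are logging centrally. The `avg_packet_bytes` helper is only the arithmetic: at 2000 pps with almost no bandwidth the average frame comes out close to the minimum Ethernet size, which is what any small-packet chatter looks like on a port counter, and the helper deliberately does not guess which application is responsible.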