North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Using snort to detect if your users are doing interesting things?

  • From: Sam Hayes Merritt, III
  • Date: Thu Jun 09 11:59:24 2005

I'm wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I'm not real sure how to pinpoint who is really being loud on the inside.
One of the best things we did was setup a snort box with barnyard logging to a mysql server. The snort box has an IP out of each ARIN allocation we have.

On a schedule, we purge the logs in the mysql server that did not come from our IP space and if there are X number of things from one of our IPs, open an abuse ticket which then looks up what type of connection that IP is and finds the specific user. Its then a manual process to hit a 'turn off and note their account' button or notify a downstream ISP.

This setup appears to catch a ton of the worms that scan a /8. I'm sure there is probably a better way of doing this, but without throwing a box at each network access point or better utilizing cflow, I couldn't come up with it.