List: novalug
Subject: Re: [novalug] suspected suspicious network activity
From: "John Meagher" <jmeagher () patriot ! net>
Date: 2004-03-29 23:39:04
Message-ID: 005001c415e7$086bfce0$3c00a8c0 () JMEAGHERHOME
----- Original Message -----
From: "Chris Sanner [Hitchhiker]" <hitch@propheteer.org>
> but I'm getting a lot of warnings and results that indicate that our
> network is being hammered after hours and over weekends.
> it's possible that this is "legitimate" traffic - people do tend to
> move some huge files around - but it's causing our network monitor to
> throw off alerts like crazy when "dig" on our dns server takes over ten
> seconds to respond, or ping times on some of our switches does the
> same.
First thing I would do is ping around and find out just where it's
getting hammered.
--Is the slow response just for queries the DNS has to send outside over
a congested WAN or is the DNS itself slow?
--Which other servers are slow and where is most of the traffic going?
--Which ports are carrying the heavy traffic?
--Do you have a firewall with vpn features? You might be able to get a
report on traffic per user.
> I wouldn't suspect anything but a poor network setup, except this NEVER
> happens during the day, when we're all using the systems for our work -
> only overnight or over the weekends.
One thing that could cause some congestion on off hours is backups.
> Is there any way I can set up
> something like snort to give me the TIMES of the events it's logging
> or any other way to check on this to let me see what's corresponding to
> these messages?
If you're getting snort output, I think time tags are the default.
> I don't want to run a sniffer on our firewall system overnight - I'd
> fill the disk, among other things - any suggestions?
Run ethereal on another machine and connect it through a hub (e.g.
netgear EN104, -not a switch-) to the segment you want to monitor.
> any at all would
> be helpful (though we don't have any systems I can take offline and
> do a thorough forensic analysis on...)
> --
_______________________________________________
novalug mailing list
novalug@tux.org
http://www.tux.org/mailman/listinfo/novalug
for subscribe/unsubscribe see web page
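A small probe, added here as an example and not part of the thread, that does the first thing John suggests: it records timestamped DNS response times for a non-recursive query of a locally held name (is the DNS itself slow?) and for a recursive query that must go out over the WAN, then tallies replies slower than the ten seconds mentioned above by business versus off hours. The server address 192.0.2.53 and the two query names are placeholders.

```python
import socket, struct, time
from datetime import datetime

SLOW_SECONDS = 10.0  # the thread's threshold: dig taking over ten seconds

def build_dns_query(name, txn_id=0x1234, recursion=True):
    """Minimal A query; RD=0 asks only for data the server holds itself."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100 if recursion else 0, 1, 0, 0, 0)
    labels = [part.encode() for part in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def time_dns_query(server, name, recursion=True, timeout=15.0):
    """Seconds until the server answers over UDP/53, or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    query = build_dns_query(name, recursion=recursion)
    start = time.monotonic()
    try:
        sock.sendto(query, (server, 53))
        sock.recvfrom(512)
        return time.monotonic() - start
    except socket.timeout:
        return None
    finally:
        sock.close()

def is_off_hours(ts):
    """Weekend, or outside 08:00-18:00: when the poster sees the hammering."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18

def summarize(samples, slow=SLOW_SECONDS):
    """samples: (timestamp, probe_label, seconds or None) -> {(label, off_hours): (slow, total)}"""
    out = {}
    for ts, label, secs in samples:
        key = (label, is_off_hours(ts))
        slow_n, total = out.get(key, (0, 0))
        out[key] = (slow_n + (secs is None or secs > slow), total + 1)
    return out

if __name__ == "__main__":  # one round of probes; run it from cron to build a timeline
    now = datetime.now()
    probes = [("local-norec", "intranet.example", False), ("wan-rec", "www.example.com", True)]
    for label, name, rd in probes:
        secs = time_dns_query("192.0.2.53", name, recursion=rd)  # placeholder DNS server
        print(now.strftime("%Y-%m-%d %H:%M:%S"), label, "timeout" if secs is None else f"{secs:.3f}s")
```

If only the wan-rec probe is slow off hours while local-norec stays fast, the DNS server is fine and the congestion is on the WAN path.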