
List:       novalug
Subject:    Re: [novalug] suspected suspicious network activity
From:       "John Meagher" <jmeagher () patriot ! net>
Date:       2004-03-29 23:39:04
Message-ID: 005001c415e7$086bfce0$3c00a8c0 () JMEAGHERHOME


----- Original Message ----- 
From: "Chris Sanner [Hitchhiker]" <hitch@propheteer.org>
> but I'm getting a lot of warnings and results that indicate that our
> network is being hammered after hours and over weekends.
> it's possible that this is "legitimate" traffic - people do tend to
> move some huge files around - but it's causing our network monitor to
> throw off alerts like crazy when "dig" on our dns server takes over ten
> seconds to respond, or ping times on some of our switches do the
> same.

First thing I would do is ping around and find out just where it's
getting hammered.
--Is the slow response just for queries the DNS has to send outside over
a congested WAN or is the DNS itself slow?
--Which other servers are slow and where is most of the traffic going?
--Which ports are carrying the heavy traffic?
--Do you have a firewall with vpn features?  You might be able to get a
report on traffic per user.

> I wouldn't suspect anything but a poor network setup, except this NEVER
> happens during the day, when we're all using the systems for our work -
> only overnight or over the weekends.

One thing that could cause some congestion on off hours is backups.

> Is there any way I can set up
> something like snort to give me the TIMES of the events it's logging
> or any other way to check on this to let me see what's corresponding to
> these messages?

If you're getting snort output, I think time tags are the default.

> I don't want to run a sniffer on our firewall system overnight - I'd
> fill the disk, among other things - any suggestions?

Run ethereal on another machine and connect it through a hub (e.g.
netgear EN104, -not a switch-) to the segment you want to monitor.

> any at all would
> be helpful (though we don't have any systems I can take offline and
> do a thorough forensic analysis on...)
> -- 


_______________________________________________
novalug mailing list
novalug@tux.org
http://www.tux.org/mailman/listinfo/novalug
for subscribe/unsubscribe see web page
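The "ping around and find out where it's getting hammered" step above, and the wish for timestamps that can be lined up with the monitor's alerts, can be covered with a small logger left running overnight on a spare box. The script below is an added example for this thread, not something either poster wrote: it times a `dig` against the DNS server and a `ping` to a switch every few minutes and appends a timestamped line, flagging samples that exceed a threshold. The DNS server and switch addresses, the query name `example.com`, the log path and the threshold are placeholders to be replaced with your own values.

```shell
#!/bin/sh
# Timestamped DNS / ping latency logger (added example, not from the thread).
# Each sample writes one line such as:
#   2004-03-29 23:40:01 dns=12ms ping=0.655ms
#   2004-03-30 02:15:01 dns=timeout ping=2300ms SLOW
# so slow periods can be matched against the times in snort's alerts.

DNS_SERVER="${DNS_SERVER:-127.0.0.1}"   # assumed: address of your DNS server
SWITCH="${SWITCH:-192.0.2.1}"           # assumed: a switch to ping (placeholder)
QUERY_NAME="${QUERY_NAME:-example.com}" # assumed: name to resolve each sample
INTERVAL="${INTERVAL:-300}"             # seconds between samples
LOG="${LOG:-/var/log/latency.log}"      # assumed log location
THRESHOLD_MS="${THRESHOLD_MS:-2000}"    # mark a sample SLOW above this

# Read dig output on stdin and print the "Query time" value in msec.
# dig only prints that line when it got an answer, so print "timeout"
# when it is absent (e.g. ";; connection timed out; no servers could be reached").
dig_query_ms() {
    awk '/^;; Query time:/ { print $4; found = 1 }
         END { if (!found) print "timeout" }'
}

# Read ping output on stdin and print the average RTT in ms from the summary
# line, which is "rtt min/avg/max/mdev = a/b/c/d ms" on Linux and
# "round-trip min/avg/max/stddev = a/b/c/d ms" on BSD; the avg is field 7
# when splitting on spaces, slashes and "=".
ping_avg_ms() {
    awk -F'[ /=]+' '/min\/avg\/max/ { print $7; found = 1 }
         END { if (!found) print "timeout" }'
}

# Succeed (exit 0) when a measurement is slow: a timeout, or above threshold.
is_slow() {   # $1 = ms value or "timeout", $2 = threshold in ms
    [ "$1" = "timeout" ] && return 0
    awk -v v="$1" -v t="$2" 'BEGIN { exit !(v + 0 > t + 0) }'
}

# Take one sample and print the log line.
sample_once() {
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    dns=$(dig @"$DNS_SERVER" +time=5 +tries=1 "$QUERY_NAME" 2>/dev/null | dig_query_ms)
    png=$(ping -c 3 "$SWITCH" 2>/dev/null | ping_avg_ms)
    mark=""
    if is_slow "$dns" "$THRESHOLD_MS" || is_slow "$png" "$THRESHOLD_MS"; then
        mark=" SLOW"
    fi
    printf '%s dns=%sms ping=%sms%s\n' "$ts" "$dns" "$png" "$mark"
}

# Sample forever, appending to the log.
monitor() {
    while :; do
        sample_once >> "$LOG"
        sleep "$INTERVAL"
    done
}

# Only start the loop when invoked as:  sh latency.sh run
# (sourcing the file just defines the functions).
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Start it in the evening with `nohup sh latency.sh run &` and in the morning `grep SLOW /var/log/latency.log` gives the minutes to look up in the snort log; if the ping to the switch stays fast while dig is slow, the DNS box itself (or the WAN it forwards to) is the bottleneck rather than the LAN segment.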