[nsp] Detecting hacked boxes on switch
Jared Mauch
jared at puck.nether.net
Tue Jul 1 11:27:44 EDT 2003
What you probably want to do is take your existing snmp polling
for graphs on a machine and create some backend that processes the
data and determines if a host is outside its normal operating
bit (or packet) rate.
i.e. anomaly detection. Know that some people have a low bitrate
of 256k and don't go over it except in one or two rare cases when downloading
large files.
I'm working on a feature for my system + network monitoring
software (free, gpl) sysmon (sysmon.org) that will do this.
It allows you to specify an snmp counter (or oid) and the
rate/second at which it should increment. You could then trigger based on
a higher or lower than usual rate and have it send email to your
pager, cell or similar ..
I believe there are also programs that will do this with your MRTG
and RRD data as well.
- jared
On Tue, Jul 01, 2003 at 09:27:19AM -0400, James hampton wrote:
> Our bandwidth meters are maxing out on an incoming link to our provider, this usually means one of our boxes has been hacked and someone's pushing a bunch of mp3's or whatever onto one of our boxes. Most of our servers are connected to one of two switches, is there any way I can look at switchport utilization or some other method on the switch to help narrow down or identify which box is being hacked?
> James
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
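The backend Jared describes (take counter samples an SNMP poller already collects, turn them into a per-second rate, and flag a port whose rate is above a fixed expected rate or well outside its own recent baseline) is sketched below as an added example. This is not sysmon's code and not from the original mail; the port names, the 300-second poll interval and the counter values are constructed, and the fixed limit and the mean-plus-3-sigma baseline rule are assumptions chosen for illustration.

```python
"""Rate-based anomaly check over SNMP interface counters (constructed example).

Assumptions (not from the original mail): an SNMP poller has already stored
(timestamp_seconds, counter_value) pairs per switch port, taken from the IF-MIB
ifInOctets (1.3.6.1.2.1.2.2.1.10) / ifOutOctets (1.3.6.1.2.1.2.2.1.16) columns.
Those are 32-bit counters that wrap at 2**32, which is handled below.
"""
from statistics import mean, pstdev

COUNTER32_MAX = 2 ** 32


def counter_rate(prev, cur, interval_s, max_value=COUNTER32_MAX):
    """Per-second increment between two samples, tolerating one counter wrap."""
    if interval_s <= 0:
        raise ValueError("poll interval must be positive")
    delta = cur - prev
    if delta < 0:                      # counter wrapped between the two polls
        delta += max_value
    return delta / interval_s


def rates_from_samples(samples, units_per_count=8, max_value=COUNTER32_MAX):
    """samples: [(t, counter), ...] -> [(t, rate)].

    units_per_count=8 converts octets to bits/sec; use 1 for packet counters.
    """
    return [
        (t1, counter_rate(c0, c1, t1 - t0, max_value) * units_per_count)
        for (t0, c0), (t1, c1) in zip(samples, samples[1:])
    ]


def check_rate(current, history, fixed_limit=None, k=3.0):
    """Return (flagged, reason).

    Two rules: a fixed 'should not exceed' rate (Jared's configured
    rate/second), and a baseline rule that fires when the current rate is
    more than k standard deviations above the mean of the port's history.
    """
    reasons = []
    if fixed_limit is not None and current > fixed_limit:
        reasons.append(f"above fixed limit {fixed_limit:.0f}")
    if len(history) >= 2:
        mu, sigma = mean(history), pstdev(history)
        if current > mu + k * sigma:
            reasons.append(f"above baseline {mu:.0f} + {k:g}*{sigma:.0f}")
    return bool(reasons), "; ".join(reasons)


def scan_ports(port_samples, fixed_limit=None, k=3.0, units_per_count=8):
    """port_samples: {ifDescr: [(t, counter), ...]} -> [(port, rate, reason)]."""
    flagged = []
    for port, samples in port_samples.items():
        rates = [r for _, r in rates_from_samples(samples, units_per_count)]
        if len(rates) < 3:             # not enough history for a baseline
            continue
        history, current = rates[:-1], rates[-1]
        hit, why = check_rate(current, history, fixed_limit, k)
        if hit:
            flagged.append((port, current, why))
    return flagged


# Constructed ifOutOctets samples, polled every 300 s. Fa0/1 sits near 256 kbit/s
# and its counter wraps between the first two polls; Fa0/2 is quiet for four
# intervals and then pushes 3 GB in five minutes (80 Mbit/s).
SAMPLE_PORTS = {
    "FastEthernet0/1": [
        (0, 4_290_000_000), (300, 4_632_704), (600, 14_532_704),
        (900, 23_832_704), (1200, 33_582_704), (1500, 43_182_704),
    ],
    "FastEthernet0/2": [
        (0, 1_000_000), (300, 10_600_000), (600, 20_200_000),
        (900, 30_100_000), (1200, 39_400_000), (1500, 3_039_400_000),
    ],
}

if __name__ == "__main__":
    for port, rate, why in scan_ports(SAMPLE_PORTS, fixed_limit=1_000_000):
        print(f"{port}: {rate / 1e6:.1f} Mbit/s ({why})")
```

The fixed limit catches the case James describes (a server that should never push more than a modest rate suddenly saturating the uplink) and the baseline rule catches a host whose "normal" is higher but whose current rate is still far outside its own history; real deployments would keep more than five intervals of history and tune k per port.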