[c-nsp] OT: Recommendations for IDS / border router monitoring
Roger Weeks
rjw at mcn.org
Wed May 18 14:26:14 EDT 2005
Greetings all -

If you've read any of my posts before, you know I work for a small ISP. We have approximately 300 DSL customers, we do web hosting, email, a few colocated boxes, some ISDN customers, and a lot of remaining rural dialup users.

I've been here about 8 months now. In that time we've done a lot to upgrade server and network infrastructure from the mess it was before, and have vastly improved our reliability.

Our upstream ISP connection moved from multiple T1s to a DS3. The fiber is also where we terminate our DSL customers on a Cisco 7206VXR using RBE.

I currently use Cacti to monitor bandwidth utilization for all of our servers and network connections, including all of our DSL customers.

I'm looking for recommendations on what to do for intrusion detection, but also for monitoring bandwidth usage so I can have some idea of what causes, say, a traffic spike during the middle of the day.

Being inclined towards open source, my first thoughts are to look at Snort for IDS and NetFlow with FlowScan, flow-tools and CUFlow or JKFlow.

However, my previous experience with Snort has been less than stellar. It obviously works, but getting usable data from it seems to be like pulling teeth.

My question for list members - what are you using? How do you get notified if your bandwidth usage suddenly spikes by 2 Mb over a normal average? What do you use for IDS? Does it give you usable data, or are you just overloaded with false positives?

Lastly, when you're presented with some sort of evil traffic - DoS, worms, zombies, directory harvests, etc. - what are you using to get notified that something bad is happening?

Thanks for any advice or pointers.
--
Roger J. Weeks
Systems & Network Administrator
Mendocino Community Network
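The "notify me when usage spikes 2 Mb over the normal average" question above is usually answered by putting a small baseline check in front of the same interface counters Cacti already polls. The following is an added illustration written for this page, not code from the original post or from Cacti, Snort or flow-tools. It assumes 32-bit SNMP ifInOctets-style samples polled every 300 seconds (the `Sample` type, the window size and the sample values are all constructed for the example) and shows the two pieces a practitioner wants: a rate computation that survives a counter wrap, and a rolling-average baseline that raises an alert only when the current rate exceeds that baseline by more than a configurable margin.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTER32_MAX = 2 ** 32  # ifInOctets is a 32-bit counter and wraps back to zero


@dataclass
class Sample:
    ts: int       # unix seconds at poll time
    octets: int   # cumulative counter value, as returned by the device


def rate_bps(prev: Sample, cur: Sample) -> float:
    """Bits per second between two cumulative samples, tolerating one counter wrap."""
    delta = cur.octets - prev.octets
    if delta < 0:                 # counter wrapped between polls
        delta += COUNTER32_MAX
    return delta * 8 / (cur.ts - prev.ts)


class SpikeDetector:
    """Rolling-average baseline with an absolute 'spike above baseline' threshold."""

    def __init__(self, window: int = 12, threshold_bps: float = 2_000_000):
        self.window = window                  # number of intervals in the baseline
        self.threshold = threshold_bps        # e.g. 2 Mb/s above normal
        self.rates: deque = deque(maxlen=window)
        self.prev: Optional[Sample] = None

    def baseline(self) -> Optional[float]:
        return sum(self.rates) / len(self.rates) if self.rates else None

    def observe(self, s: Sample) -> Optional[Tuple[float, Optional[float], bool]]:
        """Feed one poll; returns (rate, baseline, alert) or None for the first sample."""
        if self.prev is None:
            self.prev = s
            return None
        rate = rate_bps(self.prev, s)
        self.prev = s
        base = self.baseline()
        # Alert only once the baseline window is full, so warm-up polls never alert.
        alert = (base is not None and len(self.rates) == self.window
                 and rate - base > self.threshold)
        if not alert:
            # Spikes are kept out of the baseline so a sustained spike keeps alerting
            # instead of quietly becoming the new "normal".
            self.rates.append(rate)
        return rate, base, alert


def make_samples(rates_mbps: List[float], start_octets: int,
                 interval: int = 300) -> List[Sample]:
    """Constructed test data: per-interval Mb/s rates turned into wrapping counter values."""
    samples = [Sample(0, start_octets)]
    octets = start_octets
    for i, mbps in enumerate(rates_mbps, start=1):
        octets = (octets + int(mbps * 1_000_000 * interval / 8)) % COUNTER32_MAX
        samples.append(Sample(i * interval, octets))
    return samples


def run_demo() -> List[Tuple[float, Optional[float], bool]]:
    """Five quiet intervals at 1 Mb/s, one 4 Mb/s spike, then back to 1.2 Mb/s."""
    # Start just below the wrap point so the first interval exercises the wrap handling.
    samples = make_samples([1.0, 1.0, 1.0, 1.0, 1.0, 4.0, 1.2],
                           start_octets=COUNTER32_MAX - 10_000_000)
    det = SpikeDetector(window=4, threshold_bps=2_000_000)
    results = []
    for s in samples:
        out = det.observe(s)
        if out is not None:
            results.append(out)
    return results


if __name__ == "__main__":
    for rate, base, alert in run_demo():
        print(f"rate={rate/1e6:.2f} Mb/s baseline={'n/a' if base is None else f'{base/1e6:.2f}'} "
              f"{'ALERT' if alert else ''}")
```

The same `observe` loop can be driven from whatever feeds Cacti (an SNMP poller) or from per-interface totals summarised out of flow-tools exports; the detector itself only needs timestamped counter values. The threshold here is absolute, matching the "2 Mb over normal" phrasing in the question; on a busier link a percentage-of-baseline threshold is the usual variation.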