University Effectively Using Anomaly Detection
At one point a science department was sending 30Mb data streams at rates of up to 3Gb per hour. The traffic turned out to be a geographic database exchange with the University of Kansas, an entirely acceptable academic use; the anomaly was in volume, not in intent, and it was cleared once someone looked at who the peer was.
Sometimes UNB helps other organizations understand the nature of new attacks. Recently, for example, the university detected a bot that was probing ports across a particular IP address range, behavior it had not seen before. It began working with the SANS Institute to correlate reports and gather information. The administrators then added parameters to QRadar so that it flags this bot's traffic, and infected hosts are cleaned up as soon as it appears.
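The two situations above, a legitimate bulk transfer to a single peer and a bot probing ports across one address range, can be separated at the flow level. The following is an added example, not code from the article and not QRadar's rule language: it runs a port-polling check and a volume check over constructed NetFlow-style records. The record layout, thresholds, addresses and port numbers are all assumptions chosen for illustration.

```python
"""Flow-level separation of a port-polling bot from a high-volume bulk transfer.

Added example, not the article's or QRadar's code. Records are
(src, dst, dst_port, bytes); thresholds and addresses are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # Bulk data exchange with one peer: 100 x 30 MB, a single destination and port.
    *[("10.5.1.20", "192.0.2.10", 22, 30_000_000) for _ in range(100)],
    # Bot probing the same few ports on every host of one /24, tiny flows.
    *[("10.7.3.44", f"198.51.100.{h}", p, 60)
      for h in range(1, 61) for p in (135, 139, 445, 3127)],
    # Ordinary client traffic: few destinations, few ports.
    ("10.5.1.21", "203.0.113.5", 443, 12_000),
    ("10.5.1.21", "203.0.113.9", 80, 4_500),
]


def summarize(flows):
    """Per-source distinct destinations, distinct ports, total bytes and flow count."""
    per_src = defaultdict(lambda: {"dsts": set(), "ports": set(), "bytes": 0, "flows": 0})
    for src, dst, port, nbytes in flows:
        s = per_src[src]
        s["dsts"].add(dst)
        s["ports"].add(port)
        s["bytes"] += nbytes
        s["flows"] += 1
    return per_src


def densest_subnet(dsts, prefix=24):
    """Return (network, share): the /prefix holding the largest share of destinations."""
    counts = defaultdict(int)
    for d in dsts:
        counts[ip_network(f"{d}/{prefix}", strict=False)] += 1
    net, n = max(counts.items(), key=lambda kv: kv[1])
    return net, n / len(dsts)


def find_pollers(flows, min_hosts=20, min_ports=3, max_avg_bytes=1000, min_subnet_share=0.8):
    """Sources touching many hosts and several ports with small flows, concentrated in one range.

    A bulk transfer fails the host count; a scanner of the whole Internet
    fails the subnet-concentration test; the article's "bot polling ports
    across an address range" passes all four (thresholds are assumptions).
    """
    hits = {}
    for src, s in summarize(flows).items():
        avg_bytes = s["bytes"] / s["flows"]
        if len(s["dsts"]) < min_hosts or len(s["ports"]) < min_ports or avg_bytes > max_avg_bytes:
            continue
        net, share = densest_subnet(s["dsts"])
        if share >= min_subnet_share:
            hits[src] = {"hosts": len(s["dsts"]), "ports": sorted(s["ports"]), "range": str(net)}
    return hits


def top_talkers(flows, min_bytes=1_000_000_000):
    """Sources above a raw byte threshold. Volume alone needs a human to judge intent."""
    return {src: s["bytes"] for src, s in summarize(flows).items() if s["bytes"] >= min_bytes}


if __name__ == "__main__":
    print("port pollers:", find_pollers(SAMPLE_FLOWS))
    print("top talkers: ", top_talkers(SAMPLE_FLOWS))
```

The bulk transfer shows up only in `top_talkers`, which is the kind of alert the Kansas exchange would have raised and an analyst would close as legitimate after checking the peer. The bot is the only source that `find_pollers` returns, and the `range` field records the /24 it was sweeping, which is the detail worth passing on when correlating reports with another organization.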
The MyDoom worm was detected several weeks ago and cleaned off the affected servers within hours. "A quick response is important," Jacobs says.
No network engineer today would be without Sniffer on a local area network. In Jacobs' view, "The next thing is that no network engineer should be without QRadar for watching the wide area network."