"We would phone the student to talk about it," Jacobs says.

One time a science department was sending 30Mb streams of data at the rate of up to 3Gb per hour. It turned out they were doing a geographic database exchange with the University of Kansas, a very acceptable academic use.

Sometimes UNB helps other organizations understand the nature of new attacks. Recently, for example, the university detected a bot that was polling ports across a certain IP address range, behavior not seen before. It began working with the SANS Institute to correlate reports and gather information. The administrators added parameters to QRadar to search for this bot and, when it appears, clean it up.

The MyDoom attack was detected several weeks ago and cleaned off several affected servers within hours. "A quick response is important," Jacobs says.

Jacobs' favorite view is one showing categories of observed traffic such as: Mostly In, Mostly Out, Out Only, In Only. If a machine is sending 500 or 1,000 packets out and getting no response, it is either a badly written program or malicious code. And if similar traffic is coming in only, "something is going on that should not be," Jacobs says. It gets cleaned up.

No network engineer today would be without Sniffer on a local area network. In Jacobs' view, "The next thing is that no network engineer should be without QRadar for watching the wide area network."