Security Incidents mailing list archives
Re: Full Plate of Crow
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Thu, 02 Aug 2001 07:09:58 +1200
On Wed, 01 Aug 2001 11:52:09 -0400 Chris Brenton <cbrenton () altenet com> wrote:
Alfred Huger wrote: A lot of the people mailing me last night and this morning were sending firewall logs, not IDS logs.
I'm one of them.
Agreed again. No packet decode, no confirmed hit. Otherwise we'll be looking at greatly skewed numbers. Using that criterion I could claim 14K+ Code Red-infected systems back in April (oh wait, Code Red was not even around yet... ;).
I also agree that we can not be certain that these are CR probes without IDS fingerprints. That said, my data (from argus logs) measuring SYN packets to non-existent/firewalled machines shows an exponential increase starting at midnight UTC, and now I am seeing over 40,000 individual IPs probing on port 80. Starting at ^:35 (UTC + 1200) I am also seeing hits on the snort .ida rules (70 in the last half hour). All very odd!!

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
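The measurement Russell describes (distinct source IPs sending unanswered SYNs to port 80 at addresses with no live host, bucketed over time to see the curve) is easy to reproduce over flow logs. The script below is an added illustration and is not code from the thread or from argus; it reads a constructed, simplified flow layout (argus's real `ra` output has different columns), treats `SYN` as "SYN seen, no reply", uses 192.0.2.0/25 as an assumed dark/firewalled prefix, and applies a crude doubling-per-hour test as the "exponential increase" trigger. As the thread stresses, a rising count is a reason to go look at IDS decodes, not proof of any particular worm.

```python
"""Count distinct hosts sending unanswered SYNs to port 80 at unused
addresses, bucketed by hour, from flow-log lines.  Added illustration of
the approach described in the message above; the log format below is a
constructed, simplified argus-like layout, not argus's real output."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample: start time (UTC), proto, src ip, src port, dst ip, dst port, state.
# "SYN" marks a flow where only a SYN was seen (no reply).  Sample data, not real logs.
SAMPLE_FLOWS = """\
2001-08-01 22:10:03 tcp 203.0.113.5 4021 192.0.2.17 80 SYN
2001-08-01 22:40:11 tcp 203.0.113.9 3311 192.0.2.200 80 SYN
2001-08-01 23:05:44 tcp 198.51.100.7 1044 192.0.2.40 80 SYN
2001-08-01 23:15:01 tcp 198.51.100.8 1045 192.0.2.41 80 SYN
2001-08-01 23:20:09 tcp 198.51.100.8 1046 192.0.2.42 80 SYN
2001-08-01 23:30:12 tcp 203.0.113.9 3312 192.0.2.43 80 SYN
2001-08-01 23:31:12 tcp 203.0.113.77 3312 192.0.2.44 80 SYN
2001-08-01 23:50:00 tcp 203.0.113.5 4022 192.0.2.1 80 EST
2001-08-02 00:02:00 tcp 203.0.113.10 2001 192.0.2.50 80 SYN
2001-08-02 00:03:00 tcp 203.0.113.11 2001 192.0.2.51 80 SYN
2001-08-02 00:04:00 tcp 203.0.113.12 2001 192.0.2.52 80 SYN
2001-08-02 00:05:00 tcp 203.0.113.13 2001 192.0.2.53 80 SYN
2001-08-02 00:06:00 tcp 203.0.113.14 2001 192.0.2.54 80 SYN
2001-08-02 00:07:00 tcp 203.0.113.15 2001 192.0.2.55 80 SYN
2001-08-02 00:08:00 tcp 203.0.113.16 2001 192.0.2.56 80 SYN
2001-08-02 00:09:00 tcp 203.0.113.17 2001 192.0.2.57 80 SYN
2001-08-02 00:10:00 tcp 203.0.113.18 2001 192.0.2.58 80 SYN
2001-08-02 00:11:00 tcp 203.0.113.19 2001 192.0.2.59 80 SYN
2001-08-02 00:12:00 udp 203.0.113.20 53 192.0.2.60 80 SYN
2001-08-02 00:13:00 tcp 203.0.113.21 2001 192.0.2.61 443 SYN
"""

# Address space with no live web servers (assumed example prefix): a SYN to
# port 80 here has no legitimate reason to exist, so every sender is a prober.
DARK_SPACE = [ipaddress.ip_network("192.0.2.0/25")]


def parse_flow(line):
    """Parse one constructed flow line into a dict; return None for blank/odd lines."""
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, proto, src, sport, dst, dport, state = parts
    return {
        "start": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "state": state,
    }


def is_dark_web_probe(flow):
    """Unanswered TCP SYN to port 80 at an address with no live server."""
    return (
        flow["proto"] == "tcp"
        and flow["dport"] == 80
        and flow["state"] == "SYN"
        and any(flow["dst"] in net for net in DARK_SPACE)
    )


def probing_sources_per_hour(text):
    """Map hour bucket -> set of distinct source IPs probing dark space on port 80."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and is_dark_web_probe(flow):
            buckets[flow["start"].strftime("%Y-%m-%d %H:00")].add(str(flow["src"]))
    return dict(buckets)


def hourly_counts(text):
    """Sorted list of (hour, number of distinct probing sources)."""
    per_hour = probing_sources_per_hour(text)
    return [(hour, len(per_hour[hour])) for hour in sorted(per_hour)]


def surge_detected(counts, factor=2.0, min_hours=3):
    """True when each hourly count is at least `factor` times the previous one
    over the last `min_hours` buckets: a crude 'exponential increase' test that
    should trigger a look at IDS decodes, not a confirmation of any worm."""
    if len(counts) < min_hours:
        return False
    values = [n for _, n in counts[-min_hours:]]
    return all(later >= factor * earlier for earlier, later in zip(values, values[1:]))


if __name__ == "__main__":
    counts = hourly_counts(SAMPLE_FLOWS)
    for hour, n in counts:
        print(f"{hour}  {n:6d} distinct sources")
    print("surge:", surge_detected(counts))
```

On the sample the counts go 1, 4, 10 across the three hours and the surge test fires; the flows to 192.0.2.200 (outside the dark prefix), the established connection, the UDP line and the port 443 SYN are all filtered out, which is the point of restricting the count to unanswered SYNs at addresses that cannot legitimately be serving web traffic.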