Re: LaBrea escalates event volume

["james" <the_saint_james () yahoo com>]

> I recently deployed LaBrea and added Snort rules that generate alerts when
> a foreign host interacts with a LaBrea phantom host. I've been amazed at
> the amount of associated traffic.
>
> LaBrea only tarpits a host every few seconds. But, I see 4,000-10,000
> attempted connections per hour against the phantom hosts. These don't
> appear to be a concerted attack by one or a few individuals. The IP
> addresses are quite varied and don't seem to reappear often. I'm simply
> getting hit from everywhere.

What is the nature of these "4,000-10,000 attempted connections per hour
against the phantom hosts" ? (ie what port, exploit, ect)

james


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users