Snort mailing list archives
Re: LaBrea escalates event volume
From: "james" <the_saint_james () yahoo com>
Date: Mon, 18 Mar 2002 15:07:12 -0700
I recently deployed LaBrea and added Snort rules that generate alerts when a foreign host interacts with a LaBrea phantom host. I've been amazed at the amount of associated traffic. LaBrea only tarpits a host every few seconds. But, I see 4,000-10,000 attempted connections per hour against the phantom hosts. These don't appear to be a concerted attack by one or a few individuals. The IP addresses are quite varied and don't seem to reappear often. I'm simply getting hit from everywhere.
What is the nature of these "4,000-10,000 attempted connections per hour against the phantom hosts" ? (ie what port, exploit, ect) james _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume james (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Chris Green (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Chris Green (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 27)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume james (Mar 18)