Snort mailing list archives
Re: LaBrea escalates event volume
From: Chris Green <cmg () sourcefire com>
Date: Mon, 18 Mar 2002 20:15:39 -0500
Bill McCarty <bmccarty () apu edu> writes:
Hi James,

From what I can make out, these are typical scans and probes. If they're at all unusual, they're unusual in volume, not characteristics. The majority -- perhaps 75% -- are TCP connections to port 80. A large minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then, we have the usual 21, 22, 111, 443, et cetera, making up the balance.

I chose to write custom alerts against these events because an attempt to access a non-existent host on a private network seemed to me to be at least somewhat hostile. The volume of non-custom Snort alerts that I see does not seem more than that reported by others.
Ok, knowing they are custom rules causes a lot less eyebrows to raise up ;-)

75% are probably Code Red/Nimda (these machines have no webservers, correct?), 10% are probably ping sweeps, and the rest are the sweeps we all know and love <sigh>

--
Chris Green <cmg () sourcefire com>
You now have 14 minutes to reach minimum safe distance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
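As an added example (not code from the thread or from Snort itself): a small Python triage script that computes the per-protocol/port share Bill describes from Snort fast-format alert lines, so the "75% port 80, 10% ICMP" breakdown can be measured rather than estimated. The sample alerts, rule names and SIDs are constructed; only the `{PROTO} src:port -> dst:port` tail of each line is parsed.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort "fast" output format (not taken from
# the original thread); the rule messages and SIDs are hypothetical.
SAMPLE_ALERTS = """\
03/18-20:01:02.000001  [**] [1:1000001:1] LABREA probe to unused host [**] [Priority: 2] {TCP} 192.168.5.17:3456 -> 10.0.0.44:80
03/18-20:01:03.000001  [**] [1:1000001:1] LABREA probe to unused host [**] [Priority: 2] {TCP} 192.168.5.18:3457 -> 10.0.0.45:80
03/18-20:01:04.000001  [**] [1:1000001:1] LABREA probe to unused host [**] [Priority: 2] {TCP} 192.168.5.19:3458 -> 10.0.0.46:80
03/18-20:01:05.000001  [**] [1:1000002:1] LABREA ICMP to unused host [**] [Priority: 3] {ICMP} 192.168.5.20 -> 10.0.0.47
03/18-20:01:06.000001  [**] [1:1000001:1] LABREA probe to unused host [**] [Priority: 2] {TCP} 192.168.5.21:3459 -> 10.0.0.48:22
garbage line that should be skipped
"""

# Matches the "{PROTO} src[:sport] -> dst[:dport]" tail; ICMP lines carry no ports.
FAST_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line):
    """Return (proto, dst_port or None) for one fast-format line, or None if it does not parse."""
    m = FAST_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dport")) if m.group("dport") else None
    return m.group("proto"), dport

def service_breakdown(text):
    """Count alerts per (proto, dport) and return {(proto, dport): percent of parsed alerts}."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_fast_alert(line)
        if parsed:
            counts[parsed] += 1
    total = sum(counts.values())
    return {key: 100.0 * n / total for key, n in counts.items()} if total else {}

if __name__ == "__main__":
    # Print the busiest services first; a spike in one bucket points at a single worm or sweep.
    for (proto, dport), pct in sorted(service_breakdown(SAMPLE_ALERTS).items(), key=lambda kv: -kv[1]):
        label = f"{proto}/{dport}" if dport is not None else proto
        print(f"{label:>10}  {pct:5.1f}%")
```

Pointing `service_breakdown` at a real `alert` file from the fast output plugin gives the same table for the sensor's actual traffic.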
Current thread:
- LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume james (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Chris Green (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Chris Green (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 27)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume james (Mar 18)