Snort mailing list archives
Re: LaBrea escalates event volume
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 18 Mar 2002 18:28:32 -0800
Hi Chris, I don't think that the port 80 stuff is CodeRed or similar. Here's why. When I turn off my custom rules, I don't get all that many alerts. However, I do get an occasional CodeRed. I conclude that, if the packets were CodeRed, I'd continue getting a high volume of alerts when I turn off my custom rules. But, the volume goes down by an order of magnitude. So, I figure they're not CodeRed. Does that make sense?
Looking at packet logs, I see stuff like "GET /dddddddddddddddddddddddd". I take these for intended buffer overflows. But, they generally seem way too short to do the job. Mind you, I have little experience with IIS and don't currently run any IIS boxes. So, perhaps I'm overstating its resistance to such apparently puny requests.
But, even if I'm wrong and it is CodeRed or similar traffic, aren't I seeing too many of them? BTW, they're not coming from my network neighborhood. A goodly number come from Europe or Asia/Pacific. Many of the IP addresses are not resolvable by DNS.
You're right that most of the destination hosts are mere phantoms created by LaBrea.
Thanks!

--On Monday, March 18, 2002 8:15 PM -0500 Chris Green <cmg () sourcefire com> wrote:
> Bill McCarty <bmccarty () apu edu> writes:
>
>> Hi James,
>>
>> From what I can make out, these are typical scans and probes. If they're at all unusual, they're unusual in volume, not characteristics. The majority -- perhaps 75% -- are TCP connections to port 80. A large minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then, we have the usual 21, 22, 111, 443, et cetera, making up the balance. I chose to write custom alerts against these events because an attempt to access a non-existent host on a private network seemed to me to be at least somewhat hostile. The volume of non-custom Snort alerts that I see does not seem more than that reported by others.
>
> Ok, knowing they are custom rules causes a lot less eyebrows to raise up ;-)
>
> 75% are probably code red/nimda ( these machines have no webservers correct? ) 10% are probably ping sweeps and the rest are the sweeps we all know and love <sigh>
>
> --
> Chris Green <cmg () sourcefire com>
> You now have 14 minutes to reach minimum safe distance.
---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
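The reasoning in this exchange (does the alert volume come from the custom LaBrea-phantom rules or from stock signatures, and which ports and sources dominate) can be checked directly against the alert log rather than by toggling rules on and off. The following is an added example written for this archive page, not code from the thread, from Snort, or from LaBrea. It assumes Snort's one-line "fast" alert output, a constructed set of alert lines, a constructed list of phantom addresses standing in for the hosts a LaBrea tarpit has claimed, and the usual Snort convention that locally written rules use SIDs of 1000000 and above.

```python
"""Triage Snort fast-alert lines: how much volume is custom rules vs. stock
signatures, which ports and sources dominate, and how many alerts target
LaBrea phantom hosts rather than real machines.

All sample data below is constructed for this example.
"""
import re
from collections import Counter

# Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
# ICMP lines carry no ports, so both port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Snort convention: local (custom) rules use SIDs >= 1,000,000.
LOCAL_SID_MIN = 1000000

# Constructed alert lines (documentation-range source addresses, RFC 1918 destinations).
SAMPLE_ALERTS = [
    "03/18-18:01:02.100000 [**] [1:1000001:1] LOCAL probe to phantom host [**] [Priority: 3] {TCP} 203.0.113.9:2048 -> 10.10.5.21:80",
    "03/18-18:01:05.200000 [**] [1:1000001:1] LOCAL probe to phantom host [**] [Priority: 3] {TCP} 198.51.100.4:3011 -> 10.10.5.22:80",
    "03/18-18:01:07.300000 [**] [1:1000001:1] LOCAL probe to phantom host [**] [Priority: 3] {TCP} 203.0.113.9:2049 -> 10.10.5.23:80",
    "03/18-18:01:09.400000 [**] [1:1000002:1] LOCAL ping to phantom host [**] [Priority: 3] {ICMP} 198.51.100.77 -> 10.10.5.24",
    "03/18-18:02:11.500000 [**] [1:1000001:1] LOCAL probe to phantom host [**] [Priority: 3] {TCP} 192.0.2.55:1234 -> 10.10.5.25:22",
    "03/18-18:03:14.600000 [**] [1:999:1] STOCK web-attack signature (constructed) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.55:1300 -> 10.10.5.2:80",
    "03/18-18:04:20.700000 [**] [1:1000001:1] LOCAL probe to phantom host [**] [Priority: 3] {TCP} 203.0.113.9:2050 -> 10.10.5.26:80",
    "this line is not an alert",
]

# Constructed: addresses the tarpit answers for; 10.10.5.2 is a real host.
PHANTOMS = {"10.10.5.21", "10.10.5.22", "10.10.5.23", "10.10.5.24", "10.10.5.25", "10.10.5.26"}


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["dport"] = int(a["dport"]) if a["dport"] else None
    a["custom"] = a["sid"] >= LOCAL_SID_MIN
    return a


def triage(lines, phantoms):
    """Count alerts by rule class, destination port, source, and phantom/real target."""
    stats = {
        "total": 0, "custom": 0, "stock": 0, "unparsed": 0,
        "to_phantom": 0, "to_real": 0,
        "by_dport": Counter(), "by_src": Counter(), "by_msg": Counter(),
    }
    for line in lines:
        a = parse_alert(line)
        if a is None:
            stats["unparsed"] += 1
            continue
        stats["total"] += 1
        stats["custom" if a["custom"] else "stock"] += 1
        stats["by_dport"][a["dport"]] += 1
        stats["by_src"][a["src"]] += 1
        stats["by_msg"][a["msg"]] += 1
        stats["to_phantom" if a["dst"] in phantoms else "to_real"] += 1
    return stats


def volume_drop_if_custom_disabled(stats):
    """Factor by which total volume would fall if only stock rules fired (None if no stock alerts)."""
    return None if stats["stock"] == 0 else stats["total"] / stats["stock"]


if __name__ == "__main__":
    s = triage(SAMPLE_ALERTS, PHANTOMS)
    print(f"parsed {s['total']} alerts ({s['unparsed']} unparsed lines)")
    print(f"custom {s['custom']}  stock {s['stock']}  phantom targets {s['to_phantom']}  real targets {s['to_real']}")
    print("by dport:", dict(s["by_dport"]))
    print("top sources:", s["by_src"].most_common(3))
    print("volume drop if custom rules disabled:", volume_drop_if_custom_disabled(s))
```

Running it against a real `alert` file is a matter of replacing `SAMPLE_ALERTS` with the file's lines. A large `volume_drop_if_custom_disabled` value together with most alerts landing on phantom destinations is the signature of the situation Bill describes: the volume is the tarpit's phantoms attracting scans, not a stock signature firing on real hosts.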
Current thread:
- LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume james (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Chris Green (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Chris Green (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume Bill McCarty (Mar 27)
- Re: LaBrea escalates event volume Bill McCarty (Mar 18)
- Re: LaBrea escalates event volume james (Mar 18)