Snort mailing list archives

Re: LaBrea escalates event volume


From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 18 Mar 2002 18:28:32 -0800

Hi Chris,

I don't think that the port 80 stuff is CodeRed or similar. Here's why.

When I turn off my custom rules, I don't get all that many alerts. However, I do get an occasional CodeRed. I conclude that, if the packets were CodeRed, I'd continue getting a high volume of alerts when I turn off my custom rules. But, the volume goes down by an order of magnitude. So, I figure they're not CodeRed. Does that make sense?

Looking at packet logs, I see stuff like "GET /dddddddddddddddddddddddd". I take these for intended buffer overflows. But, they generally seem way too short to do the job. Mind you, I have little experience with IIS and don't currently run any IIS boxes. So, perhaps I'm overstating its resistance to such apparently puny requests.

But, even if I'm wrong and it is CodeRed or similar traffic, aren't I seeing too many of them? BTW, they're not coming from my network neighborhood. A goodly number come from Europe or Asia/Pacific. Many of the IP addresses are not resolvable by DNS.

You're right that most of the destination hosts are mere phantoms created by LaBrea.

Thanks!

--On Monday, March 18, 2002 8:15 PM -0500 Chris Green <cmg () sourcefire com> wrote:

Bill McCarty <bmccarty () apu edu> writes:

Hi James,

From what I can make out, these are typical scans and probes. If
they're at all unusual, they're unusual in volume, not characteristics.

The majority -- perhaps 75% -- are TCP connections to port 80. A large
minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then,
we have the usual 21, 22, 111, 443, et cetera, making up the balance.

I chose to write custom alerts against these events because an attempt
to access a non-existent host on a private network seemed to me to be
at least somewhat hostile. The volume of non-custom Snort alerts that
I see does not seem more than that reported by others.

Ok knowing they are custom rules causes a lot less eyebrows to raise
up ;-)

75% are probably code red/nimda ( these machines have no webservers
correct? )

10% are probably ping sweeps

and the rest are the sweeps we all know and love <sigh>
--
Chris Green <cmg () sourcefire com>
You now have 14 minutes to reach minimum safe distance.

---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University
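To make the distinction Bill draws concrete, here is an added example (not from the original post or from the Snort or LaBrea projects) that labels HTTP request lines by the well-documented Code Red and Nimda request shapes versus the bare filler URIs he describes, so a batch of logged requests can be bucketed the same way. The function names `classify_request` and `summarize` and the sample request lines are my own constructions, not captured traffic.

```python
"""Label HTTP request lines seen by an IDS as Code Red, Nimda, a bare
filler-character probe (the "GET /dddd..." shape from the thread), or other.

Added example; the sample lines below are constructed, not real captures."""
import re
from collections import Counter

# Code Red I/II probed IIS with /default.ida followed by a long run of one
# filler character (N for Code Red I, X for Code Red II).
CODE_RED = re.compile(r"^GET /default\.ida\?([NX])\1{50,}")

# Nimda hunted for backdoors left by earlier worms (root.exe) and for
# cmd.exe reached through directory traversal.
NIMDA_PATHS = ("root.exe", "cmd.exe")

# A URI that is just one character repeated: looks like a crude overflow
# attempt but matches neither worm's request shape.
FILLER_URI = re.compile(r"^GET /([A-Za-z0-9])\1{8,}(\s|$)")


def classify_request(line: str) -> str:
    """Return a coarse label for a single HTTP request line."""
    if CODE_RED.match(line):
        return "code-red"
    parts = line.split()
    path = parts[1].lower() if len(parts) > 1 else ""
    if any(p in path for p in NIMDA_PATHS):
        return "nimda"
    if FILLER_URI.match(line):
        return "filler-probe"
    return "other"


def summarize(lines):
    """Count how many request lines fall into each label."""
    return Counter(classify_request(line) for line in lines)


# Constructed sample request lines (not captured traffic).
SAMPLE = [
    "GET /default.ida?" + "N" * 224 + "%u9090 HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /dddddddddddddddddddddddd HTTP/1.0",
    "GET / HTTP/1.0",
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).items():
        print(f"{label}: {n}")
```

Run against the request lines pulled from a packet log, a high count in the `filler-probe` bucket and a low count in `code-red` is the pattern Bill describes.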

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
