Snort mailing list archives

Re: LaBrea escalates event volume


From: Chris Green <cmg () sourcefire com>
Date: Mon, 18 Mar 2002 23:13:34 -0500

Bill McCarty <bmccarty () apu edu> writes:

> Hi Chris,
>
> I don't think that the port 80 stuff is CodeRed or similar. Here's why.
>
> When I turn off my custom rules, I don't get all that many
> alerts. However, I do get an occasional CodeRed. I conclude that, if
> the packets were CodeRed, I'd continue getting a high volume of alerts
> when I turn off my custom rules. But, the volume goes down by an order
> of magnitude. So, I figure they're not CodeRed. Does that make
> sense?

Do these machines have webservers on them?  If they don't, you're not
going to see the successful TCP connections. Though if they do have
webservers, I have no answer.

-- 
Chris Green <cmg () sourcefire com>
This is my signature. There are many like it but this one is mine.
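Chris's point is that a worm payload can only be observed on a host that completed the TCP handshake, so a rule that fires on any packet to port 80 counts every probe, while a rule gated on an established flow plus request content counts only delivered payloads. The following is an added illustration, not code from this thread or from Snort: a minimal three-way-handshake tracker and two rule styles run over a constructed packet trace. The trace, the addresses, the `Packet` and `FlowTracker` names and the `/default.ida?` marker used as the worm request prefix are all assumptions made for the example; the flow-gated rule is only an analogy for a Snort rule that combines a flow-state check with a content match.

```python
from dataclasses import dataclass, field

# TCP flag bits used below
SYN, ACK, PSH = 0x02, 0x10, 0x08

# Constructed worm request prefix used as the content match for this example
CODERED_MARKER = b"GET /default.ida?"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class FlowTracker:
    """Tiny TCP state tracker: a client->server flow counts as established
    only after SYN, SYN/ACK and the final ACK have all been seen."""
    syn_seen: set = field(default_factory=set)
    synack_seen: set = field(default_factory=set)
    established: set = field(default_factory=set)

    def observe(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)   # direction of this packet
        rkey = (p.dst, p.dport, p.src, p.sport)  # the opposite direction
        if p.flags & SYN and not p.flags & ACK:
            self.syn_seen.add(key)
        elif p.flags & SYN and p.flags & ACK and rkey in self.syn_seen:
            self.synack_seen.add(rkey)           # server answered the client's SYN
        elif p.flags & ACK and key in self.synack_seen:
            self.established.add(key)            # client completed the handshake
        return key in self.established


def naive_port80_rule(p: Packet) -> bool:
    """Fires on every packet addressed to port 80, handshake or not."""
    return p.dport == 80


def flow_aware_rule(p: Packet, established: bool) -> bool:
    """Fires only for request content carried on a completed connection."""
    return p.dport == 80 and established and CODERED_MARKER in p.payload


def run(trace) -> tuple:
    """Return (alerts from the naive rule, alerts from the flow-aware rule)."""
    tracker = FlowTracker()
    naive = flow_aware = 0
    for p in trace:
        est = tracker.observe(p)
        naive += naive_port80_rule(p)
        flow_aware += flow_aware_rule(p, est)
    return naive, flow_aware


def build_trace():
    """Constructed sample trace (not captured traffic)."""
    trace = []
    # 20 SYN-only probes to hosts with no listener on port 80: nothing answers
    for i in range(20):
        trace.append(Packet("198.51.100.9", f"10.0.0.{100 + i}", 40000 + i, 80, SYN))
    # one completed handshake followed by a worm-style request
    c, s = "192.0.2.7", "10.0.0.5"
    trace += [
        Packet(c, s, 51000, 80, SYN),
        Packet(s, c, 80, 51000, SYN | ACK),
        Packet(c, s, 51000, 80, ACK),
        Packet(c, s, 51000, 80, PSH | ACK, CODERED_MARKER + b"XXXX HTTP/1.0\r\n"),
    ]
    # a payload-bearing packet with no handshake behind it (no listener ever replied)
    trace.append(Packet("203.0.113.4", "10.0.0.200", 4444, 80, PSH | ACK,
                        CODERED_MARKER + b"XXXX HTTP/1.0\r\n"))
    return trace


if __name__ == "__main__":
    naive, flow_aware = run(build_trace())
    print(f"naive port-80 rule: {naive} alerts; flow-aware rule: {flow_aware} alert(s)")
```

On this trace the naive rule raises 24 alerts (20 probes, the three client-side packets of the real connection and the stray payload packet), while the flow-aware rule raises one, for the request that actually reached a listening web server. That is the same order-of-magnitude gap Bill describes, and it is why a host with no web server produces probe noise but no CodeRed alerts from a flow-gated rule.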


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
