Snort mailing list archives
Re: LaBrea escalates event volume
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 18 Mar 2002 21:51:20 -0800
Hi Chris,

Ahh! I see where I've failed to explain fully. LaBrea is tricky. Its phantom hosts _do_ complete a 3-way TCP handshake with an attacker. So, even though these IPs have no associated web server, an attempt to connect to port 80 -- or whatever port the attacker is using -- via TCP succeeds. That's why I'm able to inspect the logged packets.
Cheers,

--On Monday, March 18, 2002 11:13 PM -0500 Chris Green <cmg () sourcefire com> wrote:

> Bill McCarty <bmccarty () apu edu> writes:
>
>> Hi Chris, I don't think that the port 80 stuff is CodeRed or similar. Here's why. When I turn off my custom rules, I don't get all that many alerts. However, I do get an occasional CodeRed. I conclude that, if the packets were CodeRed, I'd continue getting a high volume of alerts when I turn off my custom rules. But, the volume goes down by an order of magnitude. So, I figure they're not CodeRed. Does that make sense?
>
> Do these machines have webservers on them? If they don't, you're not going to see the successful TCP connections. Though if they do have webservers, I have no answer.
---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
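The point Bill makes above is that a tarpit's phantom host answers the SYN with a SYN/ACK, so the handshake completes and the client's request bytes actually arrive on the wire, which is why a content rule can fire even though no web server exists; a real host with nothing listening answers with RST and the scanner never sends a request. The following toy TCP state tracker is an added illustration written for this archive page, not code from LaBrea, Snort or any poster. All addresses, ports and the HTTP request line are constructed sample values, and the state machine is deliberately minimal (no sequence numbers, no retransmission handling).

```python
"""Minimal TCP handshake tracker: shows why a tarpit yields inspectable payload.
Added example; all packets below are constructed, not captured traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "SAPRF": SYN, ACK, PSH, RST, FIN
    payload: bytes = b""


@dataclass
class Flow:
    state: str = "CLOSED"
    payload: bytes = b""   # client->server data seen after the handshake completed


def track_flows(packets):
    """Walk a minimal TCP state machine per flow.

    Flows are keyed (client_ip, client_port, server_ip, server_port); the client
    is whoever sent the initial SYN. Returns {key: Flow}.
    """
    flows = {}
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in flows:
            key, from_client = fwd, True
        elif rev in flows:
            key, from_client = rev, False
        elif "S" in p.flags and "A" not in p.flags:
            key, from_client = fwd, True      # new flow, opened by this SYN
            flows[key] = Flow()
        else:
            continue                          # stray packet with no prior SYN; ignore
        f = flows[key]
        if f.state == "CLOSED" and from_client and "S" in p.flags:
            f.state = "SYN_SENT"
        elif f.state == "SYN_SENT" and not from_client and "R" in p.flags:
            f.state = "RESET"                 # closed port: no service, no payload ever
        elif f.state == "SYN_SENT" and not from_client and "S" in p.flags and "A" in p.flags:
            f.state = "SYN_RECEIVED"          # tarpit (or real server) answered SYN/ACK
        elif f.state == "SYN_RECEIVED" and from_client and "A" in p.flags:
            f.state = "ESTABLISHED"           # third leg of the handshake
        elif f.state == "ESTABLISHED" and from_client:
            f.payload += p.payload            # only here is there request data to match
    return flows


def inspectable_requests(packets):
    """Return {server_ip: payload} for flows that completed the handshake and carried data."""
    out = {}
    for (_cip, _cport, sip, _sport), f in track_flows(packets).items():
        if f.state == "ESTABLISHED" and f.payload:
            out[sip] = f.payload
    return out


# Constructed sample addresses (documentation ranges) and a constructed probe request.
TARPIT = "192.0.2.10"        # phantom host; nothing really listens on port 80
REAL_CLOSED = "192.0.2.11"   # real host with port 80 closed
SCANNER = "198.51.100.7"
REQUEST = b"GET /scripts/probe.exe HTTP/1.0\r\n\r\n"

SAMPLE = [
    # scanner -> tarpit: SYN/ACK comes back, handshake completes, request arrives
    Pkt(SCANNER, 40001, TARPIT, 80, "S"),
    Pkt(TARPIT, 80, SCANNER, 40001, "SA"),
    Pkt(SCANNER, 40001, TARPIT, 80, "A"),
    Pkt(SCANNER, 40001, TARPIT, 80, "PA", REQUEST),
    # scanner -> real host with no listener: RST, and the request is never sent
    Pkt(SCANNER, 40002, REAL_CLOSED, 80, "S"),
    Pkt(REAL_CLOSED, 80, SCANNER, 40002, "RA"),
]

if __name__ == "__main__":
    for key, f in track_flows(SAMPLE).items():
        print(key, f.state, f.payload[:24])
    print("inspectable:", inspectable_requests(SAMPLE))
```

Run as a script it prints one line per flow: the tarpit flow reaches ESTABLISHED with the request bytes attached, the closed-port flow ends in RESET with nothing to inspect. That is the whole reason a rule keyed on request content can alert on a phantom host that has no web server behind it.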