Snort mailing list archives
Some standards in my alerts
From: Joao Daniel Neves <joaodanielnevesss () hotmail com>
Date: Tue, 2 Apr 2013 21:09:21 +0300
Hi, I have noticed a 'little standard' in my alerts. For example, my company has more than 1000 IP addresses. I'm using BASE; when I make a filter to show only unique source IPs for a given alert, I can notice that a lot of alerts stop scanning my network when they reach about 700 scanned IPs (700 different destination IPs). (In other words, generally one source IP gives up scanning my network when it has scanned about 700 IPs.)

For example: IP X.Y.Z.K tried 717 IPs of my network. (The rule that triggered it was traceroute.) IP A.B.C.D tried 699 IPs of my network. (The rule that triggered it was CyberKit Ping.) And a lot of other examples like this.

I wish to know if some guys around the world have noticed something like this.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
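The check the poster describes (for each source address and rule, how many distinct destination addresses it touched, and which sources cluster around the ~700 mark) can be reproduced outside BASE from an alert export. The script below is an added example, not code from the original post, from BASE or from the Snort project; it assumes a hypothetical comma-separated export with one alert per line (timestamp, rule name, source IP, destination IP), and the sample lines, addresses and rule names inside it are constructed.

```python
"""Count distinct destination IPs per (source, rule) from an alert export.

Added example, not part of the original post, BASE or Snort. Assumes a
hypothetical export format: timestamp,rule_name,src_ip,dst_ip per line.
"""
from collections import Counter, defaultdict
import csv
import io
import ipaddress

# Constructed sample export (documentation-range addresses, invented times).
# Duplicate (src, dst) pairs are present on purpose: they must count once.
SAMPLE_ALERTS = """\
2013-04-02 10:00:01,traceroute,203.0.113.10,192.0.2.1
2013-04-02 10:00:02,traceroute,203.0.113.10,192.0.2.2
2013-04-02 10:00:03,traceroute,203.0.113.10,192.0.2.2
2013-04-02 10:00:04,traceroute,203.0.113.10,192.0.2.3
2013-04-02 11:00:01,CyberKit Ping,198.51.100.7,192.0.2.1
2013-04-02 11:00:02,CyberKit Ping,198.51.100.7,192.0.2.9
2013-04-02 11:00:03,CyberKit Ping,198.51.100.7,192.0.2.9
2013-04-02 11:00:04,CyberKit Ping,not-an-ip,192.0.2.9
"""


def parse_alerts(text):
    """Yield (rule, src, dst) tuples; malformed rows and bad IPs are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        _, rule, src, dst = (field.strip() for field in row)
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip rows whose addresses do not parse
        yield rule, src, dst


def distinct_destinations(text):
    """Map (src, rule) -> number of distinct destination IPs.

    Repeated hits on the same destination count once, which matches
    filtering BASE on unique destinations for one source and one rule.
    """
    seen = defaultdict(set)
    for rule, src, dst in parse_alerts(text):
        seen[(src, rule)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def count_distribution(counts):
    """Histogram of distinct-destination counts: count -> number of sources.

    A spike at one value (the poster's ~700) shows up here directly.
    """
    return Counter(counts.values())


def sources_near_threshold(counts, center=700, tolerance=20):
    """Return sorted (src, rule, n) whose distinct-destination count n lies
    within [center - tolerance, center + tolerance]."""
    lo, hi = center - tolerance, center + tolerance
    return sorted((src, rule, n) for (src, rule), n in counts.items()
                  if lo <= n <= hi)


if __name__ == "__main__":
    counts = distinct_destinations(SAMPLE_ALERTS)
    for (src, rule), n in sorted(counts.items()):
        print(f"{src:16} {rule:16} {n} distinct destinations")
    print("distribution:", dict(count_distribution(counts)))
    print("near 700:", sources_near_threshold(counts))
```

Run against a real export, `count_distribution` is the quick way to see whether the ~700 value is a genuine spike or just the upper edge of a spread; `sources_near_threshold` then lists the sources and rules in that band for closer review.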