Security Incidents mailing list archives
explanation (fwd)
From: Alfred Huger <ah () securityfocus com>
Date: Wed, 1 Aug 2001 10:35:13 -0600 (MDT)
VP Engineering
SecurityFocus.com
"Vae Victis"

---------- Forwarded message ----------
Date: Wed, 1 Aug 2001 12:31:30 -0400 (EDT)
From: Ken Eichman <keichman () cas org>
To: handler () incidents org, jullrich () euclidian com, cert () cert mil, cert () cert org, marc () eeye com, vicki () incidents org, nipc.watch () fbi gov, alanpaller () aol com, ah () securityfocus com
Cc: keichman () cas org, krichardson () cas org
Subject: explanation

Okay, just to explain where I'm getting the numbers.

Like last go-around, I'm recording TCP header info for all inbound traffic to our class-B address space on our IDS. Throwing out our 'valid' HTTP traffic, I'm left with the bogus. It could be superfluous misinformation thrown in to the HTTP traffic to skew/hide/whatever; HEADS, GET x, whatever. We have 25 internet-accessible web servers; I quickly checked most and do not see any increase in that type of traffic to any of them.

Backing up the header data, I'm getting packet data captures from snort on the IDS when a Code Red probe targets specific addresses. I cannot do that for every single bogus HTTP probe because most of them target non-existent/unpopulated IP addresses.

As of 12:00 EDT I've logged 331582 "bogus http requests", up from 648 yesterday, and I've logged 101 confirmed Code Red probes, up from zero the previous week.

Just to be clear, there are some assumptions that could be made either way with these numbers.

Ken Eichman, Senior Security Engineer, Chemical Abstracts Service
2540 Olentangy River Road, Columbus, OH 43210
Tel: (614) 447-3838 ext 3230   Fax: (614) 447-3855
Email: keichman () cas org
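A small tally of the kind the post describes, added here as an example and not Ken's own tooling: it splits request lines into 'valid' and 'bogus', counts confirmed Code Red probes separately, and notes how many non-valid requests hit addresses with no web server (where only header evidence exists). The log format, the populated-address set, the request-line and Code Red patterns and the sample records are all assumed or constructed.

```python
"""Classify inbound HTTP request lines into valid / bogus / code_red and
tally them, mirroring the counting method in the post (example only)."""
import re
from collections import Counter

# Constructed: addresses in the monitored block that actually run a web server.
POPULATED = {"192.0.2.10", "192.0.2.11"}

# Assumption: a 'valid' request line is METHOD SP /path SP HTTP/1.x.
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (/\S*) HTTP/1\.[01]$")
# Assumption: Code Red probes are recognised by the well-known
# "GET /default.ida?" request followed by a long run of N or X characters.
CODE_RED = re.compile(r"^GET /default\.ida\?[NX]{100,}")


def classify(dst_ip, request_line):
    """Return 'code_red', 'valid' or 'bogus' for one request line."""
    if CODE_RED.match(request_line):      # check first: it is also well-formed
        return "code_red"
    if REQUEST_LINE.match(request_line):
        return "valid"
    return "bogus"                        # e.g. 'HEADS', 'GET x', junk


def tally(records):
    """records: iterable of (dst_ip, request_line).
    Returns a Counter with per-class totals plus 'unpopulated_target', the
    number of non-valid requests aimed at addresses with no server behind
    them (header-only evidence, no packet capture possible)."""
    counts = Counter()
    for dst, line in records:
        cls = classify(dst, line)
        counts[cls] += 1
        if cls != "valid" and dst not in POPULATED:
            counts["unpopulated_target"] += 1
    return counts


# Constructed sample records: (destination IP, request line)
SAMPLE = [
    ("192.0.2.10", "GET /index.html HTTP/1.0"),
    ("192.0.2.10", "HEADS / HTTP/1.0"),
    ("192.0.2.200", "GET x"),
    ("192.0.2.11", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
    ("192.0.2.77", "GET /default.ida?" + "N" * 224 + " HTTP/1.0"),
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE)))
```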