Security Incidents mailing list archives

explanation (fwd)


From: Alfred Huger <ah () securityfocus com>
Date: Wed, 1 Aug 2001 10:35:13 -0600 (MDT)



VP Engineering
SecurityFocus.com
"Vae Victis"

---------- Forwarded message ----------
Date: Wed, 1 Aug 2001 12:31:30 -0400 (EDT)
From: Ken Eichman <keichman () cas org>
To: handler () incidents org, jullrich () euclidian com, cert () cert mil, cert () cert org,
     marc () eeye com, vicki () incidents org, nipc.watch () fbi gov, alanpaller () aol com,
     ah () securityfocus com
Cc: keichman () cas org, krichardson () cas org
Subject: explanation

Okay just to explain where I'm getting the numbers.  Like last
go-around, I'm recording tcp header info for all inbound traffic to our
class-b address space on our IDS.  Throwing out our 'valid' http traffic
I'm left with the bogus.  It could be superfluous misinformation thrown
in to the http traffic to skew/hide/whatever; HEADS, GET x, whatever.
We have 25 internet-accessible web servers; I quickly checked most and
do not see any increase in that type of traffic to any of them.

Backing up the header data, I'm getting packet data captures from snort
on the IDS when a code red probe targets specific addresses.  I cannot
do that for every single bogus http probe because most of them target
non-existent/unpopulated IP addresses.

As of 12:00 EDT I've logged 331582 "bogus http requests", up from 648
yesterday, and I've logged 101 confirmed code red probes, up from zero
the previous week.

Just to be clear there are some assumptions that could be made either way
with these numbers.

Ken Eichman                  Senior Security Engineer
Chemical Abstracts Service   Tel:   (614) 447-3838 ext 3230
2540 Olentangy River Road    Fax:   (614) 447-3855
Columbus, OH 43210           Email: keichman () cas org
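A defender-side sketch of the tally described in the message above, added here as an example and not code from the thread, from CAS or from SecurityFocus: it reads constructed IDS header records, discards well-formed requests aimed at known web servers, and counts the remaining bogus requests and Code Red probes per day. The record format, the `WEB_SERVERS` list and the `/default.ida` signature check are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample IDS records (not a real capture):
# "<date> <src-ip> <dst-ip> <dst-port> <request line as seen on the wire>"
SAMPLE_LOG = """\
2001-07-31 10.0.0.5 192.168.1.10 80 GET /index.html HTTP/1.0
2001-07-31 10.0.0.6 192.168.1.200 80 GET x
2001-08-01 10.0.0.7 192.168.1.10 80 HEAD / HTTP/1.1
2001-08-01 10.0.0.8 192.168.1.77 80 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0
2001-08-01 10.0.0.9 192.168.1.10 80 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0
2001-08-01 10.0.0.10 192.168.1.42 80 HEADS
"""

# Hypothetical list of the site's populated, internet-facing web servers.
WEB_SERVERS = {"192.168.1.10"}

# A syntactically complete HTTP/1.x request line.
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")
# Code Red's .ida overflow probe: a long run of N (CRv1) or X (CRv2) in the query.
CODE_RED = re.compile(r"^/default\.ida\?[NX]{20,}")

def classify(dst_ip, request):
    """Return 'code_red', 'valid' or 'bogus' for one observed request."""
    m = REQUEST_LINE.match(request)
    if m and CODE_RED.match(m.group(2)):
        return "code_red"
    if m and dst_ip in WEB_SERVERS:
        return "valid"          # well-formed and aimed at a real server
    return "bogus"              # malformed, or aimed at unpopulated space

def tally(log_text):
    """Count requests per day and class, e.g. {'2001-08-01': Counter(...)}."""
    per_day = {}
    for line in log_text.splitlines():
        date, _src, dst, _port, request = line.split(" ", 4)
        per_day.setdefault(date, Counter())[classify(dst, request)] += 1
    return per_day

if __name__ == "__main__":
    for day, counts in sorted(tally(SAMPLE_LOG).items()):
        print(day, dict(counts))
```

The day-over-day jump in the "bogus" and "code_red" buckets is the signal the message reports; the "valid" bucket is what gets discarded before counting.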


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com