Security Incidents mailing list archives

Re: Full Plate of Crow


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Thu, 02 Aug 2001 07:09:58 +1200


On Wed, 01 Aug 2001 11:52:09 -0400 Chris Brenton <cbrenton () altenet com> 
wrote:

Alfred Huger wrote:



A lot of the people mailing me last night and this morning were sending
firewall logs, not IDS logs.

I'm one of them.


Agreed again. No packet decode, no confirmed hit. Otherwise we'll be
looking at greatly skewed numbers. Using that criteria I could claim
14K+ Code Red infected systems back in April (oh wait, Code Red was not
even around yet... ;).

I also agree that we cannot be certain that these are CR probes without 
IDS fingerprints.  That said, my data (from argus logs) measuring SYN 
packets to non-existent/firewalled machines shows an exponential 
increase starting at midnight UTC, and now I am seeing over 40,000 
individual IPs probing on port 80.  Starting at ^:35 (UTC+1200) I am 
also seeing hits on the Snort .ida rules (70 in the last half hour).

All very odd!!


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
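The measurement Russell describes, counting distinct source IPs that send SYNs to port 80 on address space with no host behind it and watching for the count to take off hour over hour, as an added example (not code from the original post or from argus). The flow lines are constructed for this example and are not real argus `ra` output; the dark network 192.0.2.0/24 and the "at least doubles per hour" threshold are assumptions.

```python
"""Count distinct sources sending bare SYNs to port 80 on unused ("dark")
address space per hour, and flag hours where that count at least doubles.

Added example, not code from the original post.  FLOW_LOG below is
constructed for this example; it is not real argus output.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed records: "<ISO timestamp> <src> <dst> <dport> <tcp flags>".
# Hours 22 and 23 UTC are flat; the count takes off at midnight UTC.
# The last three hour-00 lines are deliberately not probes of dark space
# on port 80 (live host, port 22, SYN-ACK) and must be filtered out.
FLOW_LOG = """\
2001-07-31T22:15:00Z 203.0.113.10 192.0.2.40 80 S
2001-07-31T22:50:00Z 203.0.113.11 192.0.2.41 80 S
2001-07-31T23:02:00Z 203.0.113.10 192.0.2.7 80 S
2001-07-31T23:30:00Z 203.0.113.12 192.0.2.8 80 S
2001-07-31T23:45:00Z 203.0.113.10 192.0.2.9 80 S
2001-08-01T00:01:00Z 203.0.113.20 192.0.2.3 80 S
2001-08-01T00:02:00Z 203.0.113.21 192.0.2.9 80 S
2001-08-01T00:05:00Z 203.0.113.22 192.0.2.22 80 S
2001-08-01T00:20:00Z 203.0.113.23 192.0.2.250 80 S
2001-08-01T00:40:00Z 203.0.113.24 192.0.2.17 80 S
2001-08-01T00:41:00Z 203.0.113.99 198.51.100.5 80 S
2001-08-01T00:42:00Z 203.0.113.98 192.0.2.5 22 S
2001-08-01T00:43:00Z 203.0.113.97 192.0.2.5 80 SA
2001-08-01T01:00:00Z 203.0.113.30 192.0.2.1 80 S
2001-08-01T01:03:00Z 203.0.113.31 192.0.2.2 80 S
2001-08-01T01:07:00Z 203.0.113.32 192.0.2.3 80 S
2001-08-01T01:11:00Z 203.0.113.33 192.0.2.4 80 S
2001-08-01T01:16:00Z 203.0.113.34 192.0.2.5 80 S
2001-08-01T01:22:00Z 203.0.113.35 192.0.2.6 80 S
2001-08-01T01:29:00Z 203.0.113.36 192.0.2.7 80 S
2001-08-01T01:35:00Z 203.0.113.37 192.0.2.8 80 S
2001-08-01T01:44:00Z 203.0.113.38 192.0.2.9 80 S
2001-08-01T01:58:00Z 203.0.113.39 192.0.2.10 80 S
"""

# Assumed dark space: no host answers there, so a SYN to port 80 is a probe.
DARK_NETS = [ip_network("192.0.2.0/24")]


def parse_flows(text):
    """Parse the five-field constructed records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "dport": int(dport),
            "flags": flags,
        })
    return flows


def is_dark(addr, nets=DARK_NETS):
    return any(addr in net for net in nets)


def probers_per_hour(flows, port=80, nets=DARK_NETS):
    """Hour (UTC, truncated) -> set of distinct sources that sent a bare SYN
    to `port` on dark address space during that hour."""
    hours = defaultdict(set)
    for f in flows:
        if f["dport"] != port or f["flags"] != "S" or not is_dark(f["dst"], nets):
            continue
        hour = f["time"].replace(minute=0, second=0, microsecond=0)
        hours[hour].add(f["src"])
    return hours


def growth_alerts(hours, factor=2.0):
    """(hour, count, previous_count) for each hour whose distinct-prober
    count is at least `factor` times that of the immediately preceding
    hour.  Hours with a gap before them are not compared."""
    alerts = []
    ordered = sorted(hours)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev != timedelta(hours=1):
            continue
        n_prev, n_cur = len(hours[prev]), len(hours[cur])
        if n_prev and n_cur >= factor * n_prev:
            alerts.append((cur, n_cur, n_prev))
    return alerts


def hourly_counts(text=FLOW_LOG):
    """Convenience: 'YYYY-MM-DDTHH' -> number of distinct probers."""
    return {h.strftime("%Y-%m-%dT%H"): len(s)
            for h, s in probers_per_hour(parse_flows(text)).items()}


if __name__ == "__main__":
    hours = probers_per_hour(parse_flows(FLOW_LOG))
    for h in sorted(hours):
        print(h.strftime("%Y-%m-%d %H:00Z"), len(hours[h]), "distinct probers")
    for hour, n, prev in growth_alerts(hours):
        print("ALERT", hour.strftime("%Y-%m-%d %H:00Z"), f"{n} vs {prev} the hour before")
```

Run stand-alone it prints 2, 2, 5 and 10 distinct probers for 22:00, 23:00, 00:00 and 01:00 UTC and alerts on the last two hours. As the thread stresses, this measures scanning volume against unused addresses, not what the scanner is; each counted source is a port-80 prober, and only an IDS decode of the request (the Snort .ida rule hits Russell mentions) turns a prober into a confirmed Code Red host.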


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

