Snort mailing list archives

Re: LaBrea escalates event volume
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 18 Mar 2002 15:38:17 -0800

Hi James,

From what I can make out, these are typical scans and probes. If they're at
all unusual, they're unusual in volume, not characteristics.

The majority -- perhaps 75% -- are TCP connections to port 80. A large minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then, we have the usual 21, 22, 111, 443, et cetera, making up the balance.

I chose to write custom alerts against these events because an attempt to access a non-existent host on a private network seemed to me to be at least somewhat hostile. The volume of non-custom Snort alerts that I see does not seem more than that reported by others.

--Bill

--On Monday, March 18, 2002 3:07 PM -0700 james <the_saint_james () yahoo com> wrote:


I recently deployed LaBrea and added Snort rules that generate alerts
when a foreign host interacts with a LaBrea phantom host. I've been
amazed at the amount of associated traffic.

LaBrea only tarpits a host every few seconds. But, I see 4,000-10,000
attempted connections per hour against the phantom hosts. These don't
appear to be a concerted attack by one or a few individuals. The IP
addresses are quite varied and don't seem to reappear often. I'm simply
getting hit from everywhere.


What is the nature of these "4,000-10,000 attempted connections per hour
against the phantom hosts"? (i.e., what port, exploit, etc.)


---------------------------------------------------
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University
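Bill's breakdown above (mostly TCP port 80, a minority ICMP, sources that rarely repeat) is what you get by tallying the custom alerts by hour, protocol/port and source address. As an added example, not part of this thread, here is a small Python summarizer over constructed Snort fast-format alert lines; the rule message "LaBrea phantom contact" and the addresses are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format. The custom rule
# message "LaBrea phantom contact" and all addresses are hypothetical.
SAMPLE_ALERTS = """\
03/18-14:01:02.100000  [**] [1:1000001:1] LaBrea phantom contact [**] [Priority: 3] {TCP} 192.0.2.10:4321 -> 10.0.0.5:80
03/18-14:02:15.200000  [**] [1:1000001:1] LaBrea phantom contact [**] [Priority: 3] {TCP} 198.51.100.7:51000 -> 10.0.0.9:80
03/18-14:03:40.300000  [**] [1:1000001:1] LaBrea phantom contact [**] [Priority: 3] {ICMP} 203.0.113.4 -> 10.0.0.7
03/18-14:05:01.400000  [**] [1:1000001:1] LaBrea phantom contact [**] [Priority: 3] {TCP} 192.0.2.10:4322 -> 10.0.0.5:80
03/18-14:07:22.500000  [**] [1:1000001:1] LaBrea phantom contact [**] [Priority: 3] {TCP} 203.0.113.99:2020 -> 10.0.0.12:22
03/18-15:10:33.600000  [**] [1:1000001:1] LaBrea phantom contact [**] [Priority: 3] {TCP} 198.51.100.200:3333 -> 10.0.0.5:443
"""

# Timestamp, the two [**] delimiters, {PROTO}, then src[:port] -> dst[:port];
# ICMP lines carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hour>\d\d):\d\d:\d\d\.\d+\s+\[\*\*\].*?\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alerts(text):
    """Yield one dict per line that parses as a fast-format alert."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text):
    """Per-hour volume, protocol/destination-port mix in percent, and source reuse."""
    per_hour, targets, sources = Counter(), Counter(), Counter()
    for a in parse_alerts(text):
        per_hour[f"{a['mon']}/{a['day']} {a['hour']}:00"] += 1
        key = a["proto"] if a["dport"] is None else f"{a['proto']}/{a['dport']}"
        targets[key] += 1
        sources[a["src"]] += 1
    total = sum(targets.values()) or 1  # avoid division by zero on empty input
    return {
        "per_hour": dict(per_hour),
        "mix_percent": {k: round(100 * v / total, 1) for k, v in targets.items()},
        "unique_sources": len(sources),
        "repeat_sources": sum(1 for n in sources.values() if n > 1),
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_ALERTS).items():
        print(k, v)
```

Point it at a real alert file by passing the file contents to summarize(); a high unique-to-repeat source ratio is what distinguishes background scanning from a concerted probe by a few hosts.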

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users