Snort mailing list archives

Re: LaBrea escalates event volume


From: Chris Green <cmg () sourcefire com>
Date: Mon, 18 Mar 2002 20:15:39 -0500

Bill McCarty <bmccarty () apu edu> writes:

Hi James,

From what I can make out, these are typical scans and probes. If
they're at all unusual, they're unusual in volume, not characteristics.

The majority -- perhaps 75% -- are TCP connections to port 80. A large
minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then,
we have the usual 21, 22, 111, 443, et cetera, making up the balance.

I chose to write custom alerts against these events because an attempt
to access a non-existent host on a private network seemed to me to be
at least somewhat hostile. The volume of non-custom Snort alerts that
I see does not seem more than that reported by others.

OK, knowing they are custom rules causes a lot fewer eyebrows to raise
up ;-)

75% are probably Code Red/Nimda (these machines have no webservers,
correct?)

10% are probably ping sweeps

and the rest are the sweeps we all know and love <sigh>
-- 
Chris Green <cmg () sourcefire com>
You now have 14 minutes to reach minimum safe distance.
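Added example, not from the thread or from either poster: a small Python triage script that buckets custom Snort "fast"-style alert lines the way Chris reasons above (TCP/80 to hosts with no web server as Code Red/Nimda candidates, ICMP as ping sweeps, everything else as other sweeps) and reports the percentages. The alert lines, the 10.0.5.0/24 dark range and the WEB_SERVERS set are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format; not taken from the thread.
SAMPLE_ALERTS = [
    "03/18-20:01:02.000001  [**] [1:1000001:1] LOCAL hit on unused address [**] {TCP} 203.0.113.7:3456 -> 10.0.5.20:80",
    "03/18-20:01:03.000002  [**] [1:1000001:1] LOCAL hit on unused address [**] {TCP} 203.0.113.8:4012 -> 10.0.5.21:80",
    "03/18-20:01:04.000003  [**] [1:1000001:1] LOCAL hit on unused address [**] {TCP} 203.0.113.9:4013 -> 10.0.5.22:80",
    "03/18-20:01:05.000004  [**] [1:1000001:1] LOCAL hit on unused address [**] {TCP} 198.51.100.4:1099 -> 10.0.5.23:80",
    "03/18-20:01:06.000005  [**] [1:1000001:1] LOCAL hit on unused address [**] {ICMP} 198.51.100.5 -> 10.0.5.24",
    "03/18-20:01:07.000006  [**] [1:1000001:1] LOCAL hit on unused address [**] {TCP} 198.51.100.6:2200 -> 10.0.5.25:22",
    "03/18-20:01:08.000007  [**] [1:1000001:1] LOCAL hit on unused address [**] {TCP} 198.51.100.7:2201 -> 10.0.5.26:111",
    "03/18-20:01:09.000008  [**] [1:1000001:1] LOCAL hit on unused address [**] {TCP} 198.51.100.8:2202 -> 10.0.5.10:80",
]

# Hypothetical: hosts that really run a web server; every other destination is dark space.
WEB_SERVERS = {"10.0.5.10"}

# Pull protocol, source and destination (with optional ports) off the tail of a fast-alert line.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

def classify(line, web_servers=WEB_SERVERS):
    """Bucket one alert the way the thread reasons about the volume."""
    m = ALERT_RE.search(line)
    if not m:
        return "unparsed"
    proto, dst, dport = m["proto"], m["dst"], m["dport"]
    if proto == "ICMP":
        return "icmp (likely ping sweep)"
    if proto == "TCP" and dport == "80":
        if dst in web_servers:
            return "http to a real web server"
        return "http to host with no web server (Code Red/Nimda candidate)"
    return f"other sweep ({proto}/{dport})"

def triage(lines, web_servers=WEB_SERVERS):
    """Return (count per bucket, percentage per bucket) for a batch of alert lines."""
    counts = Counter(classify(l, web_servers) for l in lines)
    total = sum(counts.values())
    pct = {k: round(100.0 * v / total, 1) for k, v in counts.items()}
    return counts, pct

if __name__ == "__main__":
    counts, pct = triage(SAMPLE_ALERTS)
    for bucket, n in counts.most_common():
        print(f"{pct[bucket]:5.1f}%  {n:4d}  {bucket}")
```

Feed it a real alert file with `triage(open("alert").read().splitlines())` and put the hosts that legitimately serve HTTP into `WEB_SERVERS`; a high share in the Code Red/Nimda bucket with a stable ICMP share is the profile the thread describes.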

